
Chronic redirects in IE and Firefox


This topic is locked
19 replies to this topic

#1 vancwa

vancwa

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 21 February 2010 - 08:45 PM

Hi,

I get redirects when I click on any Google search results to random shopping sites. This happens more than 50% of the time. VERY FRUSTRATING! I need help to remove the adware. I've run Spybot, AVG, Ad Aware and none of them touch it. I am posting a current Hijackthis.txt log file in the hope that somebody can tell me what files I need to delete.

Thanks very much from Vancouver Washington.

Here is the hijackthis attachment: hijackthis_Feb21_2010.txt (10.15KB)

Edited by vancwa, 21 February 2010 - 09:24 PM.



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:12 PM

Posted 24 February 2010 - 12:49 PM

Hello vancwa. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





In order to better make an assessment of your problem I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt




  • If you are using CD emulation software, such as DAEMON Tools or Alcohol, run Defogger prior to running the GMER scan below. If not, skip the instructions for Defogger and go straight on to GMER.






    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.









    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files


    Thanks,



    thewall





    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #3 vancwa

    vancwa
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:06:12 PM

    Posted 24 February 2010 - 11:20 PM

    Hi thewall,

    Thanks - ok, I've done all the things you mention. I downloaded and ran everything you asked for. I couldn't get through GMER without unchecking files and registry. And Defogger never asked for a reboot, I just did it when the program seemed to stop running.

    There will be three txt files attached; 1. DDS notepad.txt, 2. DDS attach.txt and 3. GMER.txt

    If you need me to rerun anything differently, no problem.

    Best regards, vancwa

    Attached Files



    #4 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:08:12 PM

    Posted 25 February 2010 - 12:08 PM

    You're welcome!

    Let's go ahead with ComboFix. You can paste the log in the reply window, no need to make an attachment out of it.


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






    #5 vancwa

    vancwa
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:06:12 PM

    Posted 27 February 2010 - 03:26 PM

    Hi thewall,

    OK - I followed your instructions exactly - downloaded combofix, disabled AVG, ran a scan. Here is the combofix scan log:

    Thanks and Go Gators. vancwa
    ______________________________________________

    ComboFix 10-02-27.04 - Frank 02/27/2010 12:00:35.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2462 [GMT -8:00]
    Running from: c:\documents and settings\Frank\My Documents\bleepingcomputer\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\Temp
    c:\windows\system32\BSTIEPrintCtl1.dll
    F:\Autorun.inf

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it tongue.gif
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
    .

    2010-02-26 20:01 . 2010-02-26 20:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-02-24 03:23 . 2010-02-24 03:23 -------- d-----w- c:\documents and settings\Frank\Application Data\Office Genuine Advantage
    2010-02-22 06:39 . 2010-02-22 06:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-02-22 06:38 . 2010-02-22 06:38 -------- d-----w- c:\documents and settings\Frank\Application Data\Malwarebytes
    2010-02-22 06:38 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-22 06:38 . 2010-02-22 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-22 06:38 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-22 06:37 . 2010-02-22 06:38 -------- d-----w- c:\program files\Malwarebyte
    2010-02-21 05:25 . 2010-02-21 05:25 95024 ------w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-21 05:25 . 2010-02-21 05:25 95024 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\SBREDrv.sys
    2010-02-21 05:25 . 2010-02-21 05:25 598368 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\EmailScanner.dll
    2010-02-21 05:25 . 2010-02-21 05:25 566608 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\sbap.dll
    2010-02-21 05:25 . 2010-02-21 05:25 562272 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
    2010-02-21 05:25 . 2010-02-21 05:25 221408 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\VipreBridge.dll
    2010-02-21 05:25 . 2010-02-21 05:25 247120 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBRE.dll
    2010-02-21 05:25 . 2010-02-21 05:25 1230160 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBTE.dll
    2010-02-21 05:25 . 2010-02-21 05:25 17480 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\EmailScannerBridge.dll
    2010-02-21 05:24 . 2010-02-21 05:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-02-21 05:24 . 2010-02-04 15:53 2954656 -c----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-02-18 07:13 . 2010-02-18 07:15 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-02-18 03:30 . 2010-02-18 03:30 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-17 17:21 . 2010-02-26 17:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-01-31 00:51 . 2010-01-31 00:52 -------- d-----w- c:\documents and settings\Frank\Application Data\GARMIN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-27 06:15 . 2009-10-30 17:28 0 ----a-w- c:\documents and settings\Tammy\Local Settings\Application Data\prvlcl.dat
    2010-02-26 17:23 . 2009-08-02 21:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-25 02:18 . 2009-11-23 01:36 79488 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-24 16:21 . 2009-11-24 07:42 79488 ----a-w- c:\documents and settings\Tammy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-24 13:52 . 2008-09-17 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-21 06:33 . 2008-09-17 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2010-02-21 05:45 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-02-21 05:24 . 2009-09-07 15:42 -------- d-----w- c:\program files\Lavasoft
    2010-02-05 00:49 . 2009-08-08 01:42 1616248 ------w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-02-04 15:53 . 2009-09-07 15:43 64288 ------w- c:\windows\system32\drivers\Lbd.sys
    2010-01-26 06:17 . 2010-01-26 06:17 152576 ------w- c:\documents and settings\Frank\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-18 03:10 . 2010-01-18 03:10 0 ------w- c:\windows\nsreg.dat
    2010-01-05 10:00 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-01-01 01:28 . 2010-01-01 01:27 -------- d-----w- c:\program files\EZ_backtest
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-30 01:33 . 2009-03-01 03:51 -------- d-----w- c:\program files\TurboTax
    2009-12-20 19:05 . 2009-12-20 19:05 360584 ------w- c:\windows\system32\drivers\avgtdix.sys
    2009-12-20 19:05 . 2009-12-20 19:05 12464 ------w- c:\windows\system32\avgrsstx.dll
    2009-12-20 19:05 . 2009-12-20 19:05 333192 ------w- c:\windows\system32\drivers\avgldx86.sys
    2009-12-20 19:05 . 2009-12-20 19:05 28424 ------w- c:\windows\system32\drivers\avgmfx86.sys
    2009-12-16 18:43 . 2008-09-13 03:01 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-13 20:49 . 2008-09-25 19:10 66472 ------w- c:\documents and settings\Tammy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-08 19:26 . 2008-04-14 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-30 16:43 . 2009-09-21 15:43 3695616 ------w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "PxDotNetLoader"="c:\program files\Fidelity\Active Trader Pro\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-03-25 42336]
    "SpybotSD TeaTimer"="c:\program files\Spybot S&D\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2008-06-28 19456]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "nwiz"="nwiz.exe" [2008-05-03 1630208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
    "HPHUPD06"="c:\windows\HP 8150\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
    "HP Software Update"="c:\windows\HP 8150\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "hpqSRMon"="c:\windows\HP 8150\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-02-21 815184]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-9-20 113664]
    HP Digital Imaging Monitor.lnk - c:\windows\HP 8150\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
    MarketBrowser.lnk - c:\program files\Marketbrowser\lmt\mktbrws.exe [2009-8-23 2972160]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2009-7-26 585728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-12-20 19:05 12464 ------w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Pml Driver HPZ12"=3 (0x3)
    "avg8wd"=2 (0x2)
    "AdobeActiveFileMonitor7.0"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\HP 8150\\digital imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\WINDOWS\\HP 8150\\digital imaging\\bin\\hpqsudi.exe"=
    "c:\\WINDOWS\\HP 8150\\digital imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/7/2009 7:43 AM 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/20/2009 11:05 AM 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/20/2009 11:05 AM 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/20/2009 11:05 AM 285392]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 7:52 AM 1229232]
    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 11:43 AM 204800]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 6:21 PM 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 6:21 PM 555032]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 6:21 PM 566296]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 6:21 PM 99352]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 6:21 PM 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 6:21 PM 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 6:21 PM 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 6:21 PM 566296]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:25]

    2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-02-27 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\windows\HP 8150\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2008-09-18 05:09]

    2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{5362173C-89B4-471D-BF5B-CEE96DA6F1C0}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
    DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
    FF - ProfilePath - c:\documents and settings\Frank\Application Data\Mozilla\Firefox\Profiles\kovwwuyz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|https://www.fidelity.com/
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-23C3F5C0 - c:\docume~1\tammy\locals~1\tempor~1\content.ie5\bb9vfloo\speedu~1.exe
    Notify-AtiExtEvent - (no file)
    AddRemove-ToneGen - c:\program files\NCH Software\ToneGen\uninst.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTHelper = CTHELPER.EXE?

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\java.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-27 12:13:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-27 20:13

    Pre-Run: 135,405,867,008 bytes free
    Post-Run: 136,341,385,216 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 1B76E954E7F9938158B54E0901D09D92
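The ComboFix log above is long, and a helper reads a handful of lines first: the "Infected copy of ... was found and disinfected" line, orphaned Run entries pointing into Temporary Internet Files, and autostart commands with no full path. The following is an added example, not the thread's or ComboFix's own code, that pulls those lines out of a log; the excerpt is constructed from the posted log, and the location heuristics are the example's own assumptions.

```python
"""Triage helper: pull the lines a helper reads first out of a ComboFix log."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\Temp
F:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2008-06-28 19456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-23C3F5C0 - c:\docume~1\tammy\locals~1\tempor~1\content.ie5\bb9vfloo\speedu~1.exe
Notify-AtiExtEvent - (no file)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    reason: str
    detail: str


DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected", re.M)
REG_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
ORPHAN_RE = re.compile(r"^(HKLM-Run-\S+|HKCU-Run-\S+) - (.+)$", re.M)
AUTORUN_RE = re.compile(r"^([A-Za-z]):\\Autorun\.inf$", re.M | re.I)

# Assumed heuristic: directories a legitimate autostart binary has little reason
# to live in. Covers both the 8.3 short names ComboFix prints and the long forms.
VOLATILE_DIRS = ("tempor~1", "temporary internet files", "locals~1\\temp", "\\temp\\")


def disinfected_files(text):
    """System files ComboFix replaced because malware had patched them."""
    return DISINFECTED_RE.findall(text)


def run_entries(text):
    """Yield (registry key, value name, command) from the Reg Loading Points section."""
    key = None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def classify_path(command):
    """(severity, reason) when an autostart command's location looks off, else None."""
    low = command.lower()
    if any(d in low for d in VOLATILE_DIRS):
        return ("high", "autostart binary lives in a temp/browser-cache directory")
    if "\\" not in command:
        return ("info", "unqualified filename, resolved through the search path")
    return None


def triage(text):
    """Collect the findings a helper would look at before anything else."""
    findings = []
    for path in disinfected_files(text):
        findings.append(Finding("high", "core system file had been patched by malware", path))
    for drive in AUTORUN_RE.findall(text):
        findings.append(Finding("info", "Autorun.inf removed from a non-system drive", f"{drive}:\\Autorun.inf"))
    for key, name, command in run_entries(text):
        hit = classify_path(command)
        if hit:
            findings.append(Finding(hit[0], hit[1], f"{key}\\{name} -> {command}"))
    for name, command in ORPHAN_RE.findall(text):
        hit = classify_path(command) or ("high", "orphaned autostart entry removed")
        findings.append(Finding(hit[0], hit[1], f"{name} -> {command}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.detail}")
```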


    #6 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:08:12 PM

    Posted 27 February 2010 - 03:55 PM

    Great, that was what I was hoping to see. Atapi.sys was infected and should have been the cause of your redirection problems. Are they gone now?

    #7 vancwa

    vancwa
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:06:12 PM

    Posted 27 February 2010 - 04:09 PM

    Hi thewall -

    IT'S FIXED!! No more redirects!! Amazing! I owe you a large alcoholic beverage of your choice. Umm - can't really send you a drink over the internet, but thanks big time - that was less painful than I thought.

    Thanks again, vancwa



    #8 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:08:12 PM

    Posted 27 February 2010 - 04:26 PM

    You're very welcome but hang on we have a little more to do. Let's run this scan and if it is OK:



    It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



    Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Open the Kaspersky WebScanner page.
    • Click on the button on the main page.
    • The program will launch and fill in the Information section on the left.
    • Read the "Requirements and Limitations" then press the button.
    • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
    • Once the files have been downloaded, click on the ...button.
      In the scan settings make sure the following are selected:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
        By default the above items should already be checked.
      • Click the button, if you made any changes.
    • Now under the Scan section on the left:

      Select My Computer
    • The program will now start and scan your system. This will run for a while, be patient and let it finish.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • In the drop down box labeled Files of type change the type to Text file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    You can refer to this animation by sundavis if needed.

    #9 vancwa

    vancwa
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:06:12 PM

    Posted 27 February 2010 - 04:56 PM

    Hi thewall,

    I'm going to run Kaspersky and it will take some time to get the full download. Now I'm curious, why Kaspersky? Is this AV software significantly different or better than AVG, Norton, McAfee or many others?

    vancwa

    #10 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:08:12 PM

    Posted 27 February 2010 - 05:00 PM

    I personally like Kaspersky. A different helper may use a different scanner to check for any leftovers. I find this one to be excellent at picking up on anything which might be missed. We as helpers tend to use what we like and what we are most comfortable with.

    #11 vancwa

    vancwa
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:06:12 PM

    Posted 27 February 2010 - 10:25 PM

    hi thewall,

    OK. I ran Kaspersky and here is the log file. There was an infection that is in quarantine - the atapi.sys.vir - I am thinking that there is nothing more for me to do with it. Should I somehow delete it or just leave it where it is?

    Thanks - vancwa

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, February 27, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, February 27, 2010 12:18:35
    Records in database: 3659349
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    X:\

    Scan statistics:
    Objects scanned: 164197
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 01:59:50


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

    Selected area has been scanned.


    --------------------------------------------------------------------------------

    #12 thewall (Malware Response Team, 6,425 posts, Florida)

    Posted 27 February 2010 - 10:58 PM

    No, it will be gone when we uninstall ComboFix. Let's take care of your Java and then if everything is still OK we'll finish up.

    Thanks for the donation, I appreciate it.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
    • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
    • Click the Download JRE button to the right
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
          Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.

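    The removal steps above depend on finding every old runtime that Add or Remove Programs still lists. The script below is an added example (not code from this thread, and not from Sun/Oracle or any tool named here): it reads the same uninstall registry data that Add or Remove Programs displays, lists every Java runtime entry, and flags those older than the version the post installs. It assumes that Java entries carry "Java", "J2SE" or "JRE" in their DisplayName, that the major version is the first standalone number in that name, and that the update level is the number after "Update"; these parsing rules and the default target of 6 Update 18 are assumptions made for the example.

```powershell
# Added example (not from this thread): inventory Java runtimes registered in
# Add or Remove Programs and flag any older than the version the post installs.
# Assumptions: Java entries contain "Java", "J2SE" or "JRE" in DisplayName; the
# major version is the first standalone number in DisplayName; "Update N" gives
# the update level (no "Update" text means update 0). Read-only: nothing is changed.

param(
    [int]$TargetMajor  = 6,    # JRE 6 ...
    [int]$TargetUpdate = 18    # ... Update 18, the version the post installs
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit hosts only
)

function Get-JavaRuntimeEntries {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $entry = Get-ItemProperty $key.PSPath
            $name  = [string]$entry.DisplayName
            # Skip non-runtime entries such as the auto-updater and JavaFX
            if ($name -notmatch 'Java|J2SE|JRE' -or $name -match 'Auto Updater|JavaFX') { continue }
            # First number not glued to a letter or dot ("J2SE" is skipped, "5.0" gives 5)
            if ($name -match '(?<![\w.])(\d+)') { $major = [int]$Matches[1] } else { continue }
            $update = 0
            if ($name -match 'Update\s+(\d+)') { $update = [int]$Matches[1] }
            $outdated = ($major -lt $TargetMajor) -or
                        ($major -eq $TargetMajor -and $update -lt $TargetUpdate)
            New-Object PSObject -Property @{
                DisplayName = $name
                Major       = $major
                Update      = $update
                Outdated    = $outdated
                KeyName     = $key.PSChildName   # the uninstall key, useful if removal is scripted
            }
        }
    }
}

$entries = @(Get-JavaRuntimeEntries)
$entries | Sort-Object Major, Update | Format-Table DisplayName, Major, Update, Outdated -AutoSize

$stale = @($entries | Where-Object { $_.Outdated })
if ($stale.Count -gt 0) {
    Write-Host ("{0} outdated Java runtime(s) still registered; remove them before installing the update." -f $stale.Count)
} else {
    Write-Host "No Java runtime older than $TargetMajor Update $TargetUpdate is registered."
}
```

    Run it before and after the Add or Remove Programs step: the first run shows what has to go, and a clean second run confirms that no old runtime (and its vulnerable browser plug-in) was left behind.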

    #13 vancwa (Topic Starter, Members, 27 posts)

    Posted 28 February 2010 - 08:32 PM

    Ok - I've deleted previous versions of Java, downloaded and updated JDK 6 v 18, cleaned out temp files using the control panel (although CCleaner does a pretty nice job of that anyway). Not sure what this Java does that the version I was using didn't do.

    I can still browse to the infected files that are in quarantine, which is odd. Seems like you want to simply delete them and then empty the recycle bin. Perhaps I inadvertently didn't get rid of everything. I still have several files (like GMER) that I didn't delete.

    Other than that, going forward - what do you recommend to avoid infections? I use AVG AV program, run Ad-Aware, Spybot, now Malwarebyte. Would any AV program have prevented this? My wife and I are pretty careful about clicking links and websites and we don't have anyone else that uses the computer. I don't mind buying a Kaspersky product if it would help with this kind of problem.

    vancwa

    #14 thewall (Malware Response Team, 6,425 posts, Florida)

    Posted 28 February 2010 - 10:05 PM

    The infected file in Qoobox quarantine will be gone when we uninstall ComboFix. That's part of its cleanup procedure.

    The reason it is important to keep all of your programs updated is often these updates include patches for known security issues. Other times it is just to make them work better. I will include a program for doing that in my suggestion list.

    I believe that should do it now. We can clean off our tools and as I said I have some suggestions to add to what you already have. Unluckily the way they release new versions of malware daily it is hard for the companies to keep their programs updated to stop all infections. AVG is a good program but you may want to check around and do some research to see if there is something you like better. The best thing to do is check for comparison checks done by various groups.


    Uninstall Combofix
    • Press the Windows Key + R on your keyboard.
    • Now copy & paste the green bolded text in the run-box and click OK.

      ComboFix /Uninstall

      <Notice the space between the "x" and "/".>

    • The following will implement some very important cleanup procedures as well as reset System Restore points.
    You can now go ahead and delete GMER and DDS also.
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

    Below are some steps to follow in order to dramatically lower the chances of reinfection
    You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    1. Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
      Go here to check for & install updates to Microsoft applications
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
    2. Keep your non-Microsoft applications updated as well
      Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
    3. Make Internet Explorer more secure
      Click Start > Run
      Type Inetcpl.cpl & click OK
      Click on the Security tab
      Click Reset all zones to default level
      Make sure the Internet Zone is selected & Click Custom level
      In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    4. Install SpywareBlaster & make sure to update it regularly
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
      If you don't know what ActiveX controls are, see here
      You can download SpywareBlaster from here
    5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date

    If you have any other questions or issues feel free to ask as I will be checking back on this topic.

    Other than that if there is nothing else I can do for you then I wish you good luck in the future.

    thewall
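    Steps 3 and 4 above both end up as registry values: the Custom level dialog writes Internet zone policy values, and SpywareBlaster's kill bits are a flag on each blocked control's CLSID. The script below is an added example (not code from this thread, from SpywareBlaster or from Microsoft): it reads those values back so the result of the two steps can be verified rather than assumed, and it changes nothing. It assumes the standard Internet Explorer zone policy IDs 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe), with data 0 = Enable, 1 = Prompt, 3 = Disable under zone 3 (Internet), and that a kill bit is bit 0x400 of the "Compatibility Flags" value under the CLSID's ActiveX Compatibility key; these IDs and paths are stated as assumptions of the example.

```powershell
# Added example (not from this thread): read back the Internet zone ActiveX settings
# that step 3 changes through inetcpl.cpl, and count the ActiveX kill bits that step 4
# (SpywareBlaster) writes. Read-only audit; nothing is modified.
# Assumptions: zone policy IDs 1001 / 1004 / 1201 as named below, data 0 = Enable,
# 1 = Prompt, 3 = Disable, zone 3 = Internet; a kill bit is bit 0x400 of
# "Compatibility Flags" under the CLSID's ActiveX Compatibility key.
# Caveat: if the Security_HKLM_only policy is set, IE reads the HKLM zone key instead.

$zoneKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# The three settings the post's step 3 asks for, with the wanted data values
$wanted = @(
    @{ Id = '1001'; Setting = 'Download signed ActiveX controls';                       Want = 1 },
    @{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';                     Want = 1 },
    @{ Id = '1201'; Setting = 'Initialize and script ActiveX controls not marked safe'; Want = 3 }
)
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    if (-not (Test-Path $zoneKey)) { throw "Zone key not found: $zoneKey" }
    $zone = Get-ItemProperty $zoneKey
    foreach ($w in $wanted) {
        # Values are named by their numeric ID, so look them up as properties by name
        $prop   = $zone.PSObject.Properties[$w.Id]
        $actual = if ($prop) { [int]$prop.Value } else { $null }
        $label  = if ($actual -ne $null -and $labels.ContainsKey($actual)) { $labels[$actual] } else { "unknown ($actual)" }
        New-Object PSObject -Property @{
            Id       = $w.Id
            Setting  = $w.Setting
            Actual   = $label
            Expected = $labels[$w.Want]
            OK       = ($actual -eq $w.Want)
        }
    }
}

function Get-KillBitCount {
    if (-not (Test-Path $killBitRoot)) { return 0 }
    $count = 0
    foreach ($clsid in Get-ChildItem $killBitRoot) {
        $flags = (Get-ItemProperty $clsid.PSPath).'Compatibility Flags'
        # 0x400 is the kill bit; other bits in the DWORD mean other compatibility flags
        if ($flags -ne $null -and (([int64]$flags) -band 0x400) -ne 0) { $count++ }
    }
    return $count
}

$results = @(Test-InternetZoneActiveX)
$results | Format-Table Id, Setting, Actual, Expected, OK -AutoSize

$wrong = @($results | Where-Object { -not $_.OK })
if ($wrong.Count -eq 0) {
    Write-Host "Internet zone ActiveX settings match the recommended values."
} else {
    Write-Host ("{0} Internet zone setting(s) differ from the recommended values; re-check step 3." -f $wrong.Count)
}
Write-Host ("{0} CLSIDs currently carry an ActiveX kill bit." -f (Get-KillBitCount))
```

    A kill-bit count of zero after installing and updating SpywareBlaster means its protection was never written (or the wrong hive is being read), which is exactly the kind of silent failure the post's "keep it updated" advice is meant to avoid.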

    #15 vancwa (Topic Starter, Members, 27 posts)

    Posted 01 March 2010 - 12:32 AM

    Removing ComboFix was fine. After that, I have a problem.

    After launching Defogger, when I try to re-enable the CD emulation drivers I get an ominous pop-up error that just says "Unable to open file". So I went back and re-downloaded Defogger and the same thing still happens. I have no idea what would be causing this. Obviously - I never got to the "Finished" stage. Just for grins I disabled the AVG scanner and that didn't help. What's going on here?

    Oh yeah - the defogger enable file said this:

    defogger_enable by jpshortstuff (23.02.10.1)
    Log created at 21:07 on 28/02/2010 (Frank)

    Parsing file...


    -=E.O.F=-

    vancwa

    Edited by vancwa, 01 March 2010 - 12:39 AM.