
Infected with Google redirect virus


  • This topic is locked
21 replies to this topic

#1 Seagull7

  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 04 March 2010 - 09:57 PM

My husband's computer has the redirect virus and I have no idea where to start to remove it. I don't know what it's called or where to look. I am currently backing up his data and e-mails, but thought I would post ahead of that to start the ball rolling. This has been happening to him for about 2 weeks.

When he goes to google and does a search, normal sites are listed, but when he clicks on them he is redirected to one of many various, seemingly random, sites. This seems to be the only symptom, but I suspect that there is something deeper at work.

Below are my logs from dds and gmer. Any help would be appreciated.

One note, earlier today he contracted the Win 7 Antispyware 2010 virus (which is interesting because he has XP home SP3) and I seem to have successfully cleaned his machine from that using malwarebytes.

He has AVG free running on his computer and only uses Firefox as his browser.

I hope that's enough.

Here is the dds log:
attach.txt and ark.txt are attached



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 21:01:12.06 on Thu 03/04/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.384 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Common Files\eFax\dllcmd32.exe
C:\Program Files\NETGEAR\WG111U Configuration Utility\WG111UCFG.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UIUCU] c:\docume~1\owner\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\jetsuite\JETSTAT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\liveme~1.lnk - c:\program files\common files\efax\dllcmd32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111u configuration utility\WG111UCFG.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261595444656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tnvw0vcx.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-2 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-2 360584]
R1 jsmux;jsmux;c:\windows\system32\drivers\JSMUX.SYS [2010-1-3 173880]
R1 jsscan;jsscan;c:\windows\system32\drivers\JSSCAN.SYS [2010-1-3 56672]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-2 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-2 285392]
R2 jsfax;jsfax;c:\windows\system32\drivers\JSFAX.SYS [2010-1-3 59604]
S3 ATHFMWDL;NETGEAR WG111U Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [2010-2-20 43264]
S3 WG111U;NETGEAR WG111U Driver;c:\windows\system32\drivers\wg111u.sys [2010-2-22 282976]
S4 jsdbg;jsdbg;c:\windows\system32\drivers\JSDBG.SYS [2010-1-3 50352]

=============== Created Last 30 ================

2010-03-05 00:15:18 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-05 00:15:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 00:15:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 00:15:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 00:15:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-23 04:38:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-22 11:55:14 282976 ----a-w- c:\windows\system32\drivers\wg111u.sys
2010-02-22 11:55:14 143208 ----a-w- c:\windows\system32\drivers\ar5523.bin
2010-02-22 11:42:50 827392 ----a-w- c:\windows\system32\AegisE5.dll
2010-02-22 11:42:50 651264 ----a-w- c:\windows\system32\libeay32.dll
2010-02-22 11:42:50 15781 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2010-02-22 11:42:50 147456 ----a-w- c:\windows\system32\ssleay32.dll
2010-02-22 11:42:50 0 d-----w- c:\program files\NETGEAR
2010-02-22 11:42:48 16736 ----a-w- c:\windows\system32\drivers\wg111u.inf
2010-02-22 11:42:48 0 ----a-w- c:\windows\system32\drivers\wg111u.cat
2010-02-22 11:42:46 1840 ----a-w- c:\windows\system32\drivers\athfmwdl.inf
2010-02-22 11:42:46 0 ----a-w- c:\windows\system32\drivers\athfmwdl.cat
2010-02-22 11:42:13 61440 ----a-w- c:\windows\system32\W32N50.dll
2010-02-22 11:42:13 16292 ----a-w- c:\windows\system32\PCANDIS5.SYS
2010-02-20 22:00:36 43264 ----a-w- c:\windows\system32\drivers\athfmwdl.sys
2010-02-20 13:32:23 69 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences2.dat
2010-02-20 13:31:22 41 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences.dat
2010-02-20 13:31:08 0 d-----w- c:\windows\.jagex_cache_32
2010-02-19 05:43:49 151 ----a-w- c:\windows\PhotoSnapViewer.INI
2010-02-03 14:37:49 0 d-----w- c:\docume~1\alluse~1\applic~1\LightScribe
2010-02-03 14:19:02 0 d-----w- C:\Twilight New Moon

==================== Find3M ====================

2010-02-27 01:58:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-03 23:31:07 13416 ----a-w- c:\windows\hpbins01.dat
2010-01-03 22:51:59 34918 ----a-w- c:\windows\fonts\Braggadocio.ttf
2010-01-02 20:12:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 17:38:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 16:27:02 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-12-23 16:27:02 32218 ----a-w- c:\windows\system32\HSFCI008.dll
2009-12-23 15:07:17 577536 ----a-w- c:\windows\soundman.exe
2009-12-23 15:07:17 135168 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-12-23 15:07:17 10476032 ----a-w- c:\windows\system32\RTLCPL.exe
2009-12-23 15:07:13 217088 ----a-w- c:\windows\Alcrmv.exe
2009-12-23 15:07:12 40960 ----a-w- c:\windows\system32\ChCfg.exe
2009-12-23 15:07:12 307200 ----a-w- c:\windows\alcupd.exe
2009-12-23 15:05:51 33280 ----a-w- c:\windows\system32\NVCOI.DLL
2009-12-23 15:05:51 176128 ----a-w- c:\windows\system32\nvusmb.exe
2009-12-23 15:05:50 290304 ----a-w- c:\windows\system32\idecoi.dll
2009-12-23 14:36:12 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 21:01:46.48 ===============



Thanks in advance for any help!



Attached Files
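How a responder reads the autostart sections of a log like the one above: the entries worth a second look are nameless Run values, entries whose target file is gone, and anything that persists from a temp or user-profile directory. The script below is an added example, not part of Seagull7's post or of the DDS/OTL tools; the sample lines are constructed in the shape of the DDS "Pseudo HJT Report" and OTL "O4" lines in this thread, and the flag names and heuristics are this example's own. Note that the UIUCU.EXE hit it produces is, per the OTL log later in the thread, a Conexant modem-driver cleanup utility, which is exactly why a flag is a lead to verify rather than a verdict.

```python
import re

# Constructed sample lines in the shape of the DDS "Pseudo HJT Report"
# and OTL "O4" autostart sections posted above (not a real log).
SAMPLE_LINES = [
    r"uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden",
    r"mRun: [UIUCU] c:\docume~1\owner\locals~1\temp\UIUCU.EXE -CLEAN_UP -S",
    r"mRun: [<NO NAME>]",
    r"mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe",
    r"O4 - HKLM..\Run: [nwiz] File not found",
    r"O4 - HKLM..\Run: [UIUCU] C:\Documents and Settings\Owner\Local Settings\Temp\UIUCU.EXE (Conexant Systems, Inc.)",
]

# DDS form:  mRun: [Name] command        OTL form:  O4 - HKLM..\Run: [Name] command
DDS_RE = re.compile(r"^([umd]Run(?:Once)?):\s*\[(.*?)\]\s*(.*)$")
OTL_RE = re.compile(r"^O4 - (.+?)\.\.\\Run:\s*\[(.*?)\]\s*(.*)$")

# Locations a persistent autostart entry has no business living in.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\(?:docume~1|documents and settings|users)\\", re.IGNORECASE)


def parse_entry(line):
    """Return (scope, name, command) for a DDS or OTL autostart line, else None."""
    for pattern in (DDS_RE, OTL_RE):
        m = pattern.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def flags_for(name, command):
    """Heuristic flags (example's own names); each is a lead to verify, not a verdict."""
    flags = []
    if name.strip() in ("", "<NO NAME>"):
        flags.append("EMPTY_NAME")       # nameless Run values are a classic hiding spot
    if "File not found" in command:
        flags.append("FILE_NOT_FOUND")   # dangling entry: leftover of a removal or a deleted dropper
    if TEMP_RE.search(command):
        flags.append("TEMP_PATH")        # persistence from a temp directory
    if PROFILE_RE.search(command):
        flags.append("USER_PROFILE")     # user-writable location: no admin rights needed to plant it
    return flags


def triage(lines):
    """Parse autostart lines and return only the entries that raise at least one flag."""
    hits = []
    for line in lines:
        parsed = parse_entry(line.strip())
        if parsed is None:
            continue
        scope, name, command = parsed
        flags = flags_for(name, command)
        if flags:
            hits.append({"scope": scope, "name": name, "command": command, "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"{hit['scope']:<8} [{hit['name']}] {', '.join(hit['flags'])}\n    {hit['command']}")
```

Run against the sample it reports the two UIUCU entries, the nameless mRun value, and the dangling nwiz entry, and stays quiet on the LightScribe and AVG lines. Clean entries in Program Files are not proof of anything either; the point of the pass is to shrink a 200-line log to the handful of lines that need the verification work.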



#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 05:42 PM

Hello and welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks

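The /md5start ... /md5stop block in the instructions above hashes boot-critical storage drivers (atapi.sys, iaStor.sys, nvata.sys and so on) because a driver infector patches the file in place: the size and timestamp stay plausible and only the content changes, so a hash against a known-good baseline is the check that catches it. The script below is an added example of that baseline check, not part of syler's post or of OTL; the driver directory, file contents and the "patch" are constructed so it runs offline, and it uses SHA-256 rather than OTL's MD5 because MD5 collisions are practical. Two caveats a practitioner would want: the baseline has to come from a clean system, never from the machine you already suspect, and a kernel-mode rootkit that filters disk reads can hand a user-mode hasher the original bytes, so on a live infected box this check belongs in a clean boot environment (rescue media), not in the running OS.

```python
import hashlib
import os
import shutil
import tempfile

# Subset of the drivers the OTL /md5start block above hashes.
WATCHED_DRIVERS = ["atapi.sys", "iaStor.sys", "nvata.sys", "nvstor.sys", "AGP440.sys"]


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large drivers do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(driver_dir, names=WATCHED_DRIVERS):
    """Record hashes of the watched drivers that exist. Take this on a known-clean
    system or from a trusted offline boot, never on the machine you already suspect."""
    baseline = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if os.path.isfile(path):
            baseline[name] = file_sha256(path)
    return baseline


def check_drivers(driver_dir, baseline):
    """Compare a driver directory against the baseline.
    Statuses: ok, MODIFIED (hash changed), missing (baselined file gone), unbaselined (new .sys)."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif file_sha256(path) != expected:
            report[name] = "MODIFIED"
        else:
            report[name] = "ok"
    # Any .sys file that was not there when the baseline was taken deserves a look too.
    for name in os.listdir(driver_dir):
        if name.lower().endswith(".sys") and name not in baseline:
            report[name] = "unbaselined"
    return report


def demo():
    """Constructed scenario (not real driver files): three fake drivers, then an in-place
    patch of atapi.sys that keeps the size identical, one driver deleted and one added."""
    driver_dir = tempfile.mkdtemp(prefix="drivers_")
    try:
        for name in ("atapi.sys", "nvata.sys", "iaStor.sys"):
            with open(os.path.join(driver_dir, name), "wb") as f:
                f.write(b"MZ" + bytes(0x200) + b"clean " + name.encode() + b" body")
        baseline = build_baseline(driver_dir)

        # Overwrite five bytes at a fixed offset: size and name unchanged, hash is not.
        with open(os.path.join(driver_dir, "atapi.sys"), "r+b") as f:
            f.seek(0x100)
            f.write(b"\xe9\x00\x10\x00\x00")
        os.remove(os.path.join(driver_dir, "iaStor.sys"))
        with open(os.path.join(driver_dir, "newdrv.sys"), "wb") as f:
            f.write(b"MZ" + bytes(0x200))

        return check_drivers(driver_dir, baseline)
    finally:
        shutil.rmtree(driver_dir, ignore_errors=True)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:<12} {name}")
```

The demo reports atapi.sys as MODIFIED, nvata.sys as ok, iaStor.sys as missing and newdrv.sys as unbaselined. In real use, point build_baseline at %SystemRoot%\system32\drivers of a clean install of the same service pack, store the result, and run check_drivers from rescue media against the suspect disk.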


#3 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 09 March 2010 - 07:48 PM

Syler, thanks for your attention in this matter. Sorry it's been 2 days, my life is hectic (big family) and the infected computer is not my personal computer so I don't always have access to it.

One thing that's new since my last post - the AVG Free popped up a message after a reboot and it said that the computer has the "patched.CH" virus (or trojan, I can't remember!) and that the infected file was windows\sys32\drivers\atapi.sys.

Thanks again for your time.

I keep getting errors when I try to post - something about the server being reset, so if I'm missing something, I apologize. I think I'm going to post the logs in a separate reply and see if that doesn't work better.



Edited by Seagull7, 09 March 2010 - 07:56 PM.


#4 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 09 March 2010 - 07:56 PM

OTL logfile created on: 3/9/2010 7:38:44 PM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 149.00 Mb Available Physical Memory | 17.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 121.41 Gb Free Space | 81.46% Space Free | Partition Type: NTFS
Drive D: | 7.20 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-817678F09
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/09 19:37:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/03/06 04:47:25 | 011,952,304 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/02/18 06:47:00 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/03 09:58:52 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/01/02 15:12:34 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/01/02 15:12:33 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/01/02 15:12:33 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/01/02 15:12:33 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/01/02 15:12:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/01/02 15:12:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/12/23 10:07:17 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2009/08/19 10:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 10:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/04/23 02:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/13 19:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/25 08:47:24 | 001,629,480 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/06/25 08:47:12 | 001,552,680 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2007/06/25 08:47:02 | 001,057,064 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe
PRC - [2004/11/12 17:43:50 | 001,073,238 | ---- | M] () -- C:\Program Files\NETGEAR\WG111U Configuration Utility\WG111UCFG.exe
PRC - [2003/08/06 13:24:20 | 012,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [1999/10/19 17:03:10 | 000,065,024 | ---- | M] (eFax.com) -- c:\jetsuite\jsfman.exe
PRC - [1999/10/13 13:15:12 | 000,147,456 | ---- | M] (eFax.com) -- C:\jetsuite\JETSTAT.EXE
PRC - [1999/09/22 11:48:52 | 000,045,056 | ---- | M] (JetFax, Inc.) -- c:\jetsuite\JSDAEMON.EXE
PRC - [1999/08/24 12:45:58 | 000,026,112 | ---- | M] (eFax.com) -- C:\Program Files\Common Files\eFax\dllcmd32.exe


========== Modules (SafeList) ==========

MOD - [2010/03/09 19:37:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/02 15:12:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/01/02 15:12:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2007/06/25 08:47:12 | 001,552,680 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [1999/09/22 11:48:52 | 000,045,056 | ---- | M] (JetFax, Inc.) [Auto | Running] -- c:\jetsuite\JSDAEMON.EXE -- (jsdaemon)


========== Driver Services (SafeList) ==========

DRV - [2010/01/02 15:12:48 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/01/02 15:12:42 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/01/02 15:12:42 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/12/23 11:27:02 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2009/12/23 11:27:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/12/23 11:27:02 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2009/12/23 10:07:15 | 003,842,560 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2009/12/23 10:05:51 | 000,098,432 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2009/11/20 21:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/01/28 09:02:24 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2009/01/28 09:02:23 | 000,054,144 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007/06/25 08:47:12 | 000,038,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/06/25 08:47:12 | 000,036,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/06/25 08:47:02 | 000,119,080 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/11/12 16:49:02 | 000,282,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111u.sys -- (WG111U)
DRV - [2004/11/12 16:49:00 | 000,043,264 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athfmwdl.sys -- (ATHFMWDL)
DRV - [2004/11/12 16:49:00 | 000,016,292 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)
DRV - [2004/11/12 16:49:00 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [1999/09/22 11:48:52 | 000,173,880 | ---- | M] (JetFax, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\JSMUX.SYS -- (jsmux)
DRV - [1999/09/22 11:48:52 | 000,059,604 | ---- | M] (JetFax, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\JSFAX.SYS -- (jsfax)
DRV - [1999/09/22 11:48:52 | 000,056,672 | ---- | M] (JetFax, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\JSSCAN.SYS -- (jsscan)
DRV - [1999/09/22 11:48:52 | 000,050,352 | ---- | M] (JetFax, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\JSDBG.SYS -- (jsdbg)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1482476501-1409082233-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1482476501-1409082233-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en.wikipedia.org/wiki/Main_Page"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/01/02 15:12:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/23 07:54:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 06:47:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/06 04:47:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/01/02 11:01:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/01/02 11:01:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/01/02 10:51:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tnvw0vcx.default\extensions
[2010/03/09 07:44:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1482476501-1409082233-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\P

#5 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 09 March 2010 - 07:58 PM

The rest of the log from OTL.txt

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UIUCU] C:\Documents and Settings\Owner\Local Settings\Temp\UIUCU.EXE (Conexant Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE (eFax.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk = C:\Program Files\Common Files\eFax\dllcmd32.exe (eFax.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111U Configuration U

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 March 2010 - 08:00 PM

Hi Seagull7,

Your logs are missing parts can you please try and post them again, thanks.

EDIT - that still isn't the whole log, and there should be two logs. Please try attaching them both separately to the thread; each log should end with < End of report >

Edited by syler, 09 March 2010 - 08:03 PM.



#7 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 09 March 2010 - 08:03 PM

It won't let me post the entire log...

I'm going to attach them, I hope that's okay.

Attached Files



#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 March 2010 - 08:17 PM

That's done it this time, not much showing there though.
  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.



#9 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 09 March 2010 - 08:32 PM

Okay, I kind of botched this, but I think I'm okay.

I extracted and ran the TDSSKiller program. If I remember correctly, it found a few things in the rootkit - one of them being that atapi.sys... It told me they were all healed now and to press any key. I tried to do a CTRL A to select all, so I could paste the screen in if the log didn't give the details - and it closed the whole program out! I tried to re-run it, but then it, of course, found nothing.

I can't find any log anywhere. Sorry.

Should I do a reboot and then see if the re-direct is still a problem?

Karen

#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 March 2010 - 09:22 PM

The log should be at the root of your C drive C:\TDSSKiller.txt with time and date appended.



#11 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 10 March 2010 - 07:47 PM

I don't have access to the computer right now, but husband did do a reboot in the night and the re-direct problem is gone.

If you think I should, I will get to that computer and post the log, but all seems well now.

Thank you for all you've done so far.

#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 March 2010 - 07:55 PM

Well, it sounds like it has probably taken out the main problem, but just because there are no more symptoms it doesn't mean there isn't still something lurking in the background, so I would still like to check over your computer. When you have a chance please post a new OTL log; try to paste it into the thread first and if you are still having trouble doing that, attach it. Thanks.



#13 Seagull7

  • Topic Starter
  • Members
  • 12 posts
  • Location:Tennessee, USA

Posted 10 March 2010 - 10:56 PM

Will attempt to find and post the TDSSKiller log and a new OTL log. Will have to be 3/11. Thanks again.

#14 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 March 2010 - 06:13 PM

No problem, and you're welcome.



#15 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 15 March 2010 - 08:50 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
