Again, below are the problems I am having with my laptop:
The problem started when my browser started redirecting me to sites that I did not select from the search result list. It happens on both Yahoo and Google search. 90% of the time, I will be redirected.
I've downloaded anti-malware/spyware programs like MalwareBytes and Lavasoft's AdAware. I ran the programs and they were able to clean/quarantine some files, but the problem did not go away. I even disabled some of the add-ons that I have on my IE.
Then I ran HijackThis and found that there is an issue with my UserInit registry entry. "C:\Program Files\Microsoft\Destoplayer.exe" is being added to the string. It keeps coming back even after I remove it from the string. I also cannot delete c:\Program Files\Microsoft\Destoplayer.exe.
I then downloaded Process Explorer. With this tool, I was able to delete c:\Program Files\Microsoft\Destoplayer.exe. I then created a dummy 0-byte file in the same folder with the same filename (Desktoplayer.exe). When I checked Userinit again, "c:\Program Files\Microsoft\Destoplayer.exe" was gone, but <filename>srv.exe had been added to the string. The <filename> is the same as that of an .exe file under my "Program Files" folder. I also discovered that the virus is creating other <filename>srv.exe files in other folders under "C:\Program Files". I can delete some of them, but one file cannot be deleted. With the help of Process Explorer, by closing the handle on that srv.exe file, I was able to delete it. It then allows me to modify the Userinit registry entry, but everything COMES BACK once I reboot. Even if I clean/remove the files from Safe Mode, they still come back. During this time, I also noticed that my laptop is becoming very slow.
Below are some of the things that I observed during the time I was working on the problem:
1. After removing the srv files, rebooting into Safe Mode, and bringing up Task Manager, I noticed that the srv files are not there anymore, and it allows me to modify Userinit and is not appending anything to the string value. But since I have to check whether there are any srv.exe files in the system, I have to bring up Windows Explorer. Once Explorer is up, the virus creates ExplorerSrv.exe in the Windows folder. Again, this can only be deleted after closing the handle from Process Explorer. After deleting the file, I can modify UserInit again. I also noticed that while doing this in Safe Mode, IE keeps showing up. I have to close it so I can continue working.
2. When I rebooted in Normal Mode and brought up Task Manager, I could see the new <filename>srv.exe files in Task Manager. Some of them just go away; some I have to delete from Task Manager itself. These <filename>srv.exe files are then created again inside the folders in "c:\Program Files". They are created with the same name and in the same folder as the "Services" being executed when I log on. I can also see IExplorer.exe in Task Manager even though IE is not showing up. Again, I can delete most of them, and at least one I have to kill from Process Explorer before I can delete it. Userinit is modified again with the newly appended srv.exe file. I can modify Userinit after all <filename>srv.exe files have been deleted.
But everything is back when I reboot again.
I don't see anything wrong in the "BootExecute" entry in the registry. And since "Services" come first, before the user enters the password, I suspect the problem is in the "Services" entry, either in msconfig or the Registry. But I do not know which ones are legitimate.
I have already reset IE.
I have already spent so many hours trying to fix the problem but to no avail. Any help that you can extend is greatly appreciated. I'm not sure if the redirect was fixed, since I stopped using the internet from that machine when I discovered the Desktoplayer.exe.
Thank you very much for your immediate attention regarding this matter.
As per your instruction, I followed the Guide, starting with #6.
CD Emulation Software was disabled using DeFogger.
Here is the DDS.txt:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:15:07.28 on Fri 07/30/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.269 [GMT -4:00]
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner.LISSALOWE\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6448
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\adobe\acrobat 7.0\reader\acrord32infosrv.exe,c:\progra~1\symant~1\symant~1\rtvscansrv.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\progra~1\google\GOOGLE~1.DLL
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [{A056F4DE-9476-65FD-9028-4A236B223BB3}] "c:\documents and settings\owner.lissalowe\application data\qiemzo\tebin.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [BJPD HID Control] c:\program files\canon\bjpv\TVMon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mPolicies-system: EnableLUA = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-23 64288]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-4-15 2235760]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-3-16 47504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30720]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-9-2 671744]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-3-16 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-3-16 673872]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 221184]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100716.004\NAVENG.sys [2010-7-16 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100716.004\NAVEX15.sys [2010-7-16 1362608]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [2006-6-17 5120]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-28 24652]
=============== Created Last 30 ================
2010-07-30 14:01:47 0 ----a-w- c:\documents and settings\owner.lissalowe\defogger_reenable
2010-07-30 13:58:49 45568 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-26 21:48:37 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 03:31:40 0 d-----w- c:\program files\Microsoft
2010-07-26 01:52:31 2148 ----a-w- c:\windows\system32\wpa.dbl
2010-07-23 18:21:39 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-23 13:55:59 59904 -c--a-w- c:\windows\system32\dllcache\regsvc.dll
2010-07-23 13:55:59 59904 ----a-w- c:\windows\system32\regsvc.dll
2010-07-20 23:24:31 24576 ----a-w- c:\windows\system32\userinitnew.exe
2010-07-20 17:32:03 74752 -c--a-w- c:\windows\system32\dllcache\spoolss.dll
2010-07-20 17:32:03 74752 ----a-w- c:\windows\system32\spoolss.dll
2010-07-18 13:16:18 38 ----a-w- c:\windows\KillJobs.bat
2010-07-18 13:14:10 58368 ----a-w- c:\windows\jt.exe
2010-07-18 02:33:32 4467 ----a-w- c:\windows\wininit.ini
2010-07-18 01:42:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-11 22:30:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 21:20:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
==================== Find3M ====================
2010-07-20 05:07:23 749568 ----a-w- C:\StubInstaller.exe
2010-07-06 17:28:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-27 03:00:01 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-23 17:55:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 10:27:47.96 ===============
Thanks again for the attention on this issue.
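The two persistence symptoms described in the post (extra programs appended to the Winlogon `Userinit` value, and `<name>srv.exe` clones dropped beside legitimate executables such as `rtvscansrv.exe` next to `rtvscan.exe`) can be picked out of a DDS-style log mechanically. The script below is an added example written for this page; it is not part of the original post and not code from the DDS or HijackThis tools. It assumes the log lines follow the format shown above, treats the single entry `c:\windows\system32\userinit.exe` as the only expected Userinit program on Windows XP, and uses the `*srv.exe` name and "autorun from Application Data" checks as heuristics to be reviewed by hand. The sample log is constructed from a handful of lines in the post's own output.

```python
"""Triage a DDS / HijackThis-style log for the Userinit-append and
'<name>srv.exe' persistence pattern. Added example, not from the post."""
import re
from typing import Dict, List

# On Windows XP the Winlogon Userinit value normally names exactly this program.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample in the same format as the DDS output quoted in the post.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\adobe\acrobat 7.0\reader\acrord32infosrv.exe,c:\progra~1\symant~1\symant~1\rtvscansrv.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{A056F4DE-9476-65FD-9028-4A236B223BB3}] "c:\documents and settings\owner.lissalowe\application data\qiemzo\tebin.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
2010-07-30 13:58:49 45568 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-20 23:24:31 24576 ----a-w- c:\windows\system32\userinitnew.exe
"""

# A drive-letter path up to the first ".exe"; paths may contain spaces and may be quoted.
PATH_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)


def parse_userinit(line: str) -> List[str]:
    """Split a 'Userinit=' value into its comma-separated program paths."""
    m = re.search(r"Userinit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def unexpected_userinit(entries: List[str]) -> List[str]:
    """Anything besides the one expected userinit.exe entry is suspicious."""
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def extract_exe_paths(line: str) -> List[str]:
    """All executable paths mentioned on a log line."""
    return [m.group(0) for m in PATH_RE.finditer(line)]


def is_srv_clone(path: str) -> bool:
    """Heuristic: file name ends in 'srv.exe', the clone naming pattern from the post."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith("srv.exe")


def from_user_profile_data(path: str) -> bool:
    """Heuristic: autorun entries launching from a per-user Application Data folder."""
    return "\\application data\\" in path.lower()


def _dedupe(items: List[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the suspicious items found in the log, grouped by check."""
    findings: Dict[str, List[str]] = {
        "userinit_extra": [],
        "srv_clones": [],
        "appdata_autoruns": [],
    }
    for line in log_text.splitlines():
        if "userinit=" in line.lower():
            findings["userinit_extra"].extend(unexpected_userinit(parse_userinit(line)))
        is_autorun = re.match(r"[um]Run:", line) is not None
        for path in extract_exe_paths(line):
            if is_srv_clone(path):
                findings["srv_clones"].append(path)
            if is_autorun and from_user_profile_data(path):
                findings["appdata_autoruns"].append(path)
    return {k: _dedupe(v) for k, v in findings.items()}


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

Run against a real DDS.txt by reading the file into `triage()`; every hit is a candidate for manual review (a legitimate product could in principle ship a `*srv.exe`), but a `Userinit` value with more than the one expected program is the clearest indicator and matches exactly what the post reports.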