wellzy
asked on
Search results get redirected in IE8 & FF
My computer was recently infected with a browser helper object (or similar) and I cannot seem to remove it. I have done a lot of research and tried everything I have read about. When I do a Google search and click on the links I get redirected to other sites. My system info: Win XP Professional Service Pack 3, Avast Professional Anti-Virus, Ad-Aware (free version). Here is what I have run so far to try and detect and remove it: Avast, AVG, Kaspersky Online scan, Combofix, Malwarebytes, Super Anti Spyware, Ad-Aware, Spybot Search & Destroy. I normally do not run all of these applications. Just trying to get it clean.
Please let me know if you need additional info.
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:22, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\Update Service\ISUSPM.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Intuit\QuickBooks 2009\qbw32.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intuit\QUICKB~2\QuickBooksMessaging.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Hijack-This\HijackThis.exe
C:\Program Files\Common Files\InstallShield\Update Service\agent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080913
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080913
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\Update Service\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72416BE3-010B-4335-98B4-2FDF03EA1C20}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9c426ed159bec) (gupdate1c9c426ed159bec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 12729 bytes
Did you try running IE or FF in safe mode to see if it's some plugin or toolbar crap that's causing it? Unlikely, but still worth a try.
ASKER
Yes, I did try that and it was the same.
O17 - HKLM\System\CCS\Services\Tcpip\..\{72416BE3-010B-4335-98B4-2FDF03EA1C20}: NameServer = 68.87.73.242,68.87.71.226
Are those your name servers? Check your dns tcp-ip configuration.
Please remove the following.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll
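The two checks in the reply above (orphaned O2/O18 entries, and whether the O17 NameServer addresses are really the user's own) are mechanical enough to script. The following is an added example written for this page, not code from the thread or from HijackThis. It assumes that the two addresses the asker later confirms as theirs are the only legitimate resolvers, and it runs over a constructed sample log: every line but one is copied from the log posted above, and the extra O17 line uses a made-up adapter GUID with a TEST-NET-3 address (RFC 5737) to stand in for a hijacked resolver.

```python
"""Triage a HijackThis v2.0.x log for the entry classes discussed in this thread.

Added example (not part of the original thread or of HijackThis itself).
It parses O2 (BHO), O17 (NameServer) and O18 (protocol handler) lines and flags:
  * O2 / O18 entries whose backing file is gone: "(no file)" / "(file missing)"
    (the three entries the reply asked to remove)
  * O17 NameServer addresses outside an allow-list of expected resolvers
    (the check behind "Are those your name servers?")
SAMPLE_LOG and EXPECTED_RESOLVERS are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Regexes for the HijackThis line formats used in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# How HijackThis marks a registered component whose file is no longer on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Assumption: the asker confirmed these two addresses are their ISP's resolvers,
# so they form the allow-list; anything else configured as NameServer is flagged.
EXPECTED_RESOLVERS = {"68.87.73.242", "68.87.71.226"}

# Constructed sample in HijackThis format. All lines but the second O17 entry are
# copied from the log in the thread; that one uses a made-up adapter GUID and a
# TEST-NET-3 address (RFC 5737) to stand in for a hijacked resolver.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{72416BE3-010B-4335-98B4-2FDF03EA1C20}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-1111-2222-3333-444444444444}: NameServer = 203.0.113.7
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\\Program Files\\AVG\\AVG9\\avgpp.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "O2", "O17" or "O18"
    detail: str    # the identifier to act on (CLSID, protocol scheme, IP address)
    reason: str    # why it was flagged


def file_is_missing(path: str) -> bool:
    """True when HijackThis reported the component's file as absent."""
    return any(marker in path for marker in MISSING_MARKERS)


def parse_nameservers(value: str) -> list[str]:
    """Split the comma-separated NameServer registry value into addresses."""
    return [addr.strip() for addr in value.split(",") if addr.strip()]


def triage(log_text: str, expected_resolvers: set[str]) -> list[Finding]:
    """Return the entries a first-pass reviewer of the log would ask about."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if file_is_missing(m["path"]):
                findings.append(Finding("O2", m["clsid"],
                                        "BHO registered but its DLL is gone (orphaned CLSID; candidate for removal)"))
        elif m := O17_RE.match(line):
            for addr in parse_nameservers(m["servers"]):
                if addr not in expected_resolvers:
                    findings.append(Finding("O17", addr,
                                            "NameServer not in the expected resolver list (possible DNS hijack)"))
        elif m := O18_RE.match(line):
            if file_is_missing(m["path"]):
                findings.append(Finding("O18", m["scheme"],
                                        "protocol handler registered but its file is missing (dead handler; candidate for removal)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{f.section:4} {f.detail:40} {f.reason}")
```

A clean run only means these three HijackThis sections contain nothing odd; HijackThis does not enumerate drivers or other kernel-mode components, so a redirect that survives the removals, a safe-mode test and an offline scan is not ruled out by it.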
ASKER
aktharchowdhury - those are my name servers
Try scanning that system with this live cd: (hopefully it detects and removes the "dns changer")
Kaspersky live cd http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
--It is in iso/image format so you will have to burn it to a cd.
--Once the cd is created, boot the infected machine to that cd and scan your system
NB-Update the virus database in live cd before scanning.
Also, do you have your installation media?
If so you may have to do a repair installation afterwards, depending on what infected files are removed:
http://michaelstevenstech.com/XPrepairinstall.htm
ASKER
I removed the following, but it is still doing it. I removed them, rebooted, ran CCleaner and it is still doing it.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll
Optoma - I am burning the ISO and scanning now
ASKER
OK, the Kaspersky boot scan found nothing. Not really sure what to do next. I am posting an updated HijackThis log. I have removed some apps to 'unclutter' it. If there are any other log files or scans I can do just let me know.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:51, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\Ati2ev xx.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\system32\Ati2ev xx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.e xe
C:\Program Files\Lavasoft\Ad-Aware\AA WService.e xe
C:\Program Files\Alwil Software\Avast4\ashServ.ex e
C:\WINDOWS\system32\spools v.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.ex e
C:\WINDOWS\system32\CTsvcC DA.exe
C:\Program Files\Java\jre6\bin\jqs.ex e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBS ERVER\Binn \sqlservr. exe
C:\WINDOWS\system32\HPZipm 12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB CFMonitorS ervice.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.e xe
C:\Program Files\Alwil Software\Avast4\ashWebSv.e xe
C:\Program Files\Lavasoft\Ad-Aware\AA WTray.exe
C:\PROGRA~1\ALWILS~1\Avast 4\ashDisp. exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\System32\svchos t.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusche d.exe
C:\Program Files\Common Files\InstallShield\Update Service\IS USPM.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB Update\qbu pdate.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\vssvc. exe
C:\WINDOWS\system32\dllhos t.exe
C:\WINDOWS\system32\dllhos t.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX E
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Hijack-This\HijackTh is.exe
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = partnerpage.google.com/sma llbiz.dell .com/en_us ?hl=en&cli ent=dell-u suk&channe l=us-smb&i bd=0080913
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Search,Default_Pa ge_URL = partnerpage.google.com/sma llbiz.dell .com/en_us ?hl=en&cli ent=dell-u suk&channe l=us-smb&i bd=0080913
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.d ll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5 164760863C 6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.d ll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0 445EE16191 0} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien t.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C E66B5AD205 D} - C:\Program Files\Google\GoogleToolbar Notifier\5 .3.4501.14 18\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-7 6C02E2E7C4 E} - C:\Program Files\Google\Google Toolbar\Component\fastsear ch_B7C5AC2 42193BB3E. dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9 C25C1C588A 9} - C:\Program Files\Java\jre6\bin\jp2ssv .dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-E ABFE594F69 C} - C:\Program Files\Java\jre6\lib\deploy \jqs\ie\jq s_plugin.d ll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0 819E2EAAC9 3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien t.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.d ll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast 4\ashDisp. exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\Update Service\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72416BE3-010B-4335-98B4-2FDF03EA1C20}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9c426ed159bec) (gupdate1c9c426ed159bec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\GoogleUpdater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 10927 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:51, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\Ati2ev
C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
C:\Program Files\Lavasoft\Ad-Aware\AA
C:\Program Files\Alwil Software\Avast4\ashServ.ex
C:\WINDOWS\system32\spools
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.ex
C:\WINDOWS\system32\CTsvcC
C:\Program Files\Java\jre6\bin\jqs.ex
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBS
C:\WINDOWS\system32\HPZipm
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\WINDOWS\system32\svchos
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
C:\Program Files\Alwil Software\Avast4\ashWebSv.e
C:\Program Files\Lavasoft\Ad-Aware\AA
C:\PROGRA~1\ALWILS~1\Avast
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\System32\svchos
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusche
C:\Program Files\Common Files\InstallShield\Update
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbar
C:\WINDOWS\system32\ctfmon
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\vssvc.
C:\WINDOWS\system32\dllhos
C:\WINDOWS\system32\dllhos
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Hijack-This\HijackTh
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-7
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-E
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusche
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {5ED80217-570B-4DA9-BF44-B
O16 - DPF: {CAFEEFAC-0016-0000-0005-A
O16 - DPF: {CAFEEFAC-0016-0000-0007-A
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O17 - HKLM\System\CCS\Services\T
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-0
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-8
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.ex
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.e
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.ex
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcC
O23 - Service: Google Update Service (gupdate1c9c426ed159bec) (gupdate1c9c426ed159bec) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.ex
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AA
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QB
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FC
O23 - Service: QuickBooksDB18 - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 10927 bytes
Do your browsers have any proxy servers set? (Tools, Internet Options, Connections tab, LAN Settings button)
Check the hosts file at c:\Windows\System32\drivers\etc
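The checks asked for in this thread (proxy settings, the hosts file, the DNS servers recorded in the O17 entry, BHOs, and O23 services whose binary is missing) can be scripted so they are repeatable on the next machine. The following is an added example written for this page; it is not HijackThis code and not the expert's tool. It parses HijackThis-style lines and a hosts file. The sample log and hosts file are constructed (the CLSIDs ending in `…000001/2/3` and the `192.0.2.x` addresses are placeholders, not real identifiers); the two expected DNS servers are the ones in the O17 line of the log above.

```python
"""Triage helpers for HijackThis-style log lines and a Windows hosts file."""
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the HijackThis format in the thread.
# CLSIDs ending in ...000001/2/3 and 192.0.2.x addresses are placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Reviewed Helper - {0A1B2C3D-0000-4000-8000-000000000001} - C:\Program Files\Reviewed\helper.dll
O2 - BHO: (no name) - {0A1B2C3D-0000-4000-8000-000000000002} - C:\WINDOWS\system32\unknown.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{72416BE3-010B-4335-98B4-2FDF03EA1C20}: NameServer = 68.87.73.242,68.87.71.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A1B2C3D-0000-4000-8000-000000000003}: NameServer = 192.0.2.53
O23 - Service: QuickBooksDB18 - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
"""

# Allowlists: DNS servers taken from the O17 line in the thread's log; the BHO
# CLSID is the constructed placeholder used in SAMPLE_LOG for a reviewed helper.
EXPECTED_DNS = {"68.87.73.242", "68.87.71.226"}
KNOWN_BHO_CLSIDS = {"{0A1B2C3D-0000-4000-8000-000000000001}"}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section code, e.g. "O17"
    reason: str   # why the entry was flagged
    detail: str   # the value that triggered the flag


def parse_entries(log_text):
    """Return (code, body) for every line that looks like a HijackThis entry."""
    entries = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text, known_bho_clsids=KNOWN_BHO_CLSIDS, expected_dns=EXPECTED_DNS):
    """Return the entries a reviewer would want to look at first."""
    known = {c.upper() for c in known_bho_clsids}
    findings = []
    for code, body in parse_entries(log_text):
        if code == "R1" and "ProxyServer" in body:
            # A proxy the user did not set reroutes every browser request.
            findings.append(Finding(code, "proxy configured", body.split("=", 1)[1].strip()))
        elif code == "O2":
            match = CLSID_RE.search(body)
            clsid = match.group(0).upper() if match else "(no clsid)"
            if clsid not in known:
                findings.append(Finding(code, "BHO not on reviewed allowlist", body))
        elif code == "O17":
            match = re.search(r"NameServer\s*=\s*(.+)$", body)
            if match:
                servers = [s.strip() for s in match.group(1).split(",")]
                rogue = [s for s in servers if s not in expected_dns]
                if rogue:
                    findings.append(Finding(code, "DNS server outside expected set", ",".join(rogue)))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(code, "service binary missing", body))
    return findings


def check_hosts(hosts_text):
    """Return (ip, name) pairs that map a hostname to a non-loopback address."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue   # ad-block style entries pointing at loopback are benign
        flagged.extend((ip, name) for name in names)
    return flagged


# Constructed sample hosts file: two entries send search sites elsewhere.
SAMPLE_HOSTS = """\
# constructed sample, not the asker's file
127.0.0.1       localhost
::1             localhost
192.0.2.99      www.google.com   # non-loopback mapping of a search site
192.0.2.99      search.yahoo.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}: {f.detail}")
    for ip, name in check_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
```

Run against the constructed input it reports the proxy, the unlisted BHO, the 192.0.2.53 resolver and the missing QuickBooksDB18 binary, plus the two hosts-file mappings. To use it on a real log, paste the HijackThis text into `SAMPLE_LOG` and put the resolvers your ISP or network actually hands out into `EXPECTED_DNS`; a resolver you do not recognise in an O17 entry is the classic cause of search redirects that survive browser reinstalls.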
ASKER
No proxy servers and my hosts file is clean.
Can you power down and unplug that machine and the router for ten minutes.
Reboot all and see if redirection happens
ASKER
Powering down. I will let you know shortly. I am on a network and none of the other PCs have been affected but I will try anyway.
ASKER
OK, I powered down, unplugged everything and it is still the same.
Ok
Could you run autoruns (don't make any changes within autoruns)
Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Within Autoruns, select the file tab and select save (Ctrl+S)
Upload that file (autoruns.arn) to http://www.ee-stuff.com/Expert/Upload/upload.php
If we can't see anything in autoruns, we can try and get other experts in to review :)
OK, plan Q. Open up task manager and internet explorer, start killing tasks as you check the browser for redirects - maybe you'll hit the process that's causing it.
Plan R. rebuild the system and call it a day. You'll probably spend less time on it at this point.
ASKER
OK, I have uploaded my autoruns.arn file
Searched for it there and nothing yet.
Attach it here. Rename it to autoruns.arn.txt or autoruns.txt to upload here
ASKER
OK, trying again. It should be attached here.
AutoRuns.arn.txt.txt
Thanks Wellzy, got that but nothing dodgy showing up :(
When the browsers are redirected what kinda sites are you ending up with?
ASKER CERTIFIED SOLUTION
ASKER
Here is the ComboFix log. I will run the GMER Rootkit Scanner and post next.
ComboFix 09-10-25.02 - Stephen 10/26/2009 8:00.3.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2692 [GMT -4:00]
Running from: c:\documents and settings\Stephen\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 091025-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.
2009-10-26 11:57 . 2008-01-31 21:23 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-10-22 20:26 . 2009-10-22 20:26 -------- d-----w- c:\program files\AVG
2009-10-22 15:26 . 2009-10-22 15:26 -------- d-----w- c:\windows\Performance
2009-10-22 15:26 . 2009-10-22 15:26 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\Microsoft Corporation
2009-10-21 19:59 . 2009-10-21 19:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-21 17:23 . 2009-10-21 17:41 -------- d-----w- c:\documents and settings\Stephen\.housecall6.6
2009-10-21 13:37 . 2009-10-21 13:42 -------- d-----w- C:\ComboFix
2009-10-20 13:25 . 2009-10-20 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-20 13:25 . 2009-10-21 20:08 -------- d-----w- c:\documents and settings\Stephen\Application Data\SUPERAntiSpyware.com
2009-10-19 16:03 . 2009-10-20 15:32 -------- d-----w- c:\program files\BHODemon 2
2009-10-19 15:55 . 2009-10-23 14:07 -------- d-----w- c:\program files\Trend Micro
2009-10-19 15:06 . 2009-10-19 15:06 -------- d-----w- c:\program files\Safer Networking
2009-10-19 14:58 . 2009-10-23 16:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-19 14:58 . 2009-10-23 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-19 13:57 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 13:57 . 2009-10-19 13:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 13:57 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 13:18 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-19 12:36 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-19 12:34 . 2009-10-19 12:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 12:34 . 2009-10-19 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-19 12:34 . 2009-10-19 12:34 -------- d-----w- c:\program files\Lavasoft
2009-10-19 12:27 . 2009-10-19 12:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-19 12:26 . 2009-10-19 12:26 -------- d-----w- c:\program files\CCleaner
2009-10-19 11:55 . 2009-10-19 11:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-15 14:21 . 2009-10-15 14:22 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-10-09 12:55 . 2009-10-09 12:55 -------- d-----w- c:\documents and settings\Stephen\Application Data\Office Genuine Advantage
2009-10-05 18:41 . 2009-10-05 18:41 -------- d-----w- c:\program files\Microsoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 11:48 . 2008-10-07 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-23 16:05 . 2008-09-19 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-10-23 16:00 . 2009-07-14 17:59 -------- d-----w- c:\documents and settings\Stephen\Application Data\Amazon
2009-10-22 13:31 . 2008-09-19 19:48 -------- d-----w- c:\program files\Esi-Tools
2009-10-21 19:58 . 2008-09-13 04:07 -------- d-----w- c:\program files\Java
2009-10-21 19:55 . 2009-03-02 17:31 -------- d-----w- c:\documents and settings\Stephen\Application Data\Move Networks
2009-10-21 18:30 . 2008-09-13 04:12 -------- d-----w- c:\program files\Google
2009-10-21 18:17 . 2009-01-22 21:43 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-19 15:33 . 2009-04-16 16:33 -------- d-----w- c:\documents and settings\Stephen\Application Data\U3
2009-10-19 11:59 . 2009-10-19 11:59 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-15 15:38 . 2008-09-13 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-15 14:39 . 2008-09-13 04:16 75848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 21:03 . 2008-09-13 04:11 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 18:43 . 2008-09-18 13:30 -------- d-----w- c:\program files\Windows Live
2009-09-18 15:38 . 2008-09-18 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-09-18 15:20 . 2009-09-18 15:20 -------- d-----w- c:\documents and settings\Stephen\Application Data\CSE
2009-09-11 14:18 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 11:56 . 2009-01-09 19:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-25 16:16 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-17 16:10 . 2008-09-17 21:15 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-09-17 21:15 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-09-17 21:15 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-09-17 21:15 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-09-17 21:15 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-09-17 21:15 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-09-17 21:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-09-17 21:15 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-09-17 21:15 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\Update Service\ISUSPM.exe" [2007-08-30 205480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-21 149280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip Messaging Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk
backup=c:\windows\pss\UPS WorldShip Messaging Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=c:\windows\pss\UPS WorldShip PLD Reminder Utility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\UPS\\WSTD\\MSSQL$UPSWSDBSERVER\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\CoffeeCup Software\\FreeFTPFree-4.0.1\\FreeFTP.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/19/2009 8:36 AM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/17/2008 5:15 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/17/2008 5:15 PM 20560]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/13/2008 12:07 AM 8960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S2 gupdate1c9c426ed159bec;Google Update Service (gupdate1c9c426ed159bec);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 11:19 AM 133104]
S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/13/2008 12:07 AM 11264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/12/2009 9:47 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/12/2009 9:47 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/12/2009 9:47 AM 23680]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/13/2008 12:07 AM 16640]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:35]
2009-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\GoogleUpdater\GoogleUpdaterService.exe [2008-09-13 12:51]
2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 15:19]
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-23 15:19]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080913
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {72416BE3-010B-4335-98B4-2FDF03EA1C20} = 68.87.73.242,68.87.71.226
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\398q7awr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 08:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-26 8:08
ComboFix-quarantined-files.txt 2009-10-26 12:08
ComboFix2.txt 2009-10-21 13:57
Pre-Run: 251,965,136,896 bytes free
Post-Run: 252,172,439,552 bytes free
- - End Of File - - F8F4E3FF23F6548623EE5FCED8FB8B44
ASKER
ok, here is the GMER log. Not really a lot to it. I received no notifications while it was scanning.
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-26 11:16:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Stephen\LOCALS~1\Temp\uxtdypod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAC9796B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAC979574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAC979A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAC97914C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAC97964E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAC97908C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAC9790F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAC97976E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAC97972E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAC9798AE]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \FileSystem\Fastfat \Fat A8FDBD20
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- EOF - GMER 1.0.15 ----
ASKER
OK, now I have a question. Does the GMER Rootkit Scanner automatically remove unwanted items? The reason I ask is because my search results are no longer being redirected. I have been trying to get it to happen for half an hour or so, but it appears to be fixed and I am trying to figure out exactly what fixed it.
I am doubting that ComboFix fixed it because I had run it two previous times. Anyway, I will keep trying it today and let you know if it starts redirecting again. If it stays clean I will post back tonight (and award points).
Thanks again for all your help.
Thanks for the log.
<<<"Does the GMER Rootkit Scanner automatically remove unwanted items? The reason I ask is because my search results are no longer being redirected.">>>
No. Gmer doesn't automatically remove any threats found.
Combofix must've fixed the redirects. See the line below from the Combofix log. Recent nasties patched atapi.sys and also caused redirects.
<<<<Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected >>>
ASKER
That's what I thought. Well, glad it is finally fixed. I had already run Combofix 2-3 times before I posted my problem on EE.
ASKER
Thanks for all the help! This thread can be closed.
No problem... though you fixed it yourself, well done...
When you're done with Combofix, please uninstall it. Uninstallation will delete its backups, reset System Restore and create one restore point.
To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:
ComboFix /u
Thanks!
ASKER
Already uninstalled :p
In fact, I downloaded so many programs to scan, etc., that I've spent the morning uninstalling most of them.
I know it is irrelevant, but just so you know I got this spyware from one of those fake video posts on my Facebook wall. Apparently a friend's FB had been hijacked.
If you want to uninstall Gmer and need guidance let me know.
Thanks for the info on how your pc got infected.
Yes, since last year Myspace/Facebook have been targeted by malicious hackers, infecting many systems.
http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html
I just wanted to let everyone know what worked for me when I was in this situation with a PC I was working on.
The following programs were up to date and reported NO problems: Combofix, Malwarebytes, Spybot, Microsoft MSRT, SuperAntiSpyware.
I then found Dr. Web's CureIT (http://majorgeeks.com/Dr.Web_CureIT_d4783.html) and it revealed that explorer.exe and atapi.sys were infected. I HIGHLY recommend running this tool to fix search engine redirects!