Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads


Old 06-16-2011, 10:22 AM   #1
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Google redirect virus problem

I picked up what looks like a Google re-direct virus late last week. Whenever I try to go to a web site through Google I am redirected to a completely unrelated page. My computer is running impossibly slow now on all tasks either on-line or off. Occasionally Internet Explorer will open a new page on its own. AVG 2011 and Spybot have been no help. AVG has sent a lot of stuff to the vault including SHeur3.CETU with no result.
I am running Windows XP Pro, but I do not have an install or boot CD.
I have completed the pre-posting steps to the best of my ability and am including the logs that resulted from the requested scans of my computer.
Any help, please.
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Run by User at 11:54:45 on 2011-05-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.353 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*Yahoo! SearchBar Home Page
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - AT&&T Toolbar
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} -
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [UpdateFlow.ATT-SST] c:\program files\att-sst\mccibrowser.exe -appkey=att-sst -url=file://c:\program files\att-sst\offlineupdate\redirector.htm
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to AMV/AVI Video Converter... - c:\program files\media player utilities 4.25\amvconverter\grab.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{67A0532C-0894-439E-920A-CAEE57ACE2A6} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-5 352656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-20 517448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2009-6-15 264576]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-3 13532]
.
=============== Created Last 30 ================
.
2011-06-06 01:08:12 -------- d-----w- c:\documents and settings\user\application data\IObit
2011-06-06 01:08:09 -------- d-----w- c:\program files\IObit
2011-06-02 16:37:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-02 16:37:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-15 23:32:35 -------- d-----w- c:\windows\system32\%APPDATA%
2011-05-15 22:47:19 389120 ----a-w- c:\windows\system32\igxpun.exe
2011-05-08 13:29:13 -------- d-----w- c:\documents and settings\user\application data\Suomet
2011-05-08 13:29:13 -------- d-----w- c:\documents and settings\user\application data\Axutmu
.
==================== Find3M ====================
.
2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 2329 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 2329 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 2329 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 12:13:02 22992 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18:24 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST340014AS rev.3.20 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8630A4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x863107f0]; MOV EAX, [0x8631086c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk1\DR1[0x863E7718]
3 CLASSPNP[0xF7616FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006a[0x863CA9E8]
5 ACPI[0xF758D620] -> nt!IofCallDriver[0x804E13B9] -> [0x86350940]
\Driver\atapi[0x863CB500] -> IRP_MJ_CREATE -> 0x8630A4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8630A31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:57:51.26 ===============
Attached Files
File Type: zip attach.zip (3.4 KB, 9 views)
File Type: zip ark.zip (1.4 KB, 9 views)

__________________
uptowndowntown is offline  
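The three `Hosts:` lines in the Pseudo HJT Report above are the direct cause of the redirect symptom: www.google.com, search.yahoo.com and www.bing.com are mapped in the hosts file to 184.95.59.x, so the browser never reaches the real search engine. The script below is an added example, not code from the original post or from the DDS tool: it reads the `Hosts:` lines DDS prints (or the lines of a raw hosts file) and flags any watched search domain sent anywhere other than a loopback or 0.0.0.0 sinkhole. `WATCHED_DOMAINS` is an assumption chosen for this example; the three hijack lines in the sample are copied from the report above and the rest are constructed benign lines.

```python
"""Detect hosts-file redirect hijacks in a DDS "Pseudo HJT Report".

Added example, not code from the original forum post or from the DDS tool.
It reads the "Hosts:" lines that DDS prints (or the lines of a raw hosts file)
and reports entries that point a well-known search domain at an address that
is neither loopback nor 0.0.0.0, which is exactly the pattern behind a
"Google redirect" symptom. WATCHED_DOMAINS is an assumption for this example.
"""
import ipaddress
import re

# Domains a hosts file on a home machine should never override (assumption).
WATCHED_DOMAINS = frozenset({
    "www.google.com", "google.com",
    "search.yahoo.com", "www.yahoo.com",
    "www.bing.com", "bing.com",
})

# DDS prefixes each entry with "Hosts: "; a raw hosts file has no prefix.
# The "names" group stops before an optional "# comment".
_ENTRY = re.compile(r"^(?:Hosts:\s+)?(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts_entries(lines):
    """Yield (ip address, lowercase hostname) pairs from DDS or raw hosts lines.

    Lines whose first token is not an IP literal (other DDS report lines,
    comments, blanks) are skipped, so a whole DDS report can be fed in.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # e.g. "uStart Page = ..." or "TCP: DhcpNameServer = ..."
        for name in m.group("names").split():
            yield addr, name.lower()


def is_sinkhole(addr):
    """127.x / ::1 and 0.0.0.0 are how legitimate hosts files block a name."""
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(lines, watched=WATCHED_DOMAINS):
    """Return [(hostname, address)] for watched names sent anywhere but a sinkhole."""
    return [
        (name, str(addr))
        for addr, name in parse_hosts_entries(lines)
        if name in watched and not is_sinkhole(addr)
    ]


# Constructed sample: the three hijack lines from the DDS report above, mixed
# with ordinary report lines and benign hosts entries.
SAMPLE_DDS_LINES = [
    "uStart Page = hxxp://msn.com/",
    "TCP: DhcpNameServer = 192.168.1.254",
    "Hosts: 127.0.0.1 localhost",
    "Hosts: 0.0.0.0 ads.example.invalid",  # ad-blocking style entry, not a hijack
    "Hosts: 184.95.59.211 www.google.com",
    "Hosts: 184.95.59.212 search.yahoo.com",
    "Hosts: 184.95.59.212 www.bing.com",
]

if __name__ == "__main__":
    for name, addr in find_hijacks(SAMPLE_DDS_LINES):
        print(f"HIJACK {name} -> {addr}")
```

A clean Windows XP hosts file (c:\windows\system32\drivers\etc\hosts) contains only `127.0.0.1 localhost`, so on this kind of machine anything the script reports is worth removing; the removal tools used later in the thread reset that file as part of the fix, and re-running the check afterwards confirms the redirect entries are gone.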
Old 06-17-2011, 11:28 AM   #2
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

__________________
Will Watts is offline  
Old 06-17-2011, 02:44 PM   #3
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hello and welcome to TSF

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back it up now just as a precaution.

------------------------------------------------------

For AVG antivirus and anti-spyware security software users only.

Quote:
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > Uninstall & Remove McAfee, Symantec, Norton, AVG, Avast & More Antivirus and Security Applications and Programs
------------------------------------------------------

Spybot Search & Destroy Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking.

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.

Download ComboFix from one of the following locations:

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable all your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

You can get help on disabling your protection programs here.

Close all open browsers and windows and double click on combofix.exe & follow the prompts.
  • The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
  • ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. It will be a new screen you see on bootup which will last only a few seconds. You do not have to press or do anything for Windows to load normally. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to do so by a helper.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

  • Click on OK, to continue scanning for malware.

** NOTE: Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This, too, is normal.

When finished it will produce a log for you (C:\ComboFix.txt). Please include this log in your next reply.

Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

--------------------------------------------------------
__________________
Will Watts is offline  
Old 06-17-2011, 09:52 PM   #4
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

Thanks for your reply. I will be working through your instructions on Saturday. Please be patient with me. Pop-ups and other issues caused by this bug have slowed things down to a crawl. At times the clouds will clear, though, allowing me to do whatever I want to do for a short time. I hope to be getting things done through a few of these windows of opportunity.
__________________
uptowndowntown is offline  
Old 06-18-2011, 08:37 AM   #5
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi, that's fine.

If you find the computer unusable in normal mode, please boot into Safe Mode with Networking to download and run our tools:

Restart your computer and boot into Safe Mode with Networking by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode with Networking from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.
__________________
Will Watts is offline  
Old 06-18-2011, 03:21 PM   #6
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

ComboFix scan is complete. I attached the logs. I'm still getting pop-ups and a re-direct page at bootup that says the web page cannot be displayed.

ComboFix 11-06-17.04 - User 05/18/2011 17:36:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.752 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\{1D975A5E-1126-4F46-A423-41781934A63E}
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\instance.dat
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\mia.lib
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\24618E3F\611F5CA\Microsoft.VC80.MFC.manifest
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\29A73ACD\3E688669\stb0.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\2A3DCDAF\611F5CA\SkinCrafterDll.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\4DAC9037\611F5CA\gdiplus.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\51B9750F\611F5CA\msvcr80.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\62404B3E\3E688669\FFToolbar.xml
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\879169BE\611F5CA\mfc80.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\9B242A8C\611F5CA\Microsoft.VC80.CRT.manifest
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\C90EEF64\3E688669\AxGifAnimator.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\CC8FDF08\3E688669\OEActiveXDLL.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\F0A80E14\5702F56C\home.juicyaccess.com.url
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\AdwareSetup.exe
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\cfcpxlog.mx
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\HJSetup.exe
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\libiconv2.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\libintl3.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\MsiZap.Exe
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\msvcp60.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\ProductInfo.mx
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\setup.exe
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\sqlite3.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\SSD.exe
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\tbcore.mx
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\tre4.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mIDEWriteReg.dll\mEXEWriteReg.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mMSI.dll\mMSIExec.dll
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\Setup.dat
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\Setup.msi
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\Setup.par
c:\documents and settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\Setup.res
c:\documents and settings\NetworkService\Local Settings\Application Data\vxfkevnpha.exe
c:\documents and settings\NetworkService\Start Menu\Programs\Security Shield.lnk
c:\documents and settings\User\Application Data\MSA
c:\documents and settings\User\Application Data\MSA\download.list
c:\documents and settings\User\Application Data\MSA\w2_0.exe
c:\documents and settings\User\Application Data\Sun\ddee.dat
c:\documents and settings\User\Application Data\Sun\mnj.dat
c:\documents and settings\User\Application Data\Sun\mxd1.txt
c:\documents and settings\User\Application Data\Sun\ppkk.dat
c:\documents and settings\User\Application Data\Sun\uuoo.dat
c:\documents and settings\User\Media
c:\documents and settings\User\Media\CANYON.MID
c:\documents and settings\User\Media\CHIMES.WAV
c:\documents and settings\User\Media\CHORD.WAV
c:\documents and settings\User\Media\DING.WAV
c:\documents and settings\User\Media\Jungle Asterisk.wav
c:\documents and settings\User\Media\Jungle Close.wav
c:\documents and settings\User\Media\Jungle Critical Stop.wav
c:\documents and settings\User\Media\Jungle Default.wav
c:\documents and settings\User\Media\Jungle Error.wav
c:\documents and settings\User\Media\Jungle Exclamation.wav
c:\documents and settings\User\Media\Jungle Maximize.wav
c:\documents and settings\User\Media\Jungle Menu Command.wav
c:\documents and settings\User\Media\Jungle Menu Popup.wav
c:\documents and settings\User\Media\Jungle Minimize.wav
c:\documents and settings\User\Media\Jungle Open.wav
c:\documents and settings\User\Media\Jungle Question.wav
c:\documents and settings\User\Media\Jungle Recycle.wav
c:\documents and settings\User\Media\Jungle Restore Down.wav
c:\documents and settings\User\Media\Jungle Restore Up.wav
c:\documents and settings\User\Media\Jungle Windows Exit.wav
c:\documents and settings\User\Media\Jungle Windows Start.wav
c:\documents and settings\User\Media\LOGOFF.WAV
c:\documents and settings\User\Media\Musica Asterisk.wav
c:\documents and settings\User\Media\Musica Close.wav
c:\documents and settings\User\Media\Musica Critical Stop.wav
c:\documents and settings\User\Media\Musica Default.wav
c:\documents and settings\User\Media\Musica Error.wav
c:\documents and settings\User\Media\Musica Exclamation.wav
c:\documents and settings\User\Media\Musica Maximize.wav
c:\documents and settings\User\Media\Musica Menu Command.wav
c:\documents and settings\User\Media\Musica Menu Popup.wav
c:\documents and settings\User\Media\Musica Minimize.wav
c:\documents and settings\User\Media\Musica Open.wav
c:\documents and settings\User\Media\Musica Question.wav
c:\documents and settings\User\Media\Musica Recycle.wav
c:\documents and settings\User\Media\Musica Restore Down.wav
c:\documents and settings\User\Media\Musica Restore Up.wav
c:\documents and settings\User\Media\Musica Windows Exit.wav
c:\documents and settings\User\Media\Musica Windows Start.wav
c:\documents and settings\User\Media\NOTIFY.WAV
c:\documents and settings\User\Media\PASSPORT.MID
c:\documents and settings\User\Media\RECYCLE.WAV
c:\documents and settings\User\Media\Robotz Asterisk.wav
c:\documents and settings\User\Media\Robotz Close.wav
c:\documents and settings\User\Media\Robotz Critical Stop.wav
c:\documents and settings\User\Media\Robotz Default.wav
c:\documents and settings\User\Media\Robotz Error.wav
c:\documents and settings\User\Media\Robotz Exclamation.wav
c:\documents and settings\User\Media\Robotz Maximize.wav
c:\documents and settings\User\Media\Robotz Menu Command.wav
c:\documents and settings\User\Media\Robotz Menu Popup.wav
c:\documents and settings\User\Media\Robotz Minimize.wav
c:\documents and settings\User\Media\Robotz Open.wav
c:\documents and settings\User\Media\Robotz Question.wav
c:\documents and settings\User\Media\Robotz Recycle.wav
c:\documents and settings\User\Media\Robotz Restore Down.wav
c:\documents and settings\User\Media\Robotz Restore Up.wav
c:\documents and settings\User\Media\Robotz Windows Exit.wav
c:\documents and settings\User\Media\Robotz Windows Start.wav
c:\documents and settings\User\Media\START.WAV
c:\documents and settings\User\Media\TADA.WAV
c:\documents and settings\User\Media\The Microsoft Sound.wav
c:\documents and settings\User\Media\Utopia Asterisk.wav
c:\documents and settings\User\Media\Utopia Close.wav
c:\documents and settings\User\Media\Utopia Critical Stop.wav
c:\documents and settings\User\Media\Utopia Default.wav
c:\documents and settings\User\Media\Utopia Error.wav
c:\documents and settings\User\Media\Utopia Exclamation.wav
c:\documents and settings\User\Media\Utopia Maximize.wav
c:\documents and settings\User\Media\Utopia Menu Command.wav
c:\documents and settings\User\Media\Utopia Menu Popup.wav
c:\documents and settings\User\Media\Utopia Minimize.wav
c:\documents and settings\User\Media\Utopia Open.wav
c:\documents and settings\User\Media\Utopia Question.wav
c:\documents and settings\User\Media\Utopia Recycle.wav
c:\documents and settings\User\Media\Utopia Restore Down.wav
c:\documents and settings\User\Media\Utopia Restore Up.wav
c:\documents and settings\User\Media\Utopia Windows Exit.wav
c:\documents and settings\User\Media\Utopia Windows Start.wav
c:\documents and settings\User\Recent\bsredirect5[1].js.zip
c:\documents and settings\User\Templates\4256o56y1a8o6x33021iv38cljbeoo2456lvgt
c:\program files\INSTALL.LOG
c:\windows\desktop
c:\windows\desktop\buzz_300.asx
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-06-06 01:08 . 2011-06-06 01:08 -------- d-----w- c:\documents and settings\User\Application Data\IObit
2011-06-06 01:08 . 2011-06-06 01:08 -------- d-----w- c:\program files\IObit
2011-06-02 16:37 . 2011-06-02 16:37 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-02 15:44 . 2011-06-02 15:44 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-05-15 23:32 . 2011-05-15 23:32 -------- d-----w- c:\windows\system32\%APPDATA%
2011-05-15 22:47 . 2011-05-15 22:47 389120 ----a-w- c:\windows\system32\igxpun.exe
2011-05-09 02:48 . 2011-05-09 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-08 22:03 . 2011-05-08 22:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-08 13:29 . 2011-05-08 13:30 -------- d-----w- c:\documents and settings\User\Application Data\Axutmu
2011-05-08 13:29 . 2011-05-08 13:29 -------- d-----w- c:\documents and settings\User\Application Data\Suomet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-01-22 16:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-12 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"UpdateFlow.ATT-SST"="c:\program files\ATT-SST\McciBrowser.exe" [2010-07-27 1057792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-7-10 634880]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/12/2010 8:45 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/12/2010 8:45 PM 135664]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [6/15/2009 9:12 PM 264576]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/3/2002 12:57 AM 13532]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 00:45]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyOverride = <local>
IE: Add to AMV/AVI Video Converter... - c:\program files\Media Player Utilities 4.25\AMVConverter\grab.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: motive.com\patttbc.att
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
HKU-Default-RunOnce-vxfkevnpha - c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\vxfkevnpha.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-18 17:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST340014AS rev.3.20 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-17
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8635F31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-05-18 1850 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-18 22:06
.
Pre-Run: 20,260,995,072 bytes free
Post-Run: 21,882,982,400 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4F2DF0873A134BD7DB32ACC559F18C6F
Attached Files
File Type: zip log.zip (4.5 KB, 5 views)
__________________
uptowndowntown is offline  
Old 06-19-2011, 10:24 AM   #7
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi,

What message do the pop-ups give when they appear?
  • Download TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default) NOTE: If Cure is not an option, please select Skip.
  • Click Continue then click Reboot now.
  • Once complete, a log will be produced at the root drive which is typically C:\
    For example, C:\TDSSKiller.2.5.5.0_date_time_log.txt
  • Attach that log, please.
--------------------------------------


Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
dir /a /s "c:\documents and settings\User\Application Data\Axutmu" >peek.txt 
dir /a /s "c:\documents and settings\User\Application Data\Suomet" >>peek.txt 
notepad peek.txt
del %0
Save this as peek.bat, choosing "All Files" as the Save as type, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Copy/paste that information into your next reply, please.
--------------------------------------
__________________
Will Watts is offline  
Old 06-19-2011, 12:57 PM   #8
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

The pop-ups stopped last night. I haven't had any more since I booted up this morning. I'm having trouble starting apps from my desktop now. I can open Internet Explorer after I first boot up, but after the computer has been on for a while nothing happens when I try to open a new page. I am still getting a new page open on its own whenever I do get Internet Explorer to start. Mostly this new page is a Walmart ad, but I am getting re-directed to other places as well.
__________________
uptowndowntown is offline  
Old 06-19-2011, 01:55 PM   #9
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

TDSSKiller scan is complete and the log is attached. The peek.txt log is just below.

Volume in drive C has no label.
Volume Serial Number is F4C3-4E91
Directory of c:\documents and settings\User\Application Data\Axutmu
05/08/2011 09:30 AM <DIR> .
05/08/2011 09:30 AM <DIR> ..
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 21,180,473,344 bytes free
Volume in drive C has no label.
Volume Serial Number is F4C3-4E91
Directory of c:\documents and settings\User\Application Data\Suomet
05/08/2011 09:29 AM <DIR> .
05/08/2011 09:29 AM <DIR> ..
05/08/2011 09:30 AM 92,665 mayp.agr
1 File(s) 92,665 bytes
Total Files Listed:
1 File(s) 92,665 bytes
2 Dir(s) 21,180,469,248 bytes free
Attached Files
File Type: zip TDSSKiller.2.5.5.0_19.05.2011_16.25.16_log.zip (6.9 KB, 7 views)
__________________
uptowndowntown is offline  
Old 06-19-2011, 02:55 PM   #10
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi,

How is the computer behaving now? Are the re-directs gone?

On its run, Combofix deleted several .wav audio files:

Quote:
c:\documents and settings\User\Media\Jungle Asterisk.wav
c:\documents and settings\User\Media\Jungle Close.wav
c:\documents and settings\User\Media\Jungle Critical Stop.wav
These appear to be named as audio files from older versions of Windows. Do you know anything about these files?

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Copy/paste the following bolded text into the File name: field one at a time


    C:\Qoobox\Quarantine\c\documents and settings\User\Media\CANYON.MID.vir
    C:\Qoobox\Quarantine\c\documents and settings\User\Media\Jungle Asterisk.wav.vir
    c:\documents and settings\User\Application Data\Suomet\mayp.agr


  • Click open, then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the link to the results page in your next reply.
--------------------------------------

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • Please post contents of that file in your next reply.
--------------------------------------

After completing the above steps, please also post a new DDS log in your next reply.
__________________
Will Watts is offline  
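The peek.bat listing in post #7 and the VirusTotal step above both come down to the same question: what exactly is sitting in the two dropped folders, and is it known-bad? The script below is an added example (not the helper's code and not part of any tool named in the thread) that does the `dir /a /s` walk and additionally records a SHA-256 per file, so a file can be checked on VirusTotal by hash lookup before anything is uploaded. It reports empty folders too, since an empty Axutmu is itself a finding. The folder layout and file content it builds in a temp directory are constructed stand-ins for the thread's Axutmu and Suomet\mayp.agr, not the real files.

```python
"""
Inventory of suspect directories with per-file SHA-256.

Added example: a cross-platform stand-in for the thread's peek.bat, extended
with hashes for VirusTotal lookup. Directory names and file content in
make_sample_tree() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the dropped mayp.agr; not real file content.
SAMPLE_CONTENT = b"constructed sample payload - not a real file\n" * 32


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(roots):
    """Walk each root (the equivalent of `dir /a /s`) and return one record per file.
    Empty directories and missing roots are reported as records of their own."""
    records = []
    for root in roots:
        if not os.path.isdir(root):
            records.append({"path": root, "kind": "missing"})
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            if not dirnames and not filenames:
                records.append({"path": dirpath, "kind": "empty-dir"})
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                records.append({
                    "path": full,
                    "kind": "file",
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                                     .isoformat(timespec="seconds"),
                    "sha256": hash_file(full),
                })
    return records


def make_sample_tree():
    """Build a throwaway tree mirroring the thread's two folders: an empty
    Axutmu and a Suomet containing mayp.agr. Returns (root, [folder paths])."""
    root = tempfile.mkdtemp(prefix="peek-")
    axutmu = os.path.join(root, "Axutmu")
    suomet = os.path.join(root, "Suomet")
    os.mkdir(axutmu)
    os.mkdir(suomet)
    with open(os.path.join(suomet, "mayp.agr"), "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return root, [axutmu, suomet]


def report(records):
    """Render records as text, one line per entry, ready to paste into a reply."""
    lines = []
    for r in records:
        if r["kind"] == "file":
            lines.append(f"{r['mtime']}  {r['size']:>10,}  {r['sha256']}  {r['path']}")
        else:
            lines.append(f"{'':25}  {r['kind']:>10}  {'':64}  {r['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    _, folders = make_sample_tree()
    print(report(inventory(folders)))
```

The hash column is the piece peek.bat cannot give you: pasting a SHA-256 into VirusTotal's search tells you whether the file has already been analysed without sending it anywhere.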
Old 06-19-2011, 05:55 PM   #11
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

HI!
The computer behaves pretty much like normal, now. No redirects in Google, no Internet Explorer pages opening on their own and the desk top is back in operation. Also, everything is very speedy now.
I'm not sure about the deleted wave files. They may have come from my old computer, maybe from this one. I had most of my old computer loaded onto this machine when I bought it second hand a few years ago.
I'll get the new logs to you shortly.
__________________
uptowndowntown is offline  
Old 06-19-2011, 06:21 PM   #12
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

Virus Total Results:
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal - Free Online Virus, Malware and URL Scanner
__________________
uptowndowntown is offline  
Old 06-20-2011, 08:51 AM   #13
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

Here are the results of the mbam and DDS scans you asked for.
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Run by User at 11:41:13 on 2011-05-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.642 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wuauclt.exe
svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - AT&&T Toolbar
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [UpdateFlow.ATT-SST] c:\program files\att-sst\mccibrowser.exe -appkey=att-sst -url=file://c:\program files\att-sst\offlineupdate\redirector.htm
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to AMV/AVI Video Converter... - c:\program files\media player utilities 4.25\amvconverter\grab.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{67A0532C-0894-439E-920A-CAEE57ACE2A6} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-12 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-20 39984]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2009-6-15 264576]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-3 13532]
.
=============== Created Last 30 ================
.
2011-06-06 01:08:12 -------- d-----w- c:\documents and settings\user\application data\IObit
2011-06-06 01:08:09 -------- d-----w- c:\program files\IObit
2011-06-02 16:37:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-02 16:37:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-20 15:23:00 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-05-20 15:22:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-20 15:22:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-20 15:22:34 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-20 15:22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-18 21:28:31 -------- d-sha-r- C:\cmdcons
2011-05-18 21:22:32 98816 ----a-w- c:\windows\sed.exe
2011-05-18 21:22:32 518144 ----a-w- c:\windows\SWREG.exe
2011-05-18 21:22:32 256512 ----a-w- c:\windows\PEV.exe
2011-05-18 21:22:32 208896 ----a-w- c:\windows\MBR.exe
2011-05-15 23:32:35 -------- d-----w- c:\windows\system32\%APPDATA%
2011-05-15 22:47:19 389120 ----a-w- c:\windows\system32\igxpun.exe
2011-05-14 01:11:54 641536 ----a-w- c:\program files\common files\microsoft shared\vc\msdia80.dll
2011-05-08 13:29:13 -------- d-----w- c:\documents and settings\user\application data\Suomet
2011-05-08 13:29:13 -------- d-----w- c:\documents and settings\user\application data\Axutmu
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:42:19.48 ===============
Attached Files
File Type: txt mbam-log-2011-05-20 (11-38-14).txt (11.2 KB, 2 views)
File Type: zip attach.zip (3.5 KB, 5 views)
__________________
uptowndowntown is offline  
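The DDS report above lists every Run-key autostart, and the only sign of the infection in the earlier ComboFix log was a RunOnce value pointing into the NetworkService profile's Local Settings folder. The script below is an added example (not DDS, ComboFix, or the helper's code) that parses DDS `uRun`/`mRun`/`dRun` lines and flags any entry whose executable lives in a user-writable profile location, or anywhere outside Program Files and Windows. The sample lines are constructed from this thread's DDS output; the `dRunOnce` line for vxfkevnpha.exe is the ComboFix orphan rewritten in DDS syntax, since DDS itself never saw it.

```python
"""
Autostart triage for a DDS "Pseudo HJT Report".

Added example, not code from the thread or from DDS. Flags run-key entries
whose executable sits where a standard user can write, which is where the
redirect trojan in this thread (vxfkevnpha.exe) was parked.
"""
import re

# Path fragments, lower-cased, inside a user profile and writable without
# admin rights. 8.3 short forms are included because ComboFix and DDS print them.
USER_WRITABLE = (
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\",
    "\\locals~1\\",
    "\\temp\\",
)

# One DDS run line: "<hive>Run[Once]: [<value name>] <command line>"
RUN_LINE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Unquoted paths contain spaces, so the image path is cut after the
# executable extension rather than at the first space.
EXT_END = re.compile(r"\.(?:exe|com|bat|cmd|scr|dll)\b", re.IGNORECASE)


def extract_image_path(cmd):
    """Return the executable path from a run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_END.search(cmd)
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]


def classify(path):
    """Return a reason string if the image path is suspicious, else None."""
    low = path.lower().replace("/", "\\")
    if any(frag in low for frag in USER_WRITABLE):
        return "user-writable profile location"
    trusted_roots = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
    if not low.startswith(trusted_roots):
        return "outside Program Files and Windows"
    return None


def triage_run_entries(lines):
    """Parse DDS run lines; return (hive, name, path, reason) for flagged entries."""
    flagged = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # BHO:, TB:, DPF: and other line types are ignored here
        path = extract_image_path(m.group("cmd"))
        reason = classify(path)
        if reason:
            flagged.append((m.group("hive"), m.group("name"), path, reason))
    return flagged


# Constructed sample modelled on the DDS log in this thread. The dRunOnce
# line is the ComboFix "ORPHANS REMOVED" entry written in DDS syntax.
SAMPLE_DDS_LINES = [
    "uRun: [SpybotSD TeaTimer] c:\\program files\\spybot - search & destroy\\TeaTimer.exe",
    'uRun: [swg] "c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe"',
    "uRun: [UpdateFlow.ATT-SST] c:\\program files\\att-sst\\mccibrowser.exe -appkey=att-sst "
    "-url=file://c:\\program files\\att-sst\\offlineupdate\\redirector.htm",
    'uRun: [MSMSGS] "c:\\program files\\messenger\\msmsgs.exe" /background',
    "mRun: [IgfxTray] c:\\windows\\system32\\igfxtray.exe",
    "dRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "dRunOnce: [vxfkevnpha] c:\\docume~1\\networ~1\\locals~1\\applic~1\\vxfkevnpha.exe",
    "BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - "
    "c:\\progra~1\\spybot~1\\SDHelper.dll",
]

if __name__ == "__main__":
    for hive, name, path, reason in triage_run_entries(SAMPLE_DDS_LINES):
        print(f"{hive:8} [{name}] {path}\n         -> {reason}")
```

Every legitimate entry in this thread's log lives under Program Files or Windows, so only the constructed vxfkevnpha line is flagged. The location check is a heuristic, not proof of malice: a flagged entry is a candidate to look up, not an automatic deletion.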
Old 06-20-2011, 08:55 AM   #14
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

All that I can see seems normal now, EXCEPT: just after boot-up each time, an Internet Explorer message opens up saying that IE can't display the page. All I have to do is close this message and go on about business. Just thought you should know.
__________________
uptowndowntown is offline  
Old 06-20-2011, 10:41 AM   #15
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

New Virus Total results:
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal - Free Online Virus, Malware and URL Scanner
__________________
uptowndowntown is offline  
Old 06-20-2011, 10:42 AM   #16
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi,

When the IE page opens, what address does it try to connect to? (Please edit the address to hxxp when posting live links.)


As we've had to uninstall AVG to allow Combofix to run, please install this free antivirus from Microsoft. If you wish to reinstall AVG, please do so after we've finished here as it will interfere with the removal of Combofix.

Microsoft Security Essentials

----------------------

In previous logs there was evidence of the program Advanced SystemCare 4. Has this been uninstalled since?

We discourage the use of registry cleaners, such as this program, as they can cause serious damage to your computer whilst giving very little benefit.

--------------------------

Uninstall the following via the Programs and Features Panel (Start->Control Panel->Add or Remove Programs):

J2SE Runtime Environment 5.0 Update 17

These are all outdated and are security risks if left installed. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 6 Update 23, by going to Control Panel and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
--------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
--------------------------------------
__________________
Will Watts is offline  
Old 06-20-2011, 05:52 PM   #17
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

HI
Advanced SystemCare 4 is gone as far as I know. I uninstalled it in preparation for getting in touch with you.
Java was up-dated
I installed Microsoft Security Essentials but turned off the real time scanning before running ESET scan. The log from that scan is below.
I'll have to reboot to see that start-up page again. I'll describe it in the next post.
As far as I can tell, things are back to or better than before the problem; maybe better than ever. I suppose most of that is due to AVG not running in the background while I worked through this with you.
Results of ESET scan:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=b544914c3bf3944a8176f2e56610a8a2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-21 12:28:03
# local_time=2011-05-20 08:28:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 42 87 0 17043529 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=88059
# found=7
# cleaned=0
# scan_time=2668
C:\Documents and Settings\User\Local Settings\Application Data\msrwmdev\msrwmdev.dll a variant of Win32/Agent.QHQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\My Documents\New Folder\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\29A73ACD\3E688669\stb0.dll.vir a variant of Win32/Adware.DoubleD.AB application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{5EA804FD-5E7A-4405-A638-CAFBD22489D9}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi.vir a variant of Win32/Adware.DoubleD.AL application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\vxfkevnpha.exe.vir a variant of Win32/Kryptik.PEW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\MSA\w2_0.exe.vir a variant of Win32/Agent.QHQ trojan (unable to clean) 00000000000000000000000000000000 I
E:\Back-Up\My Docs\New Folder\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
__________________
uptowndowntown is offline  
Old 06-20-2011, 06:04 PM   #18
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

Just before the IE "can't read" message appears, a page tries to open up that looks like it is going to something like redirect.com. It's hard to tell; that first page is only up for a split second before the "can't read" message comes up. The title bar at the top is all that really has a chance to display. There is an icon by the title that looks like one ATT uses. All this happens about 5 to 10 seconds after the desktop shows up at start-up.
__________________
uptowndowntown is offline  
Old 06-21-2011, 09:31 AM   #19
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64


Re: Google redirect virus problem

Hi,

I'm glad the computer is running better; recent versions of AVG have become a bit bloated.

--------------------------------------
Several of the ESET findings are files that have been quarantined by Combofix. We will deal with the ones that haven't been now.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Delete the following files and folder if they still exist.
File: C:\Documents and Settings\User\My Documents\New Folder\registrybooster.exe
File: E:\Back-Up\My Docs\New Folder\registrybooster.exe
Folder: C:\Documents and Settings\User\Local Settings\Application Data\msrwmdev
--------------------------------------


The IE error looks like it might be your AT&T security program trying to update. As it's failing to update, I will remove the entry for the updater.

Please open notepad and copy/paste the contents of the following Codebox:

Code:
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateFlow.ATT-SST"=-

Save this as fix.reg, choosing "All Files" as the Save as type, then close the Notepad file.

Double-click on fix.reg and allow it to run.
--------------------------------------

Please reboot and let me know if this has fixed the issue, as well as any outstanding issues on the machine.
__________________
Will Watts is offline  
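The fix above deletes one value from the HKCU Run key (in a REGEDIT4 file, `"Name"=-` removes that value). As an added example that is not part of this thread, the following PowerShell script lists the Run entries in HKCU and HKLM, resolves each command line to its executable, and flags entries whose target is missing or unsigned, so a dead or unexpected autorun can be reviewed before a .reg like the one above removes it. The function names and the list of keys are my own choices; it uses only built-in cmdlets and runs on PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): triage Run-key autostart entries before editing them.
function Get-RunEntryExecutable {
    # Extract the executable path from a Run value's command line, which may be
    # quoted ("C:\Program Files\x\y.exe" /flag) or unquoted with trailing arguments.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: take everything up to the first executable-looking extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunEntryReport {
    # Keys to inspect; the HKCU one is the key the fix.reg above edits.
    param([string[]]$Keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'))
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider bookkeeping, not a Run value
            $exe = Get-RunEntryExecutable -Command ([string]$prop.Value)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sig = 'n/a'
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Command = $prop.Value
                Target = $exe; Exists = $exists; Signature = $sig
                # What a malware helper looks at first: a target that no longer exists
                # (a dead entry such as a failing updater) or an unsigned binary.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-RunEntryReport | Sort-Object Suspicious -Descending |
    Format-Table Name, Exists, Signature, Target -AutoSize
```

Entries that name a binary without a path (resolved through PATH at logon) show up as missing here, and "unsigned" is a prompt to look closer rather than proof of anything: many legitimate older programs ship unsigned.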
Old 06-21-2011, 10:42 AM   #20
Registered Member
 
Join Date: Jun 2011
Posts: 35
OS: windows XP pro


Re: Google redirect virus problem

Okay, that took care of the AT&T/IE thing at start-up. As far as I can tell, all is well here now. Words cannot tell how much I appreciate your help through this mess.
Is there anything else?
Will the Microsoft security program be enough to replace my old AVG 2011?
What more can I do to help keep this from happening again?

__________________
uptowndowntown is offline  