Virus- Trojan? Redirects searches

amandabanana540 · 06-14-2009, 09:47 AM

I use Windows XP SP 3 and use Firefox as my web browser. I currently use AVG anit-virus and ZoneAlarm Firewall.
The computer was acting strangly- whenever I clicked a link in google, I would immediatley be redirected, no matter what the website was. The website I was redirected to varied, but was always an advertisment or store of some sorts, and the picture next to the web adress was always the same (a green icon with a swirly line through the middle).
I ran AVG antivirus and it found a trojan which it said it had deleted. The same thing continued happening even after I rebooted. I ran AVG again and it doens't detect anything. I have also ran Ad-Aware as well as a few other anti-virus/malware programs. Nothing is being detected.
I cleaned out my cache and temporary internet files using CCleaner. I am still being redirected and have also had my computer blue screen. I am currently using internet explorer and still having the same problem.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Amanda R at 12:26:20.29 on Sun 06/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.756 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\PROGRA~1\yahoo\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amanda R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "d:\program files\yahoo\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\jp2iexp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237256419796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237256378953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda~1\applic~1\mozilla\firefox\profiles\mqfxmvf3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gaiaonline.com
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=108&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\amanda r\application data\mozilla\firefox\profiles\mqfxmvf3.default\extensions\createandprint@ag.com\platform\winnt_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\documents and settings\amanda r\application data\mozilla\firefox\profiles\mqfxmvf3.default\extensions\flashplugin@idm\platform\winnt\plugins\npidmdcp.dll
FF - plugin: d:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-13 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-13 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-13 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-5-24 127768]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-6-24 394952]
R2 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-13 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-25 1373480]
R3 icm12blk;Intel(r) PC Camera CS780 Image Storage;c:\windows\system32\drivers\icm12blk.sys [2007-1-6 14184]
R3 icm12fil;Intel(r) CS780 Audio Filter Driver;c:\windows\system32\drivers\icm12fil.sys [2007-1-6 16312]
R3 ICM12USB;Intel(r) PC Camera CS780;c:\windows\system32\drivers\ICM12USB.sys [2007-1-6 428152]
R3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [2007-5-22 27776]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\usbicp.sys --> c:\windows\system32\drivers\usbicp.sys [?]

=============== Created Last 30 ================

2009-06-13 23:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-13 23:14 <DIR> --d----- c:\docume~1\amanda~1\applic~1\SUPERAntiSpyware.com
2009-06-13 23:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-13 22:18 <DIR> --d----- c:\docume~1\amanda~1\applic~1\Malwarebytes
2009-06-13 22:18 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 22:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-13 22:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-13 09:55 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-13 09:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-13 09:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-13 09:41 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-13 09:41 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-13 09:41 <DIR> --d----- c:\program files\AVG
2009-05-17 20:45 140,488 a------- c:\windows\system32\COMDLG32.OCX
2009-05-17 20:45 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-05-17 20:45 <DIR> --d----- c:\program files\FriendBlasterPro

==================== Find3M ====================

2009-06-13 17:18 43,911,200 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-13 17:18 433,784 ac-sh--- c:\windows\system32\drivers\fidbox.idx
2007-06-22 23:12 87,608 a------- c:\docume~1\amanda~1\applic~1\inst.exe
2007-06-22 23:12 47,360 a------- c:\docume~1\amanda~1\applic~1\pcouffin.sys
2007-06-16 09:30 476,752 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-06-18 13:23 88 ---shr-- c:\windows\system32\D51A9D8C16.sys
2007-06-18 13:24 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-05-24 17:01 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052420080525\index.dat

============= FINISH: 12:28:09.32 ===============

**amateur** · 06-14-2009, 06:51 PM

Hello and welcome to TSF.

Please note that the fix may require more than one round to properly eradicate. Stay with me until you're given the "all clear", even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions in the order they are presented, and please do no self-fixing or running of scanners unless requested by me or another helper at this forum.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

===================================

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute file without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

============================

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

How to disable AVG

Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.

* Click on Tools.
* Select Advanced Settings.
* In the left hand pane, scroll down to "Resident Shield".
* In the main pane, deselect the option to "Enable Resident Shield."
* To re-enable AVG 8, please select "Enable Resident Shield" again.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done

How to disable your security applications

amandabanana540 · 06-14-2009, 07:15 PM

thanks so much for helping out!

ComboFix 09-06-14.02 - Amanda R 06/14/2009 22:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1076 [GMT -4:00]
Running from: c:\documents and settings\Amanda R\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amanda R\Application Data\inst.exe
c:\windows\system\msvbvm60.dll
c:\windows\system32\drivers\SKYNETfdamlthr.sys
c:\windows\system32\MabryObj.dll
c:\windows\system32\SKYNETemoxxrjp.dll
c:\windows\system32\SKYNETkyiratnp.dat
c:\windows\system32\SKYNETndgskxaa.dll
c:\windows\system32\SKYNETooxphhgn.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNEThcbinxqv

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-14 03:15 . 2009-06-14 13:48 117760 ----a-w- c:\documents and settings\Amanda R\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-14 03:14 . 2009-06-14 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-14 03:14 . 2009-06-14 03:14 -------- d-----w- c:\documents and settings\Amanda R\Application Data\SUPERAntiSpyware.com
2009-06-14 03:12 . 2009-06-14 03:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 03:11 . 2009-06-14 03:11 152576 ----a-w- c:\documents and settings\Amanda R\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-14 02:18 . 2009-06-14 02:18 -------- d-----w- c:\documents and settings\Amanda R\Application Data\Malwarebytes
2009-06-14 02:18 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 02:18 . 2009-06-14 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-14 02:18 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 13:55 . 2009-06-14 13:54 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-13 13:41 . 2009-06-13 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-13 13:41 . 2009-06-13 13:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-13 13:41 . 2009-06-13 13:41 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-13 13:41 . 2009-06-13 13:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-13 13:41 . 2009-06-14 21:56 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-13 13:41 . 2009-06-13 13:41 -------- d-----w- c:\program files\AVG
2009-05-30 16:59 . 2009-05-26 23:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-18 00:45 . 2000-07-15 04:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-05-18 00:45 . 2009-05-18 00:48 -------- d-----w- c:\program files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 02:11 . 2008-12-25 19:50 -------- d-----w- c:\documents and settings\Amanda R\Application Data\WTablet
2009-06-15 02:11 . 2008-12-26 00:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-06-14 13:29 . 2007-01-06 20:09 -------- d-----w- c:\program files\Java
2009-06-14 03:13 . 2008-09-13 16:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-13 21:20 . 2009-01-18 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-06-13 21:18 . 2007-06-24 15:23 43911200 -csha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-13 21:18 . 2007-06-24 15:23 433784 -csha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-06 16:26 . 2008-01-16 23:01 12369382 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-30 16:59 . 2008-01-21 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-21 02:48 . 2008-09-09 21:41 -------- d-----w- c:\documents and settings\Amanda R\Application Data\U3
2009-05-19 05:36 . 2009-06-14 13:57 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-14 13:57 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-14 13:57 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-14 13:57 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-14 13:57 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-14 13:57 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-14 13:57 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-14 13:57 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-09 17:49 . 2009-05-09 17:48 -------- d-----w- c:\documents and settings\Amanda R\Application Data\Webcammax
2009-03-19 00:29 . 2007-01-06 17:03 37472 ----a-w- c:\documents and settings\Amanda R\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-18 17:23 . 2007-06-16 13:29 88 --sh--r- c:\windows\system32\D51A9D8C16.sys
2007-06-18 17:24 . 2007-06-16 13:29 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="d:\program files\yahoo\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"ZoneAlarm Client"="d:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 919016]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-13 1948440]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-13 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"d:\\Program Files\\yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/13/2009 9:41 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/13/2009 9:41 AM 108552]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [6/13/2009 9:41 AM 298776]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/25/2008 3:49 PM 1373480]
R3 icm12blk;Intel(r) PC Camera CS780 Image Storage;c:\windows\system32\drivers\icm12blk.sys [1/6/2007 3:11 PM 14184]
R3 icm12fil;Intel(r) CS780 Audio Filter Driver;c:\windows\system32\drivers\icm12fil.sys [1/6/2007 3:11 PM 16312]
R3 ICM12USB;Intel(r) PC Camera CS780;c:\windows\system32\drivers\ICM12USB.sys [1/6/2007 3:11 PM 428152]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1957994488-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:01,02,b7,c6,52,c3,6b,8d,6b,d6,61,38,21,2d,d8,51,eb,12,af,0d,f6,
fe,e1,6a,97,76,e0,b5,47,11,a6,ef,7a,31,42,6b,a6,52,a1,e7,cf,91,e4,9c,7d,11,\
"rkeysecu"=hex:fe,4a,93,a1,67,31,b2,05,34,1f,2a,1a,c4,45,76,3b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-15 22:16
ComboFix-quarantined-files.txt 2009-06-15 02:16

Pre-Run: 292,429,824 bytes free
Post-Run: 273,403,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

170

**amateur** · 06-14-2009, 07:26 PM

Hi,

Combofix did an excellent job. The redirects should have stopped now, but we have a little more work to do.

It's important to check for any remnants.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Also, let me know how your computer is running now.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

p.s. Please don't attach the logs unless specifically asked to do so.

amandabanana540 · 06-14-2009, 07:50 PM

I am getting an error that the Java applet failed to start when I try to download Kaspersky. My Java is the newest version, and I tried restarting my computer.

Otherwise, things seem to be running fine. No more redirects have occured.

**amateur** · 06-14-2009, 07:57 PM

In IE > Go to Tools > Internet Options > Advanced tab. Click Reset then OK and exit IE 7.

Re-open IE 7 and ensure the Java add-ons are enabled.

http://i28.photobucket.com/albums/c2...y_Java-err.gif

If still not able to run Kaspersky, try the following scanner:

Panda ActiveScan

Click on Scan Your PC Now
A "pop up" window will appear, or a new tab will open.
Click on Register
Choose the option you like most, but we recommend the Free Registration.
Click on Register
Enter your e-mail address, and create a password.
Select "I do not want to receive any type of information". (unless you want to receive such information)
Click on Send
Confirm registration, and continue by entering your user name and password, then click on Enter
Select Full Scan, then Click on Scan Now
Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
Please ignore the offer to buy the program. Click on Export To
Export the log and save it to your desktop.
Please attach the contents of that log to your reply, along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

amandabanana540 · 06-15-2009, 06:27 AM

Hmmm...I'm not sure why, but I can't use panda either. When it gets to the updating stage this message flashes "Sorry, updating is incomplete due to an error. Please try again." I've tried multiple times and the same thing happens. I still get the error in Kapersky that says the Java applet failed to start, and everything for Java is enabled in manage apps.

**amateur** · 06-15-2009, 07:32 AM

Hi,

Sorry that you're having a hard time with the online scanners, but it's important to check if there are any leftovers. Which browser are you using, IE, FireFox or another? Sometimes it helps to change the browser. Your version of java is slightly out of date. Try updating it. It can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

If you're still having problems, try this one with IE. I hope it'll work this time.

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

amandabanana540 · 06-15-2009, 08:08 AM

After updating Java I was able to get Panda to work. Here are the results along with the HijackThis log that was requested.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-06-15 11

47
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@atdmt[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@fastclick[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@apmebf[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@advertising[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@adrevolver[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Amanda R\Cookies\amanda_r@atwola[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{D4C07792-FF2D-44A3-BAF5-D57E34A26CEF}\RP669\A0163227.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETfdamlthr.sys.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETemoxxrjp.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETndgskxaa.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{D4C07792-FF2D-44A3-BAF5-D57E34A26CEF}\RP669\A0163209.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{D4C07792-FF2D-44A3-BAF5-D57E34A26CEF}\RP669\A0163210.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{D4C07792-FF2D-44A3-BAF5-D57E34A26CEF}\RP669\A0163211.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location c
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description c
;===================================================================================================================================================================================
208380 HIGH MS09-015 c
208379 HIGH MS09-014 c
208378 HIGH MS09-013 c
208377 HIGH MS09-012 c
206981 HIGH MS09-007 c
206980 HIGH MS09-006 c
205735 HIGH MS09-002 c
204670 HIGH MS09-001 c
203806 HIGH MS08-078 c
203508 HIGH MS08-073 c
203505 HIGH MS08-071 c
201258 HIGH MS08-066 c
201255 HIGH MS08-063 c
201253 HIGH MS08-061 c
201250 HIGH MS08-058 c
209273 HIGH MS08-045 c
196455 MEDIUM MS08-037 c
194861 HIGH MS08-031 c
;===================================================================================================================================================================================

**amateur** · 06-15-2009, 09:15 AM

Hi,

Panda found some tracking cookies and files in the System Restore cache and the quarantine folders of Combofix which will be cleared when Combofix is uninstalled shortly. But, it also reports some vulnerabilities in the system. You need to update Windows as soon as possible.

I didn't need the HijackThis. I am sorry to have asked you to do an extra unnecessary step. Somehow, the part about HijackThis didn't get removed from the instructions.

Tracking cookies are small files that store information about what sites you visit online. Advertisers use these for statistical analysis and to target ads that you would be more likely to click on. They're not dangerous in and of themselves, per se, but are definitely a good idea to remove periodically.

They are not the normal, everyday cookies which are used for everything from saving form data to your login information for a particular site.

Here is some reference to cookies (it also tells you how to manage them):

http://www.microsoft.com/info/cookies.mspx

http://support.microsoft.com/default...b;en-us;260971

You can block the third party cookies if you'd like:

To block Third party cookies with IE:

1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced button .
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.

=================================

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Code:

REGEDIT4

[-HKEY_CLASSES_ROOT\VBRAD.TRAYICON]

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

=====================================

If you have no further malware issues, you're all set to go.

Click Start then Run
Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!

amandabanana540 · 06-15-2009, 09:30 AM

Thanks tons! Everything seems to be working fine. One question: can I delete fixreg.reg from my desktop or does it need to remain there?

**amateur** · 06-15-2009, 09:44 AM

Hi,

You're welcome. Glad to hear that everything is working fine. You can delete the fixreg.reg.