davenuss

This has been happening on and off for about a month now, as I thought I had it fixed, but I either did not or they reverted. In FF 3.0, whenever I do a search (in Google, mainly). my search results take me to a different site. I've been able to "get around" the problem by "over-clicking" (clicking continuously until I am taken to the page I searched for), but aside from the fact its retarded to not address this, I now am taken to sites that are getting flagged by my Malwarebytes program as a bad site. No matter how many times I scan my computer, either in my admin account, the other accounts on this machine, or in Windows Safe Mode, I can't remove this nuisance. Can you help?

I have a Dell 8400 running Windows XP SP3. As far as anti-virus/anti-spyware goes, I am running Malwarebytes Anti-Malware 1.4, AVG Free 8.5, and I have Spybot on my computer that I run on demand when I think it might help.

And for the sake for "full disclosure", I tried to edit the users names on this machine. So if you see "USERNAME" in the log files, that's where I made the edit.

Anything you can do to assist is appreciated. Thanks in advance.

Dave



DDS (Ver_09-07-30.01) - NTFSx86
Run by David Nusspickel at 21:51:32.06 on Sun 08/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.470 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USERNAME\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181091615324
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
LSA: Notification Packages = scecli c:\windows\system32\kupusalo.dll c:\windows\system32\wujeluhe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidn~1\applic~1\mozilla\firefox\profiles\sq1g8p23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NP2020Player.dll
FF - plugin: c:\windows\system32\20-20 technologies\20-20 3d viewer\NP2020Player.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-6 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-19 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-25 298776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-6 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-6 19096]
S2 218906848415EFF8;218906848415EFF8;\??\c:\documents and settings\USERNAME\desktop\218906848415eff8\218906848415eff8 --> c:\documents and settings\USERNAME\desktop\218906848415eff8\218906848415EFF8 [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-6-17 26488]

=============== Created Last 30 ================

2009-07-26 19:29 1,856 a------- c:\windows\system32\tmp.reg

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 13:28 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 20:29 389,120 a------- c:\windows\system32\CF25937.exe
2009-06-25 18:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-03-31 21:56 3,932 a------- c:\docume~1\davidn~1\applic~1\LMLayout.dat
2009-03-31 21:56 268 a------- c:\docume~1\davidn~1\applic~1\LMCPaper.dat

============= FINISH: 21:53:10.62 ===============

Attached Files

	Attach.zip.zip (5.6 KB, 3 views)
	DDS.txt (7.0 KB, 2 views)

Glaswegian

Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so.




Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.

davenuss

Thanks for the help. See the logfile attached.

Attached Files

combofix.txt (12.4 KB, 2 views)

Glaswegian

Hi again

How is your system running now?

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.



Online Scan
Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

davenuss

Thanks for the response.

My computer seems to be the same, if not better, but nothing too noticeable either way. Were you able to see anything wrong?

Unfortunately I'll be off line through Sunday, so I'll follow through on this then and I'll get back to you w/ feedback/results. Thanks again.

Glaswegian

There were a few bad files and a rootkit, but they are gone now. Post the logs whenever you can - I'll be here.

davenuss

I'm back. See the files attached. Thanks again.

ComboFix 09-08-22.06 - USER1 08/23/2009 20:56.6.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.535 [GMT -4:00]
Running from: c:\documents and settings\USER1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER1\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"C:\b830cfbe6f1e2579f7"
"c:\windows\SYSTEM32\tttss.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\SYSTEM32\tttss.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_218906848415EFF8
-------\Service_218906848415EFF8


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-23 23:33 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-23 23:33 . 2009-08-23 23:33 -------- d-----w- c:\program files\Panda Security
2009-08-17 03:31 . 2009-08-17 03:31 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-17 03:31 . 2009-08-17 03:31 -------- d-----w- c:\program files\MSBuild
2009-08-17 03:31 . 2009-08-17 03:31 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 03:30 . 2009-08-17 03:31 -------- d-----w- C:\b830cfbe6f1e2579f7
2009-08-17 03:30 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-17 03:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-17 03:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-17 03:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-17 03:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-17 03:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-17 03:30 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-17 02:31 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 02:46 . 2009-08-08 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 23:31 . 2009-08-02 23:31 -------- d-----w- c:\documents and settings\USER3\Local Settings\Application Data\Help
2009-07-29 04:37 . 2009-07-29 04:37 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 16:05 . 2009-02-03 03:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 16:05 . 2008-12-07 03:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 16:05 . 2008-12-07 03:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 00:23 . 2005-05-18 03:40 50312 ----a-w- c:\documents and settings\USER1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 22:33 . 2008-12-07 23:22 50312 ----a-w- c:\documents and settings\USER2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:25 . 2008-03-21 13:07 50312 ----a-w- c:\documents and settings\USER3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:25 . 2008-11-08 02:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 15:21 . 2008-12-07 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 15:20 . 2008-12-07 01:41 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-07 00:23 . 2007-06-22 23:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-12-07 01:41 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-12-07 01:41 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 01:01 . 2009-07-06 21:20 -------- d-sh--w- c:\documents and settings\USER3\Application Data\lowsec
2009-08-02 22:09 . 2009-07-07 00:55 -------- d-sh--w- c:\documents and settings\USER2\Application Data\lowsec
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\documents and settings\USER3\Application Data\Malwarebytes
2009-07-04 22:36 . 2009-07-04 22:36 -------- d-----w- c:\documents and settings\USER2\Application Data\Malwarebytes
2009-06-26 16:50 . 2004-08-04 10:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-04 10:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_00.03.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-12 12:55 . 2009-08-18 00:23 72576 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-05-12 12:55 . 2009-08-19 00:07 72576 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-05-12 12:55 . 2009-08-19 00:07 445370 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-05-12 12:55 . 2009-08-18 00:23 445370 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 16:05 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\LMpdpsrv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [8/23/2009 7:33 PM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/6/2008 11:24 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/19/2009 8:12 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 6:05 PM 297752]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/6/2008 9:41 PM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/6/2008 9:41 PM 19096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for USER1.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-07 17:36]

2009-08-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for USER1.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-07 17:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\USER1\Application Data\Mozilla\Firefox\Profiles\sq1g8p23.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NP2020Player.dll
FF - plugin: c:\windows\system32\20-20 Technologies\20-20 3D Viewer\NP2020Player.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 21:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2408156893-1484086533-3868464913-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-24 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 01:06
ComboFix2.txt 2009-08-19 00:07
ComboFix3.txt 2008-01-22 02:47

Pre-Run: 52,983,476,224 bytes free
Post-Run: 52,946,620,416 bytes free

178 --- E O F --- 2009-08-17 03:38

Attached Files

	combofix-02.txt (11.8 KB, 2 views)
	ActiveScan.txt (4.9 KB, 1 views)

Glaswegian

Looks good - how is your system running now? Are your search results still being re-directed?

davenuss

It's better. The search results are no longer being redirected. I think we're good. THANK YOU!!!

Glaswegian

Hi again

That’s good to hear. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware 2008 Free Edition
Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.



SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Chrome
Maxthon
Safari

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm



Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.


ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.