Search engine Hijacker

[HollyKilpatrick]

Windows XP HOme sp3. Firefox browser. AVG virus software. Ad-Aware. Malbytes Antimalware. Problem: Clicking on any google item redirects to some undesired page. Yahoo search engine does the same thing. The first time I hit Scan in Gmer.exe, I got the blue screen, a problem has been detected and windows has shut down, etc. The message was Driver_IRQL_not_less_or_equal. I don't know if this is related to the virus problem or not. I rebooted, and ran gmer.exe with nothing open, and it ran. Ark.zip attached. Here is DDS.txt:

DDS (Ver_09-03-16.01) - NTFSx86
Run by User1 at 6:44:28.09 on 2009-06-21
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.732 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\User1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open using &Advanced JPEG Compressor - c:\program files\advanced jpeg compressor\ajcieex.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: heritagequestonline.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: umi.com
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} - hxxp://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax4227.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: SystemCheck2 - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli nouing.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\zyr62jz5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.freerepublic.com/focus/f-news/browse
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {BF80861B-066E-4939-AD19-BF3BF3DF7266} - c:\documents and settings\user1\local settings\application data\{BF80861B-066E-4939-AD19-BF3BF3DF7266}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-27 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2007-3-21 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2007-3-21 119864]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-13 195856]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2007-3-21 36188]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-13 19096]
S2 olwlvjejwikg;olwlvjejwikg;\??\c:\windows\system32\drivers\xlgvwll.sys --> c:\windows\system32\drivers\xlgvwll.sys [?]
S2 XEXITAUI;XEXITAUI;\??\c:\windows\system32\xexitaui.goy --> c:\windows\system32\xexitaui.goy [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-26 33752]

=============== Created Last 30 ================

2009-06-14 06:43 <DIR> --d----- c:\windows\system32\scripting
2009-06-14 06:43 <DIR> --d----- c:\windows\system32\en
2009-06-14 06:43 <DIR> --d----- c:\windows\l2schemas
2009-06-14 06:40 <DIR> --d----- c:\windows\network diagnostic
2009-06-14 06:10 127 a------- c:\windows\system32\MRT.INI
2009-06-13 21:29 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-13 21:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 06:46 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-12 03:16 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 03:49 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 03:49 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-26 08:27 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-04 13:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-01 05:55 388,608 a------- c:\windows\system32\CF27825.exe
2009-04-01 05:55 388,608 a------- c:\windows\system32\CF27678.exe
2007-05-27 08:18 352 ac------ c:\documents and settings\user1\jobq.dat
2006-04-23 11:07 561,152 ac------ c:\documents and settings\user1\chatlnk.exe

============= FINISH: 6:46:39.48 ===============


Thank you,
Holly Kilpatrick

[Ried]

Hello Holly,

If you still require assistance, please run a new scan with dds, post the fresh dds.txt , and we'll get started.

[HollyKilpatrick]

DDS (Ver_09-03-16.01) - NTFSx86
Run by User1 at 6:09:21.06 on 2009-06-30
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.704 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\User1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open using &Advanced JPEG Compressor - c:\program files\advanced jpeg compressor\ajcieex.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: heritagequestonline.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: umi.com
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} - hxxp://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax4227.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: SystemCheck2 - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli nouing.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\zyr62jz5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.freerepublic.com/focus/f-news/browse
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {BF80861B-066E-4939-AD19-BF3BF3DF7266} - c:\documents and settings\user1\local settings\application data\{BF80861B-066E-4939-AD19-BF3BF3DF7266}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-27 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2007-3-21 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2007-3-21 119864]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-13 195856]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2007-3-21 36188]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-13 19096]
S2 olwlvjejwikg;olwlvjejwikg;\??\c:\windows\system32\drivers\xlgvwll.sys --> c:\windows\system32\drivers\xlgvwll.sys [?]
S2 XEXITAUI;XEXITAUI;\??\c:\windows\system32\xexitaui.goy --> c:\windows\system32\xexitaui.goy [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-26 33752]

=============== Created Last 30 ================

2009-06-25 10:11 47,104 a------- c:\windows\system32\pcmfd3.dll
2009-06-25 10:11 148 a------- c:\windows\system32\ijw
2009-06-14 06:43 <DIR> --d----- c:\windows\system32\scripting
2009-06-14 06:43 <DIR> --d----- c:\windows\system32\en
2009-06-14 06:43 <DIR> --d----- c:\windows\l2schemas
2009-06-14 06:40 <DIR> --d----- c:\windows\network diagnostic
2009-06-14 06:10 127 a------- c:\windows\system32\MRT.INI
2009-06-13 21:29 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-13 21:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 06:46 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-12 03:16 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 03:49 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 03:49 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-04 13:59 410,984 a------- c:\windows\system32\deploytk.dll
2007-05-27 08:18 352 ac------ c:\documents and settings\user1\jobq.dat
2006-04-23 11:07 561,152 ac------ c:\documents and settings\user1\chatlnk.exe

============= FINISH: 6:11:35.31 ===============

[Ried]

Hi Holly,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT- Save ComboFix.exe to your Desktop

--------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

FireFox::
FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\zyr62jz5.default\
FF - HiddenExtension: XUL Cache: {BF80861B-066E-4939-AD19-BF3BF3DF7266} - c:\documents and settings\user1\local settings\application data\{BF80861B-066E-4939-AD19-BF3BF3DF7266}

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

=================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

=================================





Refering to the picture above, drag CFScript into ComboFix.exe


Follow the prompts. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here for further review along with an update on system behavior.

[HollyKilpatrick]

I will have to finish this after work. I tried but it says AVG is not disabled, even though I unchecked the two active components in Advanced, Link Scanners, as it says in Help. So I will have to research that. I may not have time tonight because I have a dog training class, so if I don't reply right away, it is just because I am busy. I still need to do it, google is still redirecting everything. Thanks,
Holly

[Ried]

try this, Holly,

Open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.

• Click on Open AVG Interface.
• Double click on Resident Shield
• Deselect the option to "Enable Resident Shield."
• Save changes, and exit the application.
• To re-enable AVG 8.5, please select "Enable Resident Shield" again.

[HollyKilpatrick]

I ran combofix. It finally created the log, and at that time, I did not have time to post the log, because I had to leave, and I had to shut the computer down because we were about to have a bad electrical storm. The computer would not shut down. I did start/shutdown 5 or 6 times. Nothing happened. So finally I had to hold down the power button, because I had to get it shut down.

Now I am back home, and I turned it on, and it will only come up to the blue windows logo screen, but there is no User to click on. So I cannot get into the computer, so I cannot get to the log file to post it.

Before Combofix ran, it came up with a window called Rootkit!! and it said I should write down the names of certain files because they might be needed later. I saw that they were among the files that were deleted by combofix. Let me know if you need to know what they were.

As Combofix was creating the log file, after it ran, twice a google logo appeared in the system tray and there was a message "Google has blocked an attempt by another program to change your search settings." I left it on "Keep Google as default" and "Notify of changes".

I hope you will be able to help with this very soon, because now we can't even get into the computer at all. I am using another computer to post this. I will have to check my email on another computer. I will check as often as possible.

Thank you,
Holly

[Ried]

Did ComboFix reboot the machine at all?

Yes - I need to know what that file was since your gmer scan showed no rootkit at all.

Shut down the computer and see if you can load Windows in Safe Mode

As your computer is starting up, tap F8 (on some systems it is F5)

[HollyKilpatrick]

No, I can't start in safe mode. I get only as far as the Windows logo screen, the light blue screen with dark blue top and bottom.

I had a ticket open last year here, Chemist worked on it, and as I remember, this same thing happened after the fixing process ran. I forget how he fixed it though.

Yes, ComboFix rebooted the machine. After the reboot it created the log.

[HollyKilpatrick]

No, I can't start in safe mode. I get only as far as the Windows logo screen, the light blue screen with dark blue top and bottom.

I had a ticket open last year here, Chemist worked on it, and as I remember, this same thing happened after the fixing process ran. I forget how he fixed it though.

Yes, ComboFix rebooted the machine. After the reboot it created the log.

[Ried]

Hi Holly,

Try those methods again.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded entries one at a time, and press Enter:

cd \

cd erdnt\hiv-backup

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

------------------------------------------------------

Let me know

[HollyKilpatrick]

When I type
cd erdnt\hiv-backup

it tells me Access is denied.

[Ried]

Quote:

Before Combofix ran, it came up with a window called Rootkit!! and it said I should write down the names of certain files because they might be needed later. I saw that they were among the files that were deleted by combofix. Let me know if you need to know what they were.

Quote:

Originally Posted by Ried

Yes - I need to know what that file was since your gmer scan showed no rootkit at all.

What were those file names, Holly?

[HollyKilpatrick]

c:\windows\system32\drivers\SKYNETvbotqldr.sys
c:\windows\system32\SKYNETqhalpsml.dll
c:\windows\system32\SKYNETdsdcxmye.dat
c:\windows\system32\SKYNETxxymtbya.dll
c:\windows\system32\SKYNETppburbrs.dat

[Ried]

Thank you, and good work writing those down.

I'm going to send you on a mission. Boot into Recovery Console again, and at the prompt, type in the following:

Listsvc

A long list of services will display for you, alphabetically. Look for any that say Skynet and write down the exact name(s) you see.

List them here for me, please.

[HollyKilpatrick]

There were none with Skynet in the name or description. Maybe there is something with a nondescript name? Many were disabled, quite a few were Auto or Manual, and a few were Boot.

[Ried]

Quite a few should be boot and are very important. What I'm looking for is a disrupted removal of a rootkit. Look for any that begin with these letters, and post the full name here for me if you find them:

gaopd
hjgrui
kungsfud
MSIVXser
ovfsth
tdss
UAC

[HollyKilpatrick]

None of those. All the Boot files are:
ACPI
agp440
atapi
Disk
drvmcdb (no description)
FltMgr
Ftdisk
isapnp
KSecDD
Lbd
MountMgr
Mup
NDIS
PartMgr
PCI
PCIIde
PxHelp20 (no desc)
Snapman
sr
timounter
Volsnap
WudfPf

[Ried]

We're going to try disabling some legit services and see if the system will boot for you.

From the Recovery Console, type each of the following linesexactly as below, one at a time, pressing Enter after each one.


Disable AvgLdx86
Disable AvgMfx86
Disable AvgTdiX
Disable AdobeActiveFileMonitor
Disable avg8wd
Disable "Lavasoft Ad-Aware Service"
Disable MBAMService
Disable PhotoshopElementsDeviceConnect
Disable MBAMProtector
Disable olwlvjejwikg
Disable XEXITAUI

Now type in exit and Windows should try to load. Let me know what happens.

[HollyKilpatrick]

No, it still only boots up to the Windows logo screen. No user to click on.

For the last one, XEXITAUI, it said registry entry can't be found. I hope I wasn't supposed to write down the existing setting, because I thought they all said Service_System_start until I realized they had various settings, and I wrote down the last three.

I'm going to get to bed now, so I will check in the morning, and see what we should do next.
Thanks,
Holly