Google Search Result Redirects

[rem524]

When I click on results from a Google search, I am re-directed to other sites (typically another search site but I have also been re-directed to a "click fraud" site). Looking through some of the other threads, this appears to be the "flavor of the day" for help requests.

I downloaded, updated and ran Malwarebytes which found ~25 infected objects and was able to delete everything except c:\Windows\system32\drivers\str.sys. MBAM suggested a re-boot to delete the file but the re-directs continue after 2 attempts to delete.

When running DDS, I received the following message four times:
"Not enough main memory to complete the sort."
I suspect that means the log will not show all of the needed information but I have included that output below. I have also attached the requested attach.txt and ark.txt files (zipped).

Thank you in advance for your help!

-Bob


DDS (Ver_09-06-26.01) - NTFSx86
Run by manning at 5:33:56.32 on Fri 07/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.829 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090709-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AccuRev\bin\accurev_server.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\AccuRev\bin\accurev_server.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\manning\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\DETECTOR\CTDETECT.EXE
C:\PROGRAM FILES\VERIZON\MEDIA MANAGER\MEDIAMANAGER.EXE
C:\PROGRAM FILES\ETIVOSERVER\ETIVOCONTROL.EXE
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\manning\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\AIM6.EXE" /d locale=en-US ee://aol/imApp
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [VTTimer] VTTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [D066UUtility] c:\windows\twain_32\d66u\D066UUTY.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Trusted Zone: turbotax.com
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://idiom.webex.com/client/T26L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-9 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-4 114768]
R2 AccuRev;AccuRev;c:\program files\accurev\bin\accurev_server.exe [2005-3-31 978944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-4 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2005-8-4 848896]
RUnknown anwkzf;anwkzf; [x]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-4 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-4 352920]
S3 EtiVoServer;EtiVoServer;c:\program files\etivoserver\EtiVoSrv.exe [2005-9-9 24576]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2008-9-2 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-9-2 475264]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
UnknownUnknown aulbadu;aulbadu; [x]

=============== Created Last 30 ================

2009-07-09 22:37 <DIR> --d----- c:\docume~1\manning\applic~1\Malwarebytes
2009-07-09 22:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 00:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-29 13:29 <DIR> --dsh--- c:\documents and settings\manning\IECompatCache
2009-06-28 20:37 <DIR> --dsh--- c:\documents and settings\manning\PrivacIE
2009-06-27 05:32 <DIR> --dsh--- c:\documents and settings\manning\IETldCache

==================== Find3M ====================

2005-04-16 16:26 0 a--sh--- c:\windows\sminst\HPCD.sys
2007-06-18 22:08 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-04 08:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110420081105\index.dat
2009-03-30 08:27 32,768 a--sh--- c:\windows\temp\history\history.ie5\mshist012009032420090325\index.dat

============= FINISH: 5:35:24.59 ===============

[rem524]

Hi,

72 hour bump - just checking in. I am including fresh logs in case that is needed.

I did not get the "Not enough main memory to complete the sort." error when running DDS this morning. MBAM still shows just the str.sys file as the only malware on the system.

Regards,

-Bob


DDS (Ver_09-06-26.01) - NTFSx86
Run by manning at 6:59:24.90 on Mon 07/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.430 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090712-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AccuRev\bin\accurev_server.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\AccuRev\bin\accurev_server.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\manning\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\DETECTOR\CTDETECT.EXE
C:\PROGRAM FILES\VERIZON\MEDIA MANAGER\MEDIAMANAGER.EXE
C:\PROGRAM FILES\ETIVOSERVER\ETIVOCONTROL.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\manning\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\AIM6.EXE" /d locale=en-US ee://aol/imApp
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [VTTimer] VTTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [D066UUtility] c:\windows\twain_32\d66u\D066UUTY.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Trusted Zone: turbotax.com
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://idiom.webex.com/client/T26L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\manning\applic~1\mozilla\firefox\profiles\6mrjqkmz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\manning\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-9 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-4 114768]
R2 AccuRev;AccuRev;c:\program files\accurev\bin\accurev_server.exe [2005-3-31 978944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-4 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2005-8-4 848896]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-4 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-4 352920]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-9 38160]
RUnknown anwkzf;anwkzf; [x]
S3 EtiVoServer;EtiVoServer;c:\program files\etivoserver\EtiVoSrv.exe [2005-9-9 24576]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2008-9-2 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-9-2 475264]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
SUnknown aulbadu;aulbadu; [x]

=============== Created Last 30 ================

2009-07-09 23:38 213,024 -------- c:\windows\system32\drivers\str.sys
2009-07-09 22:37 <DIR> --d----- c:\docume~1\manning\applic~1\Malwarebytes
2009-07-09 22:37 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 22:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 22:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 08:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-09 00:15 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-09 00:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-04 14:06 <DIR> --d-h--- c:\windows\PIF
2009-07-04 05:15 74,752 a------- c:\windows\system32\drivers\gmwnydiwyxv.sys
2009-06-29 13:29 <DIR> --dsh--- c:\documents and settings\manning\IECompatCache
2009-06-28 20:37 <DIR> --dsh--- c:\documents and settings\manning\PrivacIE
2009-06-27 05:32 <DIR> --dsh--- c:\documents and settings\manning\IETldCache
2009-06-27 00:03 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-27 00:03 <DIR> --d----- c:\windows\ie8updates
2009-06-27 00:02 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-27 00:02 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 23:59 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-08 10:37 51,224 a------- c:\docume~1\manning\applic~1\GDIPFONTCACHEV1.DAT
2007-01-18 17:38 56,912 a------- c:\documents and settings\manning\g2mdlhlpx.exe
2005-04-18 18:05 0 a------- c:\docume~1\manning\applic~1\wklnhst.dat
2005-04-16 16:26 0 a--sh--- c:\windows\sminst\HPCD.sys
2007-06-18 22:08 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-04 08:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110420081105\index.dat
2009-03-30 08:27 32,768 a--sh--- c:\windows\temp\history\history.ie5\mshist012009032420090325\index.dat

============= FINISH: 7:01:31.09 ===============

[tetonbob]

Hello -

I'd like a look with a different rootkit scanner.

Go here, scroll down and download RootRepeal.zip to your Desktop. Unzip that, and then click RootRepeal.exe to open the scanner. Next click on the Report tab, and then click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and attach it to your next reply.

[rem524]

tetonbob,

RootRepeal.txt is attached.

Thank you,

-Bob

[tetonbob]

That shows us the problem.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

1. Download ComboFix from this location:
   
   Link 1
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------

[rem524]

tetonbob,

I followed the instructions for running Combo-Fix.exe. ComboFix ran for several minutes and then popped up a dialog saying that it had found five files that needed to be removed. It suggested writing down the names of the files in case they were needed later. Here are the five file names:

\WINDOWS\system32\drivers\hjgruiarrvjaxi.sys
\WINDOWS\system32\hjgruiasvciimr.dll
\WINDOWS\system32\hjgruiiejoypdq.dat
\WINDOWS\system32\hjgruibaywijkr.dll
\WINDOWS\system32\hjgruicopvquiy.dat

It then said it needed to re-boot. After booting, I logged back in as the same user. A command window was started and showed the following:

Please wait.
ComboFix is preparing to run.

It has been that way for at least 20 minutes now. I don't think I clicked in the command shell (I saw the warnings saying that could stall ComboFix). I don't hear any disk activity on the system now.

Should I just let this sit for now?

Thanks,

-Bob

[tetonbob]

Is Avast active still? Other than the ComboFix command window, is your desktop present?

Can you open Task Manager? Ctrl + Alt + Del

[rem524]

I did not explicitly re-activate Avast before the re-boot. I de-activated the active scanning before running ComboFix.

My Desktop is empty except for the ComboFix command window. I can start the Task Manager by pressing CTRL-ALT-DEL. There are two processes running that I think are part of Avast - ashServ.exe and avast.setup. There is also a process AAWService.exe (AdAware?).

-Bob

[tetonbob]

See if you can end process on those, and also let me know what other processes are running, especially with .cfexe extension

[rem524]

I was able to kill AAWService.exe but got an "Access is denied" message for ashServ.exe and avast.setup.

The only .cfexe process running is swsc.cfexe.

The full list of running processes:
accurev_server.exe (software version control application)
AppleMobileDeviceService.exe
ashServ.exe
aswUpdSv.exe
avast.setup
cmd.exe
csrss.exe
explorer.exe
lsass.exe
rundll32.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe (6 processes)
swsc.cfexe
System
System Idle Process
taskmgr.exe
winlogon.exe

I didn't try it but I may be able to open a command window from the Task Manager and try to stop the Avast service from there (assuming I can find the service name).

-Bob

[tetonbob]

I see explorer.exe in the running processes, but you said you have no desktop, right?

Please end process on swsc.cfexe, and let me know if you get your desktop back. If that doesn't free it up, end process on the cmd.exe, or the CF*****.exe if present.

[rem524]

Correct, I do not have my Desktop (and have not had it since re-boot). I stopped swsc.cfexe and a new process NirCmd.cfexe started. No update in the command window.

Do you care which I stop at this point (cmd.exe or NirCmd.cfexe)?

BTW, it's getting late in NC. Let me know when you need to call it a night.

-Bob

[tetonbob]

Monitor the task manager for a little while (A few minutes). If more .cfexe processes spawn, that's a good thing, let me know.

[rem524]

No luck. NirCmd.cfexe is just sitting there. It is not using any CPU time and the Memory Usage is not changing at all. No signs of life.

Looks like the only process using CPU time is the Task Manager.

[tetonbob]

I'm loathe to force a hard boot at this point. I want to reestablish a normal working desktop before any restarts occur.

End process on the nircmd.cfexe, if that doesn't do much, kill the cmd.exe, the ComboFix window, and start explorer from File > New Task (run) if it does not start on it's own.

[rem524]

Stopped nircmd.exe
Could not stop catchme.cfexe
As soon as I stopped cmd.exe, the rest of the desktop came up and the rest of my auto-start apps came up (AIM, etc.)

The command window where CF was running did not close when I stopped cmd.exe and I am still unable to stop catchme.cfexe.

I do have a working desktop.

[tetonbob]

Ok, that's good.

Monitor catchme.cfexe for a few more minutes. If it's still just sitting there, not using any CPU time, and you can't end it, I'd like to see new logs from DDS if possible, and also the following log if present

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

Please do not restart your machine until I've reviewed these logs.

[rem524]

I'm getting nowhere on either the DDS log (it has been sitting for 5 minutes and is not using CPU or grabbing more memory) or the *-quarantined-files.txt. What I can see is that the directory c:\qoobox\quarantine\c\windows\system32 has four files (all starting with "hjgrui" and ending with .dll.vir or .dat.vir extensions added to the end. There is a fifth file in a drivers subdirectory (similar name, .sys.vir extension).

It's weird but I can't work through the Windows File Explorer at all. I was able to see the contents of those directories by typing "C:\qoobox" in Firefox and navigating from there.

[tetonbob]

Ok, kill DDS.

Those files you identified earlier should be out of the way if they're in qoobox renamed.

Before we reboot and try again, I want you to confirm for me that the Windows Recovery Console was installed before ComboFix began it's removals.

[rem524]

CF did not install Windows Recovery Console. I did see a message indicating that it was (trying to) create a recovery point when CF ran.