Not open for further replies.
1 - 6 of 6 Posts

· Registered
3 Posts

I have had a problem for approximately 1 week now whereby I get redirected to ad sites when using Google links. These can be ask, britannia, antivirus software. I had Microsoft Security Essentials and Zonelab on my computer and used Malwarebytes Antimalware to detect any problem, but when scanned they all came back clean. I also noticed I couldn't boot up in Safe Mode; I would continuously get sent round in a loop.

Then a couple of days ago MS Essentials found a trojan called Win32/Alureon and disinfected it but also required me to restart my computer. When I restarted I was directed to the safe mode/start Windows normally/load last known good configuration screen - almost as if Windows didn't load or restart properly. The only way I could boot up my computer was selecting Last Known Good Configuration.

I then decided to uninstall MS Essentials and Zonelab. I installed AVG and Adaware and it appears to have resolved the problem of redirects from Google and I can boot up my computer in Safe Mode.

I don't know if I have resolved the issue or if it's waiting to rear its ugly head. I'm also hoping my OS has not been infected or my personal security compromised.

I have attached the Attach.txt log and DDS.txt logs. My OS is Windows XP Pro with SP3.

Any help greatly appreciated.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Gary McGuigan at 19:03:50.01 on 03/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.165 [GMT 0:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gary McGuigan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uSearch Page = hxxp://
uSearch Bar = hxxp://
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://
uSearchURL,(Default) = hxxp://
mSearchURL = hxxp://
mSearchAssistant = hxxp://
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search
IE: Add to Windows &Live Favorites -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2009-12-03 02:30:36 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-12-03 00:26:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 19:21:25 9396 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-29 14:36:32 23428 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 12:28:26 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:48:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-02-01 05:08:36 328 --sh--r- c:\windows\system32\5FECEBDBA5.sys
2008-09-05 20:38:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
2007-05-18 03:13:31 2225696 -csha-w- c:\windows\system32\drivers\fidbox.dat
2007-05-18 03:13:31 32032 -csha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-20 21:17:00 16384 -csha-w- c:\windows\temp\cookies\index.dat
2009-07-20 21:17:00 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2009-07-20 21:17:00 32768 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:05:43.35 ===============


· Registered
981 Posts
Hello Killeavy, welcome to the TSF Virus/Trojan/Spyware Help forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

After 3 days if a topic is not replied to we assume it has been abandoned and it is closed.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



· Registered
981 Posts
GMER scan looks OK, and I didn't see anything in the DDS log. Since you already have MalwareBytes on your machine, why don't you go ahead and update it, then run a Quick Scan and see if it returns anything.

You do need to go into your Add/Remove and take the following off your machine. It is a source of Malware exploitation:

J2SE Runtime Environment 5.0 Update 6

· Registered
981 Posts
Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.