Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Annoying Redirection of Web Browser

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Annoying Redirection of Web Browser

Unread postby Dave Hey » October 3rd, 2010, 3:38 am

Hello there and thanks for your help in advance.

I have attached the necessary files below for your reference.

The problem we have is that everynow and again our browser (IE8) gets redirected to another site. Usually a gaming site or a market retail site. It isn't always the same site and doesn't always happen. Sometimes you can go for a day and will be fine, then for no reason it will open another tab or sometimes another session of the browser and take you where you don't want to go. Very annoying.

Also, I don't know if it's related or not but I can't set the standard Windows XP Firewall up to work. Everytime I try it says "It can't do it and to do it manuallly by going to the control panel". It still won't turn on doing it manually?

I wondered if some bug was stopping it from turning the Firewall on?

Anyway, any help you could offer would be very much appreciated.

Rgards...

Dave Hey


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:50 p.m., on 3/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InternetSweeper\is.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.nzcity.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stuff.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.nzcity.co.nz/
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Sweeper Pro] C:\Program Files\InternetSweeper\is.exe min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://wixcam.citylink.co.nz//AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Ghost 2003\GhostStartService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/owner/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg

--
End of file - 7805 bytes
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm
Advertisement
Register to Remove

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 4th, 2010, 1:08 pm

Hi Dave hey,
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two,Three or Four
  • Double click on Rkill. (Right-click and "Run as administrator" in Vista/Win7).
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • VISTA/Win7: Right click the .exe file and chose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
      Image
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

So we are looking for the log from GMer, and the Installed programs list. You don't need any log from RKill.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 5th, 2010, 4:02 am

Hello

As per your instructions if Rkill did not run. It posted this message in a log.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as owner on 05/10/2010 at 20:48:29.


Services Stopped:


Processes terminated by Rkill or while it was running:


Rkill completed on 05/10/2010 at 20:48:37.
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 5th, 2010, 7:07 am

Try running this renamed file and see if it will run.
If it does, proceed to the Gmer procedure.
If it does not run, let me know.
------------------------------------------------
Download and Run A Special File
Please download the file from the following link HEREand save to your Desktop.
  • Double click on eXplorer.exe.
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave eXplorer on the Desktop until otherwise advised.
Note: If your security software warns about the file, please ignore and allow the download to continue.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 5th, 2010, 1:16 pm

Hello there

Thank you for your help and persistance.

It did not run. The file 'log' that it displayed was as below -

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as owner on 06/10/2010 at 6:13:46.


Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\owner\Desktop\eXplorer.exe

Rkill completed on 06/10/2010 at 6:13:54.
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 5th, 2010, 2:16 pm

Dave Hey,
Try this one and see if you can get it to complete.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason,you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 7th, 2010, 3:59 am

Hello there

As instructed -

2010/10/07 20:49:00.0531 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/07 20:49:00.0531 ================================================================================
2010/10/07 20:49:00.0531 SystemInfo:
2010/10/07 20:49:00.0531
2010/10/07 20:49:00.0531 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/07 20:49:00.0531 Product type: Workstation
2010/10/07 20:49:00.0531 ComputerName: BOB
2010/10/07 20:49:00.0531 UserName: owner
2010/10/07 20:49:00.0531 Windows directory: C:\WINDOWS
2010/10/07 20:49:00.0531 System windows directory: C:\WINDOWS
2010/10/07 20:49:00.0531 Processor architecture: Intel x86
2010/10/07 20:49:00.0531 Number of processors: 1
2010/10/07 20:49:00.0531 Page size: 0x1000
2010/10/07 20:49:00.0531 Boot type: Normal boot
2010/10/07 20:49:00.0531 ================================================================================
2010/10/07 20:49:07.0562 Initialize success
2010/10/07 20:49:20.0984 ================================================================================
2010/10/07 20:49:20.0984 Scan started
2010/10/07 20:49:20.0984 Mode: Manual;
2010/10/07 20:49:20.0984 ================================================================================
2010/10/07 20:49:21.0531 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2010/10/07 20:49:21.0718 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/07 20:49:21.0796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/07 20:49:21.0953 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/07 20:49:22.0031 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/07 20:49:22.0359 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/10/07 20:49:22.0515 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/07 20:49:22.0796 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
2010/10/07 20:49:22.0875 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/07 20:49:22.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/07 20:49:23.0046 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/07 20:49:23.0140 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/07 20:49:23.0234 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2010/10/07 20:49:23.0343 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/10/07 20:49:23.0453 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/10/07 20:49:23.0546 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/10/07 20:49:23.0625 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/07 20:49:23.0734 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/07 20:49:23.0828 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/07 20:49:23.0953 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/07 20:49:24.0015 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/07 20:49:24.0078 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/07 20:49:24.0359 cmuda (5a2004f687d4e55914e6e8898fb51c9d) C:\WINDOWS\system32\drivers\cmuda.sys
2010/10/07 20:49:24.0734 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/07 20:49:24.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/07 20:49:24.0953 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/07 20:49:25.0031 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/07 20:49:25.0109 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/07 20:49:25.0250 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/07 20:49:25.0359 esgiguard (051a2e2a75adb6d1c5c27e940fdabcba) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
2010/10/07 20:49:25.0453 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/07 20:49:25.0515 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/07 20:49:25.0609 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2010/10/07 20:49:25.0687 FETNDISB (a583bc166495b07f704533754ce29cbd) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
2010/10/07 20:49:25.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/07 20:49:25.0828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/07 20:49:25.0906 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/07 20:49:25.0984 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/07 20:49:26.0046 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/07 20:49:26.0125 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/10/07 20:49:26.0218 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/10/07 20:49:26.0328 GhPciScan (4d0e1ddfc571285a0bbabb0a534f4d3d) C:\Program Files\Ghost 2003\ghpciscan.sys
2010/10/07 20:49:26.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/07 20:49:26.0546 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/07 20:49:26.0765 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/07 20:49:26.0953 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/07 20:49:27.0015 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/07 20:49:27.0250 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/07 20:49:27.0328 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/07 20:49:27.0390 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/07 20:49:27.0468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/07 20:49:27.0531 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/07 20:49:27.0609 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/07 20:49:27.0687 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/07 20:49:27.0750 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/07 20:49:27.0812 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/07 20:49:27.0875 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/07 20:49:27.0953 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/07 20:49:28.0234 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
2010/10/07 20:49:28.0328 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/07 20:49:28.0421 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/07 20:49:28.0484 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/07 20:49:28.0578 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/07 20:49:28.0640 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/07 20:49:28.0781 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/07 20:49:28.0875 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/07 20:49:28.0968 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2010/10/07 20:49:29.0046 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/07 20:49:29.0125 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/07 20:49:29.0187 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/07 20:49:29.0250 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/07 20:49:29.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/07 20:49:29.0390 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/07 20:49:29.0453 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/07 20:49:29.0515 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/07 20:49:29.0593 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/07 20:49:29.0656 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/07 20:49:29.0718 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/07 20:49:29.0796 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/07 20:49:29.0859 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/07 20:49:29.0921 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/07 20:49:29.0984 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/07 20:49:30.0031 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/07 20:49:30.0156 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/07 20:49:30.0234 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/07 20:49:30.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/07 20:49:30.0515 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/07 20:49:30.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/07 20:49:30.0671 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/07 20:49:30.0734 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/07 20:49:30.0812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/07 20:49:30.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/07 20:49:30.0953 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/07 20:49:31.0015 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/07 20:49:31.0218 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/07 20:49:31.0718 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/07 20:49:31.0796 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/07 20:49:31.0875 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/07 20:49:31.0921 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/07 20:49:32.0015 PxHelp20 (b5dfb86a6caeae9b2bf3dedb43be6393) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/07 20:49:32.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/07 20:49:32.0484 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/07 20:49:32.0562 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/07 20:49:32.0609 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/07 20:49:32.0687 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/07 20:49:32.0765 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/07 20:49:32.0843 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/07 20:49:32.0937 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/07 20:49:33.0031 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/07 20:49:33.0218 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/07 20:49:33.0312 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/07 20:49:33.0375 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/07 20:49:33.0484 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/07 20:49:33.0625 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/07 20:49:33.0750 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/07 20:49:33.0843 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/07 20:49:33.0953 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/07 20:49:34.0062 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/07 20:49:34.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/07 20:49:34.0218 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/07 20:49:34.0546 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/07 20:49:34.0671 Tcpip (02b2b3c6816a68b7312ecdf20db80543) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/07 20:49:34.0671 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: 02b2b3c6816a68b7312ecdf20db80543, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2010/10/07 20:49:34.0703 Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/07 20:49:34.0765 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/07 20:49:34.0843 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/07 20:49:34.0906 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/07 20:49:35.0109 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2010/10/07 20:49:35.0187 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/07 20:49:35.0265 ULCDRHlp (8e6d8af8b2e589338292d8373195f206) C:\WINDOWS\system32\Drivers\ULCDRHlp.sys
2010/10/07 20:49:35.0406 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/07 20:49:35.0546 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/07 20:49:35.0625 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/07 20:49:35.0687 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/07 20:49:35.0765 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/07 20:49:35.0828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/07 20:49:35.0906 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/07 20:49:35.0984 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/07 20:49:36.0046 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/07 20:49:36.0125 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/07 20:49:36.0187 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/07 20:49:36.0296 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2010/10/07 20:49:36.0375 viagfx (0cc705db634a3bc355887e3d478dd386) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2010/10/07 20:49:36.0437 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/07 20:49:36.0500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/07 20:49:36.0609 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/07 20:49:36.0734 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/07 20:49:36.0937 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/10/07 20:49:37.0031 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/07 20:49:37.0109 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/07 20:49:37.0187 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/07 20:49:37.0593 ================================================================================
2010/10/07 20:49:37.0593 Scan finished
2010/10/07 20:49:37.0593 ================================================================================
2010/10/07 20:49:37.0640 Detected object count: 1
2010/10/07 20:50:16.0390 Tcpip (02b2b3c6816a68b7312ecdf20db80543) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/07 20:50:16.0390 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: 02b2b3c6816a68b7312ecdf20db80543, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2010/10/07 20:50:16.0562 Backup copy found, using it..
2010/10/07 20:50:16.0578 C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
2010/10/07 20:50:16.0578 Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
2010/10/07 20:50:34.0031 Deinitialize success
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 7th, 2010, 7:37 am

Dave Hey,
It is clear you have had a rootkit infection.
Some data on your PC may have been stolen.
Take precautions about any financial (credit cards, banking, etc.), or other critical data that may have passed through the machine.
We need to see what else may be on there. It should now be easier to detect any malware files.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 7th, 2010, 6:26 pm

Log attached as requested -

ComboFix 10-10-07.01 - owner 08/10/2010 11:17:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.959.404 [GMT 13:00]
Running from: c:\documents and settings\owner\Desktop\zzz.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Favorites\Thumbs.db
C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-04 19:48 . 2010-10-04 19:48 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 19:48 . 2010-10-04 19:48 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-04 19:48 . 2010-10-04 19:48 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-10-03 01:24 . 2010-10-03 01:24 -------- d-----w- C:\rsit
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-10-03 00:47 . 2010-04-29 02:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-03 00:47 . 2010-04-29 02:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 20:31 . 2010-09-23 20:31 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 20:31 . 2010-09-23 20:31 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 20:31 . 2010-09-23 20:31 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 20:31 . 2010-09-23 20:31 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 20:31 . 2010-09-23 20:31 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 20:31 . 2010-09-23 20:31 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 20:31 . 2010-09-23 20:31 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 20:30 . 2010-09-23 20:30 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 08:25 . 2010-07-25 04:31 0 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\prvlcl.dat
2010-10-07 07:51 . 2001-08-23 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-03 02:11 . 2009-09-19 11:11 -------- d-----w- c:\program files\Registry Medic 2008
2010-10-03 02:11 . 2005-12-08 09:40 -------- d-----w- c:\program files\FinePixViewer
2010-10-03 01:24 . 2009-08-31 06:39 -------- d-----w- c:\program files\Trend Micro
2010-10-03 00:18 . 2005-12-07 08:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-03 00:16 . 2007-06-10 10:03 -------- d-----w- c:\program files\Java
2010-10-03 00:07 . 2007-08-21 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-16 08:42 . 2005-12-10 03:29 -------- d-----w- c:\documents and settings\owner\Application Data\Canon
2010-08-01 08:15 . 2010-08-01 08:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-31 05:26 . 2010-07-31 05:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-21 22:01 . 2010-07-21 22:01 110080 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{6239C519-FFFD-4F0A-938A-78C6F2FA0BFA}\IconF7A21AF7.exe
2010-07-21 22:01 . 2010-07-21 22:01 110080 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{6239C519-FFFD-4F0A-938A-78C6F2FA0BFA}\IconD7F16134.exe
2010-07-15 21:44 . 2010-03-02 05:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 21:44 . 2010-07-15 21:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 21:43 . 2008-06-11 06:43 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 00:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Sweeper Pro"="c:\program files\InternetSweeper\is.exe" [2002-09-16 950272]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-07-14 3973464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 21:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
2002-03-22 04:41 94208 ----a-w- c:\program files\Microsoft Hardware\Keyboard\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Sweeper Pro]
2002-09-16 22:24 950272 ----a-w- c:\program files\InternetSweeper\is.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 09:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 09:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/06/2008 7:43 p.m. 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/03/2010 6:41 p.m. 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Ghost 2003\GhPciScan.sys [14/08/2002 4:11 p.m. 5632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 10:44 a.m. 308136]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [27/01/2010 7:10 p.m. 5248]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [4/10/2004 4:47 a.m. 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [4/10/2004 3:40 a.m. 118784]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [14/07/2010 4:19 p.m. 326488]
S3 da6d10b4-99ce-4429-b984-28322454a799;da6d10b4-99ce-4429-b984-28322454a799;\??\g:\player\cds300.dll --> g:\player\cds300.dll [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/05/2010 1:35 a.m. 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:34]

2010-10-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stuff.co.nz/
mStart Page = hxxp://home.nzcity.co.nz/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\1fgserct.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.stuff.co.nz/
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/sear ... -web_au&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-klmdb.sys


.
Completion time: 2010-10-08 11:24:39
ComboFix-quarantined-files.txt 2010-10-07 22:24

Pre-Run: 9,580,183,552 bytes free
Post-Run: 9,558,962,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 409851A86E23208FAE96700B1ED4B70A
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 8th, 2010, 6:52 am

Dave Hey,
You have had a rootkit infection.
Rootkits can do whatever they want with your machine.
With all infections of that type, there is a risk that any personal or financial data stored or passed through the machine may have been stolen.
Take whatever precautions you think sensible with any credit cards, account numbers, passwords.

We will finish up here, and after these procedures, do a final check of the ComboFix log.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
------------------------------------------------
Reset System Restore Points
  • Click Start, All Programs, Accessories, System Tools, System Restore
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Click Start, Run and type Cleanmgr
  • Select the Windows drive (usually C:), then click OK.
  • After it scans, Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 8th, 2010, 6:55 pm

Hello there

Thank you for all your efforts to help us get rid of this bug.

I have carried out the above and the log is below.

Dave

ComboFix 10-10-07.02 - owner 09/10/2010 9:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.959.458 [GMT 13:00]
Running from: c:\documents and settings\owner\Desktop\zzz.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-10-07 22:11 . 2010-10-07 22:24 -------- d-----w- C:\zzz
2010-10-04 19:48 . 2010-10-04 19:48 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 19:48 . 2010-10-04 19:48 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-04 19:48 . 2010-10-04 19:48 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-10-03 01:24 . 2010-10-03 01:24 -------- d-----w- C:\rsit
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-10-03 00:47 . 2010-04-29 02:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-03 00:47 . 2010-04-29 02:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 00:47 . 2010-10-03 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 20:31 . 2010-09-23 20:31 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 20:31 . 2010-09-23 20:31 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 20:31 . 2010-09-23 20:31 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 20:31 . 2010-09-23 20:31 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 20:31 . 2010-09-23 20:31 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 20:31 . 2010-09-23 20:31 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 20:31 . 2010-09-23 20:31 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 20:30 . 2010-09-23 20:30 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 19:40 . 2010-07-25 04:31 0 ----a-w- c:\documents and settings\owner\Local Settings\Application Data\prvlcl.dat
2010-10-07 07:51 . 2001-08-23 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-03 02:11 . 2009-09-19 11:11 -------- d-----w- c:\program files\Registry Medic 2008
2010-10-03 02:11 . 2005-12-08 09:40 -------- d-----w- c:\program files\FinePixViewer
2010-10-03 01:24 . 2009-08-31 06:39 -------- d-----w- c:\program files\Trend Micro
2010-10-03 00:18 . 2005-12-07 08:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-03 00:16 . 2007-06-10 10:03 -------- d-----w- c:\program files\Java
2010-10-03 00:07 . 2007-08-21 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-16 08:42 . 2005-12-10 03:29 -------- d-----w- c:\documents and settings\owner\Application Data\Canon
2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-01 08:15 . 2010-08-01 08:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-31 05:26 . 2010-07-31 05:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-22 15:49 . 2001-08-23 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 21:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 22:01 . 2010-07-21 22:01 110080 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{6239C519-FFFD-4F0A-938A-78C6F2FA0BFA}\IconF7A21AF7.exe
2010-07-21 22:01 . 2010-07-21 22:01 110080 ----a-r- c:\documents and settings\owner\Application Data\Microsoft\Installer\{6239C519-FFFD-4F0A-938A-78C6F2FA0BFA}\IconD7F16134.exe
2010-07-15 21:44 . 2010-03-02 05:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 21:44 . 2010-07-15 21:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 21:43 . 2008-06-11 06:43 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-10-07_22.22.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2001-08-23 12:00 . 2010-10-08 19:54 59440 c:\windows\system32\perfc009.dat
- 2006-11-07 08:03 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-11-07 08:03 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
+ 2001-08-23 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2001-08-23 12:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
- 2001-08-23 12:00 . 2008-04-14 00:11 80384 c:\windows\system32\iccvid.dll
- 2009-06-20 20:35 . 2010-05-06 10:41 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-20 20:35 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
- 2007-05-10 05:36 . 2010-05-06 10:41 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-10 05:36 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-05-10 05:22 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2005-12-07 08:58 . 2010-10-08 02:36 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-10-08 02:33 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2183461-IE8\xpshims.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2183461-IE8\msfeedsbs.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2183461-IE8\jsproxy.dll
+ 2005-12-07 08:58 . 2010-10-08 02:36 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2001-08-23 12:00 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll
+ 2001-08-23 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2001-08-23 12:00 . 2010-06-24 12:22 916480 c:\windows\system32\wininet.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 916480 c:\windows\system32\wininet.dll
- 2001-08-23 12:00 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll
+ 2001-08-23 12:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
+ 2001-08-23 12:00 . 2010-06-30 12:31 149504 c:\windows\system32\schannel.dll
+ 2001-08-23 12:00 . 2010-10-08 19:54 395200 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll
+ 2001-08-23 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
- 2006-11-07 08:03 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll
+ 2006-11-07 08:03 . 2010-06-24 12:21 599040 c:\windows\system32\msfeeds.dll
- 2006-10-18 08:47 . 2006-10-18 08:47 317440 c:\windows\system32\MP4SDECD.dll
+ 2006-10-18 08:47 . 2010-03-29 23:24 317440 c:\windows\system32\mp4sdecd.dll
+ 2005-12-06 21:59 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
+ 2001-08-23 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll
- 2001-08-23 12:00 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll
+ 2001-08-23 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
+ 2001-08-23 12:00 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
- 2001-08-23 12:00 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe
+ 2005-12-07 10:28 . 2010-10-08 19:20 298848 c:\windows\system32\FNTCACHE.DAT
- 2005-12-07 10:28 . 2010-06-11 15:28 298848 c:\windows\system32\FNTCACHE.DAT
+ 2001-08-23 12:00 . 2010-06-21 15:27 354304 c:\windows\system32\drivers\srv.sys
+ 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2006-05-10 05:23 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
- 2006-05-10 05:23 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2008-10-16 04:46 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2006-10-16 23:04 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-16 23:04 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:23 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
- 2007-05-10 05:36 . 2010-05-06 10:41 599040 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-10 05:36 . 2010-06-24 12:21 599040 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-03-29 23:24 . 2010-03-29 23:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll
+ 2008-08-14 04:05 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2009-06-20 20:35 . 2010-05-06 10:41 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-20 20:35 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2006-05-10 05:22 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:22 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-11 02:51 . 2010-05-06 10:41 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-11 02:51 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2006-11-06 14:27 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-06 14:27 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-06 14:26 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-06 14:26 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-12-07 08:58 . 2010-07-14 12:02 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2005-12-07 08:58 . 2010-10-08 02:36 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-10-08 02:33 . 2010-05-06 10:41 916480 c:\windows\ie8updates\KB2183461-IE8\wininet.dll
+ 2010-10-08 02:33 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2183461-IE8\spuninst\updspapi.dll
+ 2010-10-08 02:33 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2183461-IE8\spuninst\spuninst.exe
+ 2010-10-08 02:33 . 2010-05-06 10:41 206848 c:\windows\ie8updates\KB2183461-IE8\occache.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 611840 c:\windows\ie8updates\KB2183461-IE8\mstime.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 599040 c:\windows\ie8updates\KB2183461-IE8\msfeeds.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 247808 c:\windows\ie8updates\KB2183461-IE8\ieproxy.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 184320 c:\windows\ie8updates\KB2183461-IE8\iepeers.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 743424 c:\windows\ie8updates\KB2183461-IE8\iedvtool.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 387584 c:\windows\ie8updates\KB2183461-IE8\iedkcs32.dll
+ 2010-10-08 02:33 . 2010-05-05 13:30 173056 c:\windows\ie8updates\KB2183461-IE8\ie4uinit.exe
+ 2001-08-23 12:00 . 2010-06-23 13:44 1851904 c:\windows\system32\win32k.sys
+ 2001-08-23 12:00 . 2010-06-24 12:22 1210368 c:\windows\system32\urlmon.dll
+ 2001-08-23 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
- 2001-08-23 12:00 . 2010-02-16 21:10 2189952 c:\windows\system32\ntoskrnl.exe
+ 2001-08-23 12:00 . 2010-04-28 02:25 2189952 c:\windows\system32\ntoskrnl.exe
+ 2001-08-17 13:48 . 2010-04-27 13:05 2066816 c:\windows\system32\ntkrnlpa.exe
- 2001-08-17 13:48 . 2010-02-16 13:25 2066816 c:\windows\system32\ntkrnlpa.exe
- 2001-08-23 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2001-08-23 12:00 . 2010-06-14 07:41 1172480 c:\windows\system32\msxml3.dll
+ 2001-08-23 12:00 . 2010-06-24 12:22 5951488 c:\windows\system32\mshtml.dll
+ 2006-10-16 22:57 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
+ 2008-10-16 04:44 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:23 . 2010-06-24 12:22 1210368 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-10-16 04:44 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-16 04:44 . 2010-02-16 21:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-16 04:44 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 04:44 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 04:44 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 04:44 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 04:44 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-16 04:44 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 18:50 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 18:50 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2006-05-19 15:08 . 2010-06-24 12:22 5951488 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-11 02:53 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-11 02:53 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2007-05-10 05:36 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
+ 2010-08-04 21:57 . 2010-08-04 21:57 4066304 c:\windows\Installer\3500e1.msp
+ 2010-06-28 03:01 . 2010-06-28 03:01 7677952 c:\windows\Installer\3500ba.msp
+ 2010-06-28 09:53 . 2010-06-28 09:53 6819840 c:\windows\Installer\3500a2.msp
+ 2010-08-20 00:50 . 2010-08-20 00:50 5518848 c:\windows\Installer\35008a.msp
+ 2010-08-25 04:06 . 2010-08-25 04:06 6479360 c:\windows\Installer\350072.msp
+ 2010-10-08 02:33 . 2010-05-06 10:41 1209344 c:\windows\ie8updates\KB2183461-IE8\urlmon.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 5950976 c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 1985536 c:\windows\ie8updates\KB2183461-IE8\iertutil.dll
- 2008-10-16 04:44 . 2010-02-16 21:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 04:44 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-16 04:44 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 04:44 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 04:44 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 04:44 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 04:44 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-16 04:44 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2005-12-07 09:23 . 2010-09-10 01:34 35552200 c:\windows\system32\MRT.exe
+ 2006-11-07 08:03 . 2010-06-24 04:51 11077120 c:\windows\system32\ieframe.dll
+ 2007-05-10 05:36 . 2010-06-24 04:51 11077120 c:\windows\system32\dllcache\ieframe.dll
+ 2010-10-08 02:33 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2183461-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 00:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Sweeper Pro"="c:\program files\InternetSweeper\is.exe" [2002-09-16 950272]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-07-14 3973464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 21:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
2002-03-22 04:41 94208 ----a-w- c:\program files\Microsoft Hardware\Keyboard\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Sweeper Pro]
2002-09-16 22:24 950272 ----a-w- c:\program files\InternetSweeper\is.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 09:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 09:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/06/2008 7:43 p.m. 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/03/2010 6:41 p.m. 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Ghost 2003\GhPciScan.sys [14/08/2002 4:11 p.m. 5632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 10:44 a.m. 308136]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [27/01/2010 7:10 p.m. 5248]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [4/10/2004 4:47 a.m. 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [4/10/2004 3:40 a.m. 118784]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [14/07/2010 4:19 p.m. 326488]
S3 da6d10b4-99ce-4429-b984-28322454a799;da6d10b4-99ce-4429-b984-28322454a799;\??\g:\player\cds300.dll --> g:\player\cds300.dll [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/05/2010 1:35 a.m. 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:34]

2010-10-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stuff.co.nz/
mStart Page = hxxp://home.nzcity.co.nz/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\1fgserct.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.stuff.co.nz/
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/sear ... -web_au&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-09 09:46:33
ComboFix-quarantined-files.txt 2010-10-08 20:46
ComboFix2.txt 2010-10-07 22:24

Pre-Run: 9,022,099,456 bytes free
Post-Run: 9,005,895,680 bytes free

- - End Of File - - 8DC41AE15D9349727211384B440E398C
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 8th, 2010, 9:27 pm

Dave hey,
Looks quite good at this point.

You may already have a copy of Malwarebytes Anti-Malware on your machine.
If so, just update and run the scan as below.
Otherwise, please download it, update and run the scan.
You didn't post an installed programs list, so I have no way of knowing.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 9th, 2010, 3:04 am

Hello - Logs pasted below!

Thank you...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4783

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/10/2010 7:55:39 p.m.
mbam-log-2010-10-09 (19-55-39).txt

Scan type: Quick scan
Objects scanned: 137539
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\owner\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 3.0
Adobe Reader 9.3.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon ScanGear Toolbox 3.0
Citrix Web Client
C-Media WDM Audio Driver
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
EndNote X.0.2 Volume License Edition
Free FLV Player V0.05
FUJIFILM USB Driver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Internet Explorer (Enable DEP)
Internet Sweeper Pro v2.0
iTunes
Malwarebytes' Anti-Malware
MetaProducts StartUp Organizer
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Publisher 2000
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Mozilla Firefox (3.6.8)
Nero Suite
Norton Ghost
OGA Notifier 2.0.0048.0
Photo Viewer V208G2
QuickTime
RAW FILE CONVERTER LE
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SpyHunter
Ulead Data-Add 2.0
Ulead DVD MovieFactory 3.5 Suite
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm

Re: Annoying Redirection of Web Browser

Unread postby askey127 » October 9th, 2010, 7:51 am

Dave,
Your machine looks clean now.
If it is running well, delete Combofix (zzz.exe), Rkill and TDSSKiller from your desktop.
That special file eXplorer has already been removed.

You should be good to go if you don't see any other symptoms.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Annoying Redirection of Web Browser

Unread postby Dave Hey » October 9th, 2010, 4:00 pm

Hi askey127

Many thanks for all your help and persistance! It is very much appreciated. It does look good now.

Am I allowed to ask if perhaps my anti-virus protection isn't good enough? I only run the free version of AVG and SpyHunter. Are they up to it? Any recommendations you could give would be again appreciated!

Regards...

Dave
Dave Hey
Active Member
 
Posts: 10
Joined: September 26th, 2010, 4:59 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 311 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware