13th January 2009   #1
adamsmw (Member)


[Active]Search engine hijack w/ security update blocking

Using any search engine, from the tool bar or from direct site, valid results are shown but when clicking the link a new window opens with unrelated websites and advertisement.

First thing I tried was Spybot. The program installed but would not open or update. Then tried Ad-aware, it scanned but didn't find anything. It also updated but only after the scan completed. Then installed AVG, it would scan with zero results and would not update either.

Found this forum and tried to use RSIT but would not allow the file to be saved or opened. Then I tried to copy RSIT from another computer. Once pasted on the desktop, double clicked the icon and received an error: AutoIt Error - Unable to open the script file.

Not sure where to go from here. Just to let you know I am running Windows XP. Any direction would be greatly appreciated.

13th January 2009   #2
Geri (Staff)

Hi adamsmw
Welcome to WindowsBBS.

Let's see if you can get this one.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
Save both reports to your desktop & post them here.

Thanks
Geri

14th January 2009   #3
adamsmw (Member)


I was able to get DDS to work by copying from another computer. None of the links worked from the hijacked computer. I wasn't sure about the script blocking but ran DDS anyways. Here is the DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 21:33:42.79 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1642 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.supermotojunkie.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [e©ùýùäûïÕóÎÑøøËøôùÊýíñûÊÞó] c:\program files\xp antivirus\xpa.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n1h8i5js.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-11 26824]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-11 76040]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]

=============== Created Last 30 ================

2009-01-11 23:12 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-01-11 23:12 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-01-11 18:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-11 18:08 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-11 18:08 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-01-11 18:08 <DIR> --d----- c:\program files\AVG
2009-01-11 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-11 16:28 <DIR> --d----- c:\program files\Lavasoft
2009-01-11 16:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-11 15:32 <DIR> --d----- c:\windows\Downloaded Installations
2009-01-11 15:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-11 13:51 <DIR> --d----- c:\program files\Novatel Wireless

==================== Find3M ====================

2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 13:38 826,368 a------- c:\windows\system32\wininet.dll
2008-08-24 14:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 21:35:04.53 ===============

14th January 2009   #4
adamsmw (Member)


Here is the Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/5/2007 3:42:33 PM
System Uptime: 1/13/2009 9:13:31 PM (0 hours ago)

Motherboard: Intel Corporation | | D845GVSR
Processor: Intel(R) Celeron(R) CPU 2.80GHz | J2E1 | 2800/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 27.013 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 37.148 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Linksys NC100 Fast Ethernet Adapter
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05701317&REV_11\4&29817089&0&00F0
Manufacturer: Linksys
Name: Linksys NC100 Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05701317&REV_11\4&29817089&0&00F0
Service: AN983

==== System Restore Points ===================

RP245: 10/16/2008 5:40:38 PM - Software Distribution Service 3.0
RP246: 10/18/2008 4:12:30 AM - System Checkpoint
RP247: 10/19/2008 4:42:35 AM - System Checkpoint
RP248: 10/20/2008 7:52:49 AM - System Checkpoint
RP249: 10/21/2008 8:45:55 AM - System Checkpoint
RP250: 10/22/2008 11:42:17 AM - System Checkpoint
RP251: 10/24/2008 11:46:26 AM - Software Distribution Service 3.0
RP252: 10/24/2008 3:22:10 PM - Software Distribution Service 3.0
RP253: 10/27/2008 4:27:31 AM - System Checkpoint
RP254: 10/28/2008 5:29:35 AM - System Checkpoint
RP255: 10/29/2008 5:33:19 AM - System Checkpoint
RP256: 10/30/2008 3:38:10 AM - Software Distribution Service 3.0
RP257: 10/31/2008 4:21:33 PM - System Checkpoint
RP258: 11/1/2008 4:09:41 AM - Software Distribution Service 3.0
RP259: 11/2/2008 4:46:18 AM - System Checkpoint
RP260: 11/3/2008 5:26:22 AM - System Checkpoint
RP261: 11/4/2008 6:13:14 AM - System Checkpoint
RP262: 11/5/2008 12:40:10 AM - Software Distribution Service 3.0
RP263: 11/6/2008 5:40:23 AM - System Checkpoint
RP264: 11/7/2008 3:15:07 AM - Software Distribution Service 3.0
RP265: 11/8/2008 4:26:33 AM - System Checkpoint
RP266: 11/9/2008 4:52:43 AM - System Checkpoint
RP267: 11/10/2008 4:58:09 AM - System Checkpoint
RP268: 11/10/2008 2:37:49 PM - Windows Defender Checkpoint
RP269: 11/13/2008 3:13:35 AM - System Checkpoint
RP270: 1/11/2009 3:19:25 PM - System Checkpoint
RP271: 1/11/2009 4:27:55 PM - Installed Ad-Aware
RP272: 1/11/2009 6:08:34 PM - Installed AVG Free 8.0
RP273: 1/13/2009 6:22:56 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 6.0
Adobe Shockwave Player
AnswerWorks Runtime
AutoCAD LT 2002
AVG Free 8.0
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Connections Drivers
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Outlook Web Access S/MIME
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mobile Broadband Generic Drivers
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7
neroxml
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Soft Data Fax Modem with SmartCP
Sprint Mobile Broadband (Novatel Wireless) - Lite
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Volo View Express
WebFldrs XP
Windows Backup Utility
Windows Communication Foundation
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

1/11/2009 6:08:01 PM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s).
1/11/2009 4:16:55 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/11/2009 9:13:13 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{3B664EC7-8962-44E0-86D6-8DC264388033} because another computer on the network has the same name. The server could not start.
1/11/2009 9:17:35 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00121752E050 has been denied by the DHCP server 192.168.0.254 (The DHCP Server sent a DHCPNACK message).
1/12/2009 9:49:47 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
1/13/2009 7:03:12 AM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

==== End Of File ===========================

14th January 2009   #5
Geri (Staff)

Hi
OK we need to download and transfer a tool to the infected machine.

Please rename the tool before saving it to "Fombocix.exe" or anything of your choosing. Transfer it to the infected machine and run it as instructed.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Thanks
Geri

16th January 2009   #6
adamsmw (Member)


Here is the ComboFix log. Thanks for the help. When the scan started it asked me to write down some files. Here they are:

C:\WINDOWS\system32\drivers\TDSSpqlt.sys
\TDSSoiqh.dll
\ " osvd.dat
\ " brsr.dll
\ " riqp.dll
\ " cfum.dll
\ " tkdv.log
\ " nmxh.log
\ " sihc.dll
\ " rhym.log


ComboFix 09-01-13.04 - Owner 2009-01-15 21:30:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1617 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\FomboCix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Antivirus 2009
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 22:11 . 2009-01-13 22:30 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-13 22:00 . 2006-01-06 12:07 185,344 --a------ c:\windows\system32\hpfinst.dll
2009-01-13 22:00 . 2006-01-06 12:07 69,632 --------- c:\windows\system32\hpodinet.dll
2009-01-13 22:00 . 2006-01-06 12:07 36,864 --a------ c:\windows\hpfsched.exe
2009-01-13 21:59 . 2009-01-13 22:20 <DIR> d-------- c:\temp\photosmart
2009-01-11 23:12 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-11 23:12 . 2008-04-13 11:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-11 18:08 . 2009-01-15 21:31 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-11 18:08 . 2009-01-11 18:08 <DIR> d-------- c:\program files\AVG
2009-01-11 18:08 . 2009-01-11 18:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-01-11 18:08 . 2009-01-11 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-11 18:08 . 2009-01-11 18:08 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 . 2009-01-11 18:08 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 . 2009-01-11 18:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d-------- c:\program files\Lavasoft
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 16:27 . 2009-01-11 16:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 15:32 . 2009-01-11 15:32 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-11 15:00 . 2009-01-11 16:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 . 2009-01-11 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:51 . 2009-01-11 14:51 0 --a------ c:\windows\nsreg.dat
2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d-------- c:\program files\Novatel Wireless

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-17 11:58 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-24 21:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-03 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-11 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-09-06 13824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838f189e-e021-11dd-ac16-001111b0457e}]
\Shell\AutoRun\command - J:\LiteAuto.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.supermotojunkie.com/
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91

c:\windows\system32\msstkprp.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\system32\objsafe.tlb
c:\windows\system32\DLGOBJS.DLL
c:\windows\Downloaded Program Files\RraainAX.ocx
O16 -: {297DE2B6-509A-4B36-93C5-A65276606900}
hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
c:\windows\Downloaded Program Files\RraainAX.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n1h8i5js.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:32:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-15 21:35:01
ComboFix-quarantined-files.txt 2009-01-16 04:34:40

Pre-Run: 28,825,202,688 bytes free
Post-Run: 28,927,864,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

153 --- E O F --- 2009-01-14 01:01:19

16th January 2009   #7
adamsmw (Member)


Ran Combofix and it deleted some files. The problem seems to be fixed at this time. Here is the log. Please let me know if I need to do anything else. Thanks a bunch.

ComboFix 09-01-13.04 - Owner 2009-01-15 21:30:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1617 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\FomboCix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Antivirus 2009
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 22:11 . 2009-01-13 22:30 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-13 22:00 . 2006-01-06 12:07 185,344 --a------ c:\windows\system32\hpfinst.dll
2009-01-13 22:00 . 2006-01-06 12:07 69,632 --------- c:\windows\system32\hpodinet.dll
2009-01-13 22:00 . 2006-01-06 12:07 36,864 --a------ c:\windows\hpfsched.exe
2009-01-13 21:59 . 2009-01-13 22:20 <DIR> d-------- c:\temp\photosmart
2009-01-11 23:12 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-11 23:12 . 2008-04-13 11:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-11 18:08 . 2009-01-15 21:31 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-11 18:08 . 2009-01-11 18:08 <DIR> d-------- c:\program files\AVG
2009-01-11 18:08 . 2009-01-11 18:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-01-11 18:08 . 2009-01-11 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-11 18:08 . 2009-01-11 18:08 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 . 2009-01-11 18:08 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 . 2009-01-11 18:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d-------- c:\program files\Lavasoft
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 16:27 . 2009-01-11 16:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 15:32 . 2009-01-11 15:32 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-11 15:00 . 2009-01-11 16:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 . 2009-01-11 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:51 . 2009-01-11 14:51 0 --a------ c:\windows\nsreg.dat
2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d-------- c:\program files\Novatel Wireless

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-17 11:58 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-24 21:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-03 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-11 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-09-06 13824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838f189e-e021-11dd-ac16-001111b0457e}]
\Shell\AutoRun\command - J:\LiteAuto.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.supermotojunkie.com/
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91

c:\windows\system32\msstkprp.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\system32\objsafe.tlb
c:\windows\system32\DLGOBJS.DLL
c:\windows\Downloaded Program Files\RraainAX.ocx
O16 -: {297DE2B6-509A-4B36-93C5-A65276606900}
hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
c:\windows\Downloaded Program Files\RraainAX.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n1h8i5js.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:32:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-15 21:35:01
ComboFix-quarantined-files.txt 2009-01-16 04:34:40

Pre-Run: 28,825,202,688 bytes free
Post-Run: 28,927,864,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

153 --- E O F --- 2009-01-14 01:01:19

Old 17th January 2009   #8
Staff
 
Geri
 
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,541
Computer Experience:
Somedays it's like Taz

Hi
OK looks good.

Let's get an online scan.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on “Accept” if your pop-up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side, click on My Computer.
  • This will start the program and scan your system.
  • Click the “Scan Report” on the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
Geri
