Mark123
Members
Posts: 9
Reputation: 0 Neutral
  1. Any help would very much be appreciated. Thanks.
  2. I am running Windows XP, Home Edition, Version 2002, SP3. Last night Zone Alarm asked me to allow lsass.exe to allow connections from the internet. I denied it. I then ran AVG anti virus free. It ran, but it could not delete the viruses it found because access was denied. I didn't get a screen shot of the details because I thought a log would be available later - it wasn't. I then ran Malwarebytes. It deleted a couple of files. I ran defogger and saved the DDS and Attach files. GMER would start to run, but then it would autoboot my PC. When the PC recovered, an info box came up stating a Serious Error had occurred. I tried running GMER 3 times all with the same result. Attached is a zip file containing: Mbam log, DDS.txt file, Attach.txt, and the AVG summary. Not sure whether or not to proceed on to Combofix. Many thanks for your help. Virus_Files1_072510.zip
  3. Thanks for the help. Downloaded Combofix. I had problems uninstalling AVG Free Antivirus, but was finally able to get rid of it with program avgremover.exe. Ran Combofix. It found a Rootkit and I rebooted. Combofix ran again and created the attached log. I still have my CD emulation turned off via Defogger, and Combofix removed avgremover.exe which was a very handy little tool. I await your advice. Combofix_txt_70210_2345.zip
  4. Darn that was tricky. I could not post the DDS.txt file as it was. After I changed the file name and the first few characters of the data, it seemed to post. Not sure what is going on with that. Please take a look at this post.
  5. Now I will try adding the attachment previously mentioned. bugfiles70110_0738.zip
  6. Doesn't want to post after pasting DDS.txt data: I've renamed the file and will try to submit after pasting from it. Changing first Line:

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by M F at 19:04:20.84 on Wed 06/30/2010
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.1975 [GMT -5:00]

     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     svchost.exe
     svchost.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
     C:\WINDOWS\LTMSG.exe
     C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
     C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
     C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Real\RealPlayer\RealPlay.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
  7. I am checking to see if I can post a topic after pasting text. Sad Story: On Monday 6/28/10 I was queried by ZoneAlarm to allow ejdudohtssd.exe access to the net. Since I never heard of it, I denied the request. I then found ejdudohtssd.exe-0163BC33.pf and ejdudohtssd.exe. I deleted the .pf file, but access was denied when trying to delete the .exe file. My system then would no longer launch apps. I was forced to do a hard power off/on. I came up in safe mode, and was able to delete the .exe file. I rebooted and came up in normal mode. I checked for strange processes and found nothing. I then ran AVG which ran clean. I ran Malwarebytes and it found a few problems which I had fixed. I then ran Spybot which found (Fraud.sysguard) which I had removed. I thought all was well, so I got on the net (using Firefox) and started doing some research. When I awoke on Tuesday 6/29, my system would not launch applications again. I again had to power off/on my PC. Later, I reran AVG, Malwarebytes, and Spybot which all ran clean. I then poked around on the net looking for a solution and found that I should run GMER. This is when a second problem started. I noticed that random web pages were being autogened sending me to random virus software companies. Nevertheless, I downloaded GMER and ran it, but when I reviewed the log yesterday morning 6/30, it had run clean. I then got on the malwarebytes forum and looked around for my problem. I didn
  8. First, many thanks for your help. I truly appreciate it. Sorry for opening a new topic, but I didn't know how to edit my first one. I didn't include the Hijackthis log the first time around. Problem: When I click on links produced by a search engine (yahoo, google, bing), I get redirected to random sites
  9. When I click on links produced by a search engine (yahoo, google, bing), I get redirected to random sites – many times it is just a junk name with a bogus URL – I can’t detect any pattern to it. The problem happens when using Internet Explorer and Firefox. I’m also running Zone Alarm which identified a rogue program alc23.exe trying to access the internet. I quickly blocked the file from access, but I couldn’t locate it even when doing a command line file search. That’s when I downloaded Malwarebytes, hoping it would find the problem. I ran the full scan, but it didn’t find anything. Following is the log it produced.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2591
     Windows 5.1.2600 Service Pack 3

     8/10/2009 2:48:38 PM
     mbam-log-2009-08-10 (14-48-38).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 149892
     Time elapsed: 50 minute(s), 42 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Hijackthis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:58:09 PM, on 8/10/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16791)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
     C:\WINDOWS\LTMSG.exe
     C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
     C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
     C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
     C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
     C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
     C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\PROGRA~1\AVG\AVG8\avgnsx.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\AVG\AVG8\avgcsrvx.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
     O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
     O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
     O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
     O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
     O4 - HKLM\..\Run: [TvRemoteVCR] C:\WINDOWS\Tvrmvcr.exe
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
     O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
     O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
     O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
     O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
     O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
     O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
     O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
     O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222187877187
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: c:\windows\system32\zodaveru.dll
     O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
     O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: Google Update Service (gupdate1c95c6b3e9016ba) (gupdate1c95c6b3e9016ba) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

     --
     End of file - 7067 bytes

     Malwarebytes Log:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2591
     Windows 5.1.2600 Service Pack 3

     8/10/2009 2:48:38 PM
     mbam-log-2009-08-10 (14-48-38).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 149892
     Time elapsed: 50 minute(s), 42 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)