
Malwarebytes Update Blocked & Captcha Issue



I have two problems that seem to have originated from Facebook.

1) I can't access malwarebytes.org, Malwarebytes will not update, and I can't seem to access any other anti-virus-related website. Checked the hosts file; all seems fine there. Checked for TDSSserv.sys: not found, nor is any similar variation.

2) The system seems to have a captcha virus that pops up every few minutes. It looks official with a Windows XP logo and says "enter both words below separated by a space". Seems to be the KoobFace; in fact I downloaded the newest version of Malwarebytes I could find to a flash drive, installed it, and it found and removed 9 issues including KoobFace. But upon restart, the Captcha is starting again.

Possible 3rd problem is Google searches are being redirected, often to porn.

Thanks in advance!


Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:54:32 AM, on 3/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.outdoors-411.com/home/cookeville.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127229901376
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hsbc.webex.com/client/wbs25-vzbprod...bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Port Emulator V2 (Star) (PortEmulatorV2) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\VirtualPortEmulator\Software\portemu_umdf.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
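As an added illustration (not part of the thread, and not a Malwarebytes or HijackThis tool): a small Python helper that parses HijackThis entry lines like the ones in the log above and flags the entries a log reviewer normally checks first. The sample lines are copied from the posted log; the triage rules are my own heuristics, not HijackThis's own verdicts.

```python
import re

# Constructed sample: a handful of entry lines copied from the HijackThis log above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.outdoors-411.com/home/cookeville.html
O4 - HKLM\\..\\Run: [igfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [bCMSMMSG] BCMSMMSG.exe
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe" -service (file missing)
"""

# Every HJT entry line starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24), then " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

# An O4 autorun body that names a full path looks like "[Name] C:\..." or '[Name] "C:\...'.
FULL_PATH_RE = re.compile(r"\]\s+\"?[A-Za-z]:\\")


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; header/process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review_entries(entries):
    """Return (section, reason) for entries worth a closer look; one reason per line."""
    findings = []
    for sec, body in entries:
        if sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service points at a binary that is not on disk"))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service has no publisher information"))
        elif sec == "O10":
            findings.append((sec, "Winsock LSP module HJT does not recognise"))
        elif sec == "O4" and not FULL_PATH_RE.search(body):
            findings.append((sec, "autorun entry uses a bare filename instead of a full path"))
        elif sec == "R0" and "Start Page" in body:
            findings.append((sec, "custom start page; confirm it is the user's own choice"))
    return findings


if __name__ == "__main__":
    for sec, reason in review_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}")
```

On the sample above this prints four findings: the R0 start page, the O4 entry with a bare filename, the O10 LSP module, and the O23 service whose binary is missing.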


Sorry to post again, but wanted to update you.

I found the post about RootKit http://forums.malwarebytes.org/index.php?showtopic=12709

I downloaded Version 1.3.5 and tried to install it, but it says "initializing, please wait" and won't seem to launch the program. It seemed to lock the system up, so I rebooted and tried again with the same results.

Thanks again!
