Google Redirect and possible Defogger problem

NLTY · July 31, 2011

Hello MBAM forum. My computer has been infected with a number of viruses, some of which were cleared by MBAM, others with Avira. I still have at least one piece of malware remaining, undetected by MBAM or Avira: a form of the Google Redirect Virus. There are no other problems with my system that I can detect just through normal use.

I began to follow the detailed instructions for virus removal, and ran Defogger. After selecting ‘Disable’, then ‘Yes’, the ‘Finished’ message appeared. I clicked ‘OK’, but was not then asked to reboot the system. I was returned to the “Disable” or “Re-enable” window instead. A “defogger_disable” log file was created on my desktop. The file’s contents are:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 23:48 on 30/07/2011 (Monetary)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Is it safe for me to continue with the DDS and GMER scans? Is the ‘defogger_disable’ file only generated when the Defogger program fails for some reason? Should I just restart the computer manually and then proceed with the other scanning tools?

If it may be of assistance, my most recent MBAM quick scan log file is:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7332

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/30/2011 9:36:30 PM

mbam-log-2011-07-30 (21-36-30).txt

Scan type: Quick scan

Objects scanned: 168496

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The most recent MBAM log file which detected malware is:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7183

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/17/2011 10:53:10 PM

mbam-log-2011-07-17 (22-53-10).txt

Scan type: Quick scan

Objects scanned: 167108

Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Delete on reboot.

c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghawavecazucul (Trojan.Agent) -> Value: Ghawavecazucul -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qheqezudanaw (Trojan.Hiloti) -> Value: Qheqezudanaw -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\AppData\Local\Temp\ms0cfg32.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\application data\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\application data\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\temporary internet files\Content.IE5\ZPN9A375\p6irutuy[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

Thank you, and please let me know how I should proceed regarding my possible/apparent failure of Defogger.

NLTY · August 1, 2011

Hello again. I have been backing up the files from the infected computer to an external harddrive, and while doing so noticed the following two files in my Users/Monetary folder (‘Monetary’ is the name of the only ‘user’ of the computer):

defogger_reenable 0KB (created when I ran Defogger) and

g2mdlhlpx.exe 70KB (created/modified/accessed March 22, 2009).

I do not know anything about the origin of that .exe file, or know how long it has been present at that location.

As stated above, I am not sure if Defogger was successful in disabling CD Emulation drivers (and I am not computer savvy enough to be able to tell myself), but I restarted the computer and performed the DDS and GMER scans. At the end of the GMER scan, the software simply gave a message saying that no modifications to the system were found. If my CD Emulation drivers are disabled, I have not used Defogger to re-enable them.

When I saved the GMER log file, as ark.txt, the result is apparently a 0 byte file. I have included it in a zip file along with the Attach.txt file produced by DDS.

The other things I can think of which may be of help:

An example of a google redirect:

When I recently searched the term “Katatonia”, and clicked on the first hit, I was redirected to an advertisement page with one sentence apparently from the Katatonia Wikipedia article.

The address bar at that point read:

http://

63.209.69.107/search/web/Katatonia/a53/itcg-20932/v5

(I broke that URL into two lines to prevent the forum from turning it into a hyperlink)

The google redirects seem to be the only symptom that I am experiencing.

My most recent MBAM quick scan log is as follows:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7341

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/31/2011 5:27:44 PM

mbam-log-2011-07-31 (17-27-44).txt

Scan type: Quick scan

Objects scanned: 168590

Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And my DDS.txt file reads as follows:

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21

Run by Monetary at 19:18:12 on 2011-07-31

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2776 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe

C:\Windows\system32\taskeng.exe

C:\Windows\RAVCpl64.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\AIM\aim.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\system32\AERTSr64.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\ShrewSoft\VPN Client\dtpd.exe

C:\Program Files\ShrewSoft\VPN Client\iked.exe

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3090121

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US

uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [<NO NAME>]

mRun: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{2991137F-7F4B-4209-83D8-D76E89B28E31} : DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED} : NameServer = 141.106.32.6,141.106.32.7

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO-X64: Browser Address Error Redirector - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [(Default)]

mRun-x64: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Monetary\AppData\Roaming\Mozilla\Firefox\Profiles\zhi8y5vq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: C:\Users\Monetary\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Monetary\AppData\Roaming\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: XULRunner: {B4CADE92-867F-4C2D-AD0E-B19858CD045B} - C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 vflt;Shrew Soft Lightweight Filter;C:\Windows\system32\DRIVERS\vfilter.sys --> C:\Windows\system32\DRIVERS\vfilter.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-7-30 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-7-30 269480]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]

R2 dtpd;ShrewSoft DNS Proxy Daemon;C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service [?]

R2 iked;ShrewSoft IKE Daemon;C:\Program Files\ShrewSoft\VPN Client\iked.exe -service --> C:\Program Files\ShrewSoft\VPN Client\iked.exe -service [?]

R2 ipsecd;ShrewSoft IPSEC Daemon;C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys [2009-2-25 19952]

S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\system32\DRIVERS\virtualnet.sys --> C:\Windows\system32\DRIVERS\virtualnet.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-21 93184]

.

=============== Created Last 30 ================

.

2011-07-30 23:54:28 -------- d-----w- C:\Users\Monetary\AppData\Roaming\Avira

2011-07-30 23:48:47 83120 ----a-w- C:\Windows\System32\drivers\avgntflt.sys

2011-07-30 23:48:47 -------- d-----w- C:\ProgramData\Avira

2011-07-30 23:48:47 -------- d-----w- C:\Program Files (x86)\Avira

2011-07-30 18:43:03 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{08D3C858-4A02-40BE-88A2-E186591E2E3D}\mpengine.dll

2011-07-18 15:36:37 -------- d-----w- C:\Users\Monetary\AppData\Local\Cisco

2011-07-18 03:43:05 0 ----a-w- C:\Users\Monetary\AppData\Local\Jtenig.bin

2011-07-18 03:43:02 -------- d-----w- C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B}

2011-07-16 17:15:06 -------- d-----w- C:\Program Files (x86)\PyMOL

2011-07-16 16:37:53 -------- d-----w- C:\Program Files (x86)\Cisco

2011-07-16 16:34:39 -------- d-----w- C:\ProgramData\Cisco

2011-07-13 01:47:14 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-07-13 01:47:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-07-13 01:47:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-05-25 00:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

.

============= FINISH: 19:18:46.60 ===============

Attached are the attach.txt and ark.txt files from DDS and GMER, together as one .zip file. Note again that the ark.txt file is apparently zero bytes.

Thank you very much in advance for your time in volunteering to help fix infected computers like mine. You MBAM forum members are doing the internet a tremendous service!

ark.zip

D-FRED-BROWN · August 2, 2011

Hello NLTY and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you.

Don't worry about Defogger for now

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure, click on Continue
If a suspicious file is detected, the default action will be Skip, click on Continue
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

TDSSKiller_log.txt

how the PC is running now?
-------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

C:\ComboFix.txt
TDSSKiller log
Security Check checkup.txt

How is your computer running now?

NLTY · August 2, 2011

Hello D-FRED-BROWN and thank you!

In the time since my last post I have been reading similar threads, and performed the following actions:

-Ran ATF Cleaner

-Ran GooredFix

-Ran TDSSkiller

GooredFix appears to have cleared my infection. Here is the GooredFix log:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 22:32 on 01/08/2011 (Monetary)

Firefox version 3.6.18 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{B4CADE92-867F-4C2D-AD0E-B19858CD045B} -> Success!

Deleting C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B} -> Success!

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:31 29/01/2009]

{AB2CE124-6272-4b12-94A9-7303C7397BD1} [03:41 05/03/2011]

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [07:31 03/05/2010]

{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [17:28 28/08/2010]

C:\Users\Monetary\Application Data\Mozilla\Firefox\Profiles\zhi8y5vq.default\extensions\

{20a82645-c095-46ed-80e3-08825760534b} [02:55 01/07/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:00 22/10/2009]

-=E.O.F=-

TDSSkiller did not detect anything harmful.

This is the TDSSkiller log:

2011/08/01 22:37:32.0792 2924 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11

2011/08/01 22:37:33.0354 2924 ================================================================================

2011/08/01 22:37:33.0354 2924 SystemInfo:

2011/08/01 22:37:33.0354 2924

2011/08/01 22:37:33.0354 2924 OS Version: 6.0.6001 ServicePack: 1.0

2011/08/01 22:37:33.0354 2924 Product type: Workstation

2011/08/01 22:37:33.0354 2924 ComputerName: MONETARY-PC

2011/08/01 22:37:33.0354 2924 UserName: Monetary

2011/08/01 22:37:33.0354 2924 Windows directory: C:\Windows

2011/08/01 22:37:33.0354 2924 System windows directory: C:\Windows

2011/08/01 22:37:33.0354 2924 Running under WOW64

2011/08/01 22:37:33.0354 2924 Processor architecture: Intel x64

2011/08/01 22:37:33.0354 2924 Number of processors: 4

2011/08/01 22:37:33.0354 2924 Page size: 0x1000

2011/08/01 22:37:33.0354 2924 Boot type: Normal boot

2011/08/01 22:37:33.0354 2924 ================================================================================

2011/08/01 22:37:34.0227 2924 Initialize success

2011/08/01 22:37:57.0830 3888 ================================================================================

2011/08/01 22:37:57.0830 3888 Scan started

2011/08/01 22:37:57.0830 3888 Mode: Manual;

2011/08/01 22:37:57.0830 3888 ================================================================================

2011/08/01 22:37:58.0595 3888 ACPI (8c99ed256a889d647935a97c543b7b85) C:\Windows\system32\drivers\acpi.sys

2011/08/01 22:37:58.0641 3888 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys

2011/08/01 22:37:58.0673 3888 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys

2011/08/01 22:37:58.0704 3888 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys

2011/08/01 22:37:58.0735 3888 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys

2011/08/01 22:37:58.0844 3888 AFD (9bb97042fa331a0fb4bdd98b9280a50a) C:\Windows\system32\drivers\afd.sys

2011/08/01 22:37:58.0953 3888 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys

2011/08/01 22:37:59.0016 3888 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys

2011/08/01 22:37:59.0047 3888 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys

2011/08/01 22:37:59.0063 3888 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys

2011/08/01 22:37:59.0094 3888 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys

2011/08/01 22:37:59.0172 3888 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys

2011/08/01 22:37:59.0203 3888 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys

2011/08/01 22:37:59.0234 3888 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/08/01 22:37:59.0250 3888 atapi (f988bb0690cd660318037908e9b8dbf7) C:\Windows\system32\drivers\atapi.sys

2011/08/01 22:37:59.0406 3888 atikmdag (c7d2bfbea0099ce29baa32eb93dac434) C:\Windows\system32\DRIVERS\atikmdag.sys

2011/08/01 22:37:59.0546 3888 ATITool (a6fad7a5ada4675ba9c9feaf4e0542ba) C:\Windows\system32\DRIVERS\ATITool64.sys

2011/08/01 22:37:59.0609 3888 avgntflt (39c2e2870fc0c2ae0595b883cbe716b4) C:\Windows\system32\DRIVERS\avgntflt.sys

2011/08/01 22:37:59.0655 3888 avipbb (c98fa6e5ad0e857d22716bd2b8b1f399) C:\Windows\system32\DRIVERS\avipbb.sys

2011/08/01 22:37:59.0718 3888 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys

2011/08/01 22:37:59.0780 3888 bowser (f0f035fcec3554cc1b70c5611bd87951) C:\Windows\system32\DRIVERS\bowser.sys

2011/08/01 22:37:59.0796 3888 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys

2011/08/01 22:37:59.0811 3888 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys

2011/08/01 22:37:59.0858 3888 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys

2011/08/01 22:37:59.0921 3888 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys

2011/08/01 22:37:59.0952 3888 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys

2011/08/01 22:37:59.0967 3888 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys

2011/08/01 22:37:59.0999 3888 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys

2011/08/01 22:38:00.0014 3888 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys

2011/08/01 22:38:00.0045 3888 cdrom (3b2fb35363423ed60c8fbf15fc8680bd) C:\Windows\system32\DRIVERS\cdrom.sys

2011/08/01 22:38:00.0077 3888 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys

2011/08/01 22:38:00.0123 3888 CLFS (c12c4ee07843b595036da0baa6317936) C:\Windows\system32\CLFS.sys

2011/08/01 22:38:00.0186 3888 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys

2011/08/01 22:38:00.0217 3888 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\DRIVERS\compbatt.sys

2011/08/01 22:38:00.0233 3888 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys

2011/08/01 22:38:00.0311 3888 DfsC (3725c43c9e90731eca651d506cc599a3) C:\Windows\system32\Drivers\dfsc.sys

2011/08/01 22:38:00.0357 3888 disk (2dc415fc05fb8a079f896cbbacb19324) C:\Windows\system32\drivers\disk.sys

2011/08/01 22:38:00.0420 3888 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys

2011/08/01 22:38:00.0467 3888 DXGKrnl (412964040ce920ff83aff6b5b551bf99) C:\Windows\System32\drivers\dxgkrnl.sys

2011/08/01 22:38:00.0513 3888 e1express (a458e7d986f51c827640f5d1f1e886e4) C:\Windows\system32\DRIVERS\e1e6032e.sys

2011/08/01 22:38:00.0545 3888 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys

2011/08/01 22:38:00.0576 3888 Ecache (7343d950a34a95dcb7441642e3e6beef) C:\Windows\system32\drivers\ecache.sys

2011/08/01 22:38:00.0623 3888 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys

2011/08/01 22:38:00.0669 3888 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys

2011/08/01 22:38:00.0701 3888 exfat (2a546b9a84658b0554b1ec35cd9adaf5) C:\Windows\system32\drivers\exfat.sys

2011/08/01 22:38:00.0732 3888 fastfat (fe731d345ed9eeabbc72a59b35941834) C:\Windows\system32\drivers\fastfat.sys

2011/08/01 22:38:00.0747 3888 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys

2011/08/01 22:38:00.0779 3888 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys

2011/08/01 22:38:00.0841 3888 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys

2011/08/01 22:38:00.0872 3888 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/08/01 22:38:00.0950 3888 FltMgr (7dacf1a3a4219575070c6dc7c957428a) C:\Windows\system32\drivers\fltmgr.sys

2011/08/01 22:38:01.0028 3888 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys

2011/08/01 22:38:01.0059 3888 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys

2011/08/01 22:38:01.0137 3888 HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys

2011/08/01 22:38:01.0169 3888 HDAudBus (0c0d0f8a3ff09ecc81963d09ec6a0a84) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/08/01 22:38:01.0200 3888 HidBatt (68214c82fa6222591873677a72df2a66) C:\Windows\system32\DRIVERS\HidBatt.sys

2011/08/01 22:38:01.0231 3888 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys

2011/08/01 22:38:01.0278 3888 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys

2011/08/01 22:38:01.0293 3888 HidUsb (128e2da8483fdd4dd0c7b3f9abd6f323) C:\Windows\system32\DRIVERS\hidusb.sys

2011/08/01 22:38:01.0325 3888 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys

2011/08/01 22:38:01.0403 3888 HTTP (e690736da6c543f5d99c8fa27bea31db) C:\Windows\system32\drivers\HTTP.sys

2011/08/01 22:38:01.0434 3888 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys

2011/08/01 22:38:01.0465 3888 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/08/01 22:38:01.0496 3888 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys

2011/08/01 22:38:01.0699 3888 igfx (50f15f9aee2e7692dfe58917e2d40498) C:\Windows\system32\DRIVERS\igdkmd64.sys

2011/08/01 22:38:01.0886 3888 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys

2011/08/01 22:38:01.0995 3888 IntcAzAudAddService (b3fb479a7c0626499eb5989bc087cf8d) C:\Windows\system32\drivers\RTKVHD64.sys

2011/08/01 22:38:02.0105 3888 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys

2011/08/01 22:38:02.0151 3888 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys

2011/08/01 22:38:02.0229 3888 IpFilterDriver (99b821f5bebd6a3cc3fe564f802ae0fd) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/08/01 22:38:02.0276 3888 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys

2011/08/01 22:38:02.0307 3888 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys

2011/08/01 22:38:02.0354 3888 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys

2011/08/01 22:38:02.0370 3888 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys

2011/08/01 22:38:02.0417 3888 iScsiPrt (49e4ccbf74783fce5d2cc1ff6480e1f4) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/08/01 22:38:02.0432 3888 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys

2011/08/01 22:38:02.0463 3888 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys

2011/08/01 22:38:02.0495 3888 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/08/01 22:38:02.0510 3888 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/08/01 22:38:02.0588 3888 KSecDD (ccdcce6224e1e207e953af826b98a9d9) C:\Windows\system32\Drivers\ksecdd.sys

2011/08/01 22:38:02.0619 3888 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys

2011/08/01 22:38:02.0666 3888 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys

2011/08/01 22:38:02.0697 3888 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys

2011/08/01 22:38:02.0729 3888 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys

2011/08/01 22:38:02.0760 3888 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys

2011/08/01 22:38:02.0791 3888 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys

2011/08/01 22:38:02.0822 3888 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys

2011/08/01 22:38:02.0869 3888 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys

2011/08/01 22:38:02.0916 3888 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys

2011/08/01 22:38:02.0978 3888 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys

2011/08/01 22:38:03.0009 3888 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys

2011/08/01 22:38:03.0025 3888 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys

2011/08/01 22:38:03.0056 3888 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys

2011/08/01 22:38:03.0103 3888 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys

2011/08/01 22:38:03.0119 3888 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys

2011/08/01 22:38:03.0165 3888 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys

2011/08/01 22:38:03.0181 3888 MRxDAV (fe2706c15f8345c342820e4e4583fea0) C:\Windows\system32\drivers\mrxdav.sys

2011/08/01 22:38:03.0243 3888 mrxsmb (b698eb9acc7ecd4927d99d268918f912) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/08/01 22:38:03.0306 3888 mrxsmb10 (c3c8ad9591db473690a743b69de829f4) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/08/01 22:38:03.0337 3888 mrxsmb20 (f9425d610712533107a264e2d5b2154b) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/08/01 22:38:03.0368 3888 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys

2011/08/01 22:38:03.0399 3888 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys

2011/08/01 22:38:03.0446 3888 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys

2011/08/01 22:38:03.0477 3888 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys

2011/08/01 22:38:03.0509 3888 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys

2011/08/01 22:38:03.0524 3888 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/08/01 22:38:03.0540 3888 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys

2011/08/01 22:38:03.0571 3888 MsRPC (b8e32e6103fbba9fbb1d0c11ff0d13b5) C:\Windows\system32\drivers\MsRPC.sys

2011/08/01 22:38:03.0618 3888 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/08/01 22:38:03.0633 3888 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys

2011/08/01 22:38:03.0649 3888 Mup (ddf133501f68d6988a0f55dfa88637b4) C:\Windows\system32\Drivers\mup.sys

2011/08/01 22:38:03.0711 3888 NativeWifiP (73b99c98fa3a2ed1566e02d6fe1913a5) C:\Windows\system32\DRIVERS\nwifi.sys

2011/08/01 22:38:03.0758 3888 NDIS (f9a3ae5c9f047d71a36a99f9abca7d02) C:\Windows\system32\drivers\ndis.sys

2011/08/01 22:38:03.0789 3888 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/08/01 22:38:03.0821 3888 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/08/01 22:38:03.0852 3888 NdisWan (52e3e8e35101399be9b2938c992aa087) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/08/01 22:38:03.0867 3888 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys

2011/08/01 22:38:03.0883 3888 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys

2011/08/01 22:38:03.0914 3888 netbt (7a29ca243a629230799754162d80120f) C:\Windows\system32\DRIVERS\netbt.sys

2011/08/01 22:38:03.0977 3888 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys

2011/08/01 22:38:04.0039 3888 Npfs (b06154e2a2c91e9be5599fca53bc4cd0) C:\Windows\system32\drivers\Npfs.sys

2011/08/01 22:38:04.0101 3888 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys

2011/08/01 22:38:04.0148 3888 Ntfs (fe86ba5ac3b50e2ca911e9c60c07b638) C:\Windows\system32\drivers\Ntfs.sys

2011/08/01 22:38:04.0211 3888 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys

2011/08/01 22:38:04.0226 3888 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys

2011/08/01 22:38:04.0257 3888 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys

2011/08/01 22:38:04.0289 3888 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys

2011/08/01 22:38:04.0351 3888 ohci1394 (7b58953e2f263421fdbb09a192712a85) C:\Windows\system32\drivers\ohci1394.sys

2011/08/01 22:38:04.0398 3888 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys

2011/08/01 22:38:04.0413 3888 partmgr (5ab40c36894f4c06bdab0c9a2fba282d) C:\Windows\system32\drivers\partmgr.sys

2011/08/01 22:38:04.0460 3888 pci (2a5b2a51559066ea84742909b5b2cd69) C:\Windows\system32\drivers\pci.sys

2011/08/01 22:38:04.0476 3888 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys

2011/08/01 22:38:04.0491 3888 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys

2011/08/01 22:38:04.0523 3888 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys

2011/08/01 22:38:04.0632 3888 PptpMiniport (f5739f2c6db2534c384ad5150808e8f5) C:\Windows\system32\DRIVERS\raspptp.sys

2011/08/01 22:38:04.0663 3888 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys

2011/08/01 22:38:04.0725 3888 PSched (0e0e205a296095fe4c631e6a4775ad6c) C:\Windows\system32\DRIVERS\pacer.sys

2011/08/01 22:38:04.0741 3888 PxHlpa64 (46851bc18322da70f3f2299a1007c479) C:\Windows\system32\Drivers\PxHlpa64.sys

2011/08/01 22:38:04.0788 3888 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys

2011/08/01 22:38:04.0850 3888 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys

2011/08/01 22:38:04.0881 3888 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys

2011/08/01 22:38:05.0084 3888 R300 (c7d2bfbea0099ce29baa32eb93dac434) C:\Windows\system32\DRIVERS\atikmdag.sys

2011/08/01 22:38:05.0162 3888 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys

2011/08/01 22:38:05.0225 3888 Rasl2tp (3b9085f91ef00abd15a6f36570e90e12) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/08/01 22:38:05.0256 3888 RasPppoe (2ce1703c27196094fb6e4c6e439f2c21) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/08/01 22:38:05.0271 3888 RasSstp (fcd04fa67e8b40fa0ad361dd38593942) C:\Windows\system32\DRIVERS\rassstp.sys

2011/08/01 22:38:05.0303 3888 rdbss (33fa5b6136d92ee0f53f021c79091300) C:\Windows\system32\DRIVERS\rdbss.sys

2011/08/01 22:38:05.0318 3888 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/08/01 22:38:05.0365 3888 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys

2011/08/01 22:38:05.0396 3888 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys

2011/08/01 22:38:05.0427 3888 RDPWD (7747082f672aa2846235c9cea42e2e72) C:\Windows\system32\drivers\RDPWD.sys

2011/08/01 22:38:05.0552 3888 RivaTuner64 (a10b40cf9eb57d24e44717a2d38a00f4) C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys

2011/08/01 22:38:05.0583 3888 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys

2011/08/01 22:38:05.0615 3888 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys

2011/08/01 22:38:05.0661 3888 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

2011/08/01 22:38:05.0693 3888 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys

2011/08/01 22:38:05.0724 3888 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys

2011/08/01 22:38:05.0755 3888 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys

2011/08/01 22:38:05.0802 3888 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys

2011/08/01 22:38:05.0817 3888 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys

2011/08/01 22:38:05.0849 3888 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys

2011/08/01 22:38:05.0864 3888 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys

2011/08/01 22:38:05.0895 3888 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys

2011/08/01 22:38:05.0927 3888 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys

2011/08/01 22:38:05.0958 3888 Smb (41eb2e8e005feedcafce301983eff932) C:\Windows\system32\DRIVERS\smb.sys

2011/08/01 22:38:06.0020 3888 spldr (f9cb0672162f7f04248e2b82c1ff4617) C:\Windows\system32\drivers\spldr.sys

2011/08/01 22:38:06.0098 3888 srv (a8abd7d0d907b45cf3831f4dd8644349) C:\Windows\system32\DRIVERS\srv.sys

2011/08/01 22:38:06.0161 3888 srv2 (6c72eea39e1c37b436a6d1532999f9ec) C:\Windows\system32\DRIVERS\srv2.sys

2011/08/01 22:38:06.0239 3888 srvnet (7f69bcf9e6fa3d93c82ee6b87812666d) C:\Windows\system32\DRIVERS\srvnet.sys

2011/08/01 22:38:06.0301 3888 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys

2011/08/01 22:38:06.0332 3888 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys

2011/08/01 22:38:06.0363 3888 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys

2011/08/01 22:38:06.0379 3888 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys

2011/08/01 22:38:06.0457 3888 Tcpip (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\drivers\tcpip.sys

2011/08/01 22:38:06.0535 3888 Tcpip6 (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\DRIVERS\tcpip.sys

2011/08/01 22:38:06.0566 3888 tcpipreg (c29d4b3b08ad0b7e8564814e4ff6a57b) C:\Windows\system32\drivers\tcpipreg.sys

2011/08/01 22:38:06.0597 3888 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys

2011/08/01 22:38:06.0613 3888 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys

2011/08/01 22:38:06.0644 3888 tdx (8c39c72e0e853de04748c0337d9b9216) C:\Windows\system32\DRIVERS\tdx.sys

2011/08/01 22:38:06.0660 3888 TermDD (3f0ebf6ee609f2a276c0d5faf244ec90) C:\Windows\system32\DRIVERS\termdd.sys

2011/08/01 22:38:06.0707 3888 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/08/01 22:38:06.0738 3888 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys

2011/08/01 22:38:06.0769 3888 tunnel (2dc2c423572946e9a3131425bda73cb6) C:\Windows\system32\DRIVERS\tunnel.sys

2011/08/01 22:38:06.0800 3888 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys

2011/08/01 22:38:06.0831 3888 udfs (eca6629e33f122afff18a2ab7c3eb033) C:\Windows\system32\DRIVERS\udfs.sys

2011/08/01 22:38:06.0878 3888 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys

2011/08/01 22:38:06.0925 3888 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys

2011/08/01 22:38:06.0987 3888 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys

2011/08/01 22:38:07.0050 3888 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys

2011/08/01 22:38:07.0081 3888 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys

2011/08/01 22:38:07.0128 3888 usbccgp (89842ce16285b73405284224cc386dcf) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/08/01 22:38:07.0159 3888 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys

2011/08/01 22:38:07.0190 3888 usbehci (07b738a1f57e4ec870406e74da5754af) C:\Windows\system32\DRIVERS\usbehci.sys

2011/08/01 22:38:07.0221 3888 usbhub (b668e8e0ef2910f28baf550b04de57f2) C:\Windows\system32\DRIVERS\usbhub.sys

2011/08/01 22:38:07.0253 3888 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys

2011/08/01 22:38:07.0284 3888 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys

2011/08/01 22:38:07.0331 3888 USBSTOR (586d9876a4945779c8eea926c0d16889) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/08/01 22:38:07.0346 3888 usbuhci (e76f2b26a5917f555844c128954bb52b) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/08/01 22:38:07.0440 3888 vflt (8308cfbb52eaeaacec74b52e5def5594) C:\Windows\system32\DRIVERS\vfilter.sys

2011/08/01 22:38:07.0471 3888 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/08/01 22:38:07.0487 3888 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys

2011/08/01 22:38:07.0502 3888 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys

2011/08/01 22:38:07.0565 3888 vnet (86346fca6a587d0243c7121f179a125d) C:\Windows\system32\DRIVERS\virtualnet.sys

2011/08/01 22:38:07.0580 3888 volmgr (793d9b32a1c462c91f6f70358283ac97) C:\Windows\system32\drivers\volmgr.sys

2011/08/01 22:38:07.0611 3888 volmgrx (5aa217da5dc4ff5b9ac9ab86563b3223) C:\Windows\system32\drivers\volmgrx.sys

2011/08/01 22:38:07.0658 3888 volsnap (de4307412d98050239026e56a7dff3c0) C:\Windows\system32\drivers\volsnap.sys

2011/08/01 22:38:07.0736 3888 vpnva (0e4df91e83da5739ffb18535d4db10aa) C:\Windows\system32\DRIVERS\vpnva64.sys

2011/08/01 22:38:07.0767 3888 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys

2011/08/01 22:38:07.0814 3888 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys

2011/08/01 22:38:07.0845 3888 Wanarp (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/01 22:38:07.0861 3888 Wanarpv6 (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/01 22:38:07.0892 3888 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys

2011/08/01 22:38:07.0939 3888 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys

2011/08/01 22:38:08.0064 3888 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys

2011/08/01 22:38:08.0142 3888 WpdUsb (6329d1990db931073b86ab5946d8e317) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/08/01 22:38:08.0173 3888 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys

2011/08/01 22:38:08.0220 3888 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/08/01 22:38:08.0282 3888 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0

2011/08/01 22:38:08.0298 3888 Boot (0x1200) (3dfba14af92e5ffb4121740b84c67e09) \Device\Harddisk0\DR0\Partition0

2011/08/01 22:38:08.0313 3888 Boot (0x1200) (408f2120bb737ed1c985c1c2430cc02d) \Device\Harddisk0\DR0\Partition1

2011/08/01 22:38:08.0313 3888 ================================================================================

2011/08/01 22:38:08.0313 3888 Scan finished

2011/08/01 22:38:08.0313 3888 ================================================================================

2011/08/01 22:38:08.0329 3856 Detected object count: 0

2011/08/01 22:38:08.0329 3856 Actual detected object count: 0

When I first noticed my computer was infected, I replaced my normal antivirus program with Avira, and the first Avira scan found:

[DETECTION] Is the TR/Kazy.19685.2 Trojan

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA.1 Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA.2 Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.D Java virus

[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.C.2 exploit

I was a little hesitant to run ComboFix ‘on my own’, and so have not done that yet. GooredFix appears to have solved my problem- the Google redirects are gone. Now the remaining concerns I have are (1) are there any other infections possibly remaining and (2) did any of my infections compromise the long-term security of my computer (backdoor)? The ‘Spy Banker’ program found by Avira concerns me a bit. My financial passwords have already been changed from a known clean computer so I am OK in that respect.

I have to leave for work now, but will run ComboFix and Security Check (as well as post fresh MBAM and DDS logs) later tonight unless you step in to give me the all clear beforehand.

Thank you again!

D-FRED-BROWN · August 2, 2011

I have to leave for work now, but will run ComboFix and Security Check (as well as post fresh MBAM and DDS logs) later tonight unless you step in to give me the all clear beforehand.

Sounds good

Thank you again!

No problem!

NLTY · August 3, 2011

Hey D-FRED-BROWN,

I have, since the last post:

-Disconnected from internet and disabled all antivirus/firewall software

-Run Combofix

-Run Security Check

-Run DDS

-Reactivated antivirus/firewall and reconnected to internet

-Updated MBAM and ran a quick scan

Among whatever else it may have done, Combofix deleted the suspicious g2mdlhlpx.exe file within C:Users/Monetary/

I do not know enough about these logs to be able to tell if that file has done any re-spawning of any of the previously identified and removed threats. But, hopefully this adventure is coming to a close.

My computer is behaving properly, as far as I can tell. The only symptom I had, the google redirects, have been gone since I ran GooredFix. These are the logs from the most recent scans. Note that my TDSSkiller log and GooredFix log are in my most recent post before this one.

Combofix:

ComboFix 11-08-02.03 - Monetary 08/02/2011 22:35:51.1.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2967 [GMT -5:00]

Running from: c:\users\Monetary\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Monetary\g2mdlhlpx.exe

.

((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))

.

2011-08-03 03:40 . 2011-08-03 03:41 -------- d-----w- c:\users\Monetary\AppData\Local\temp

2011-08-03 03:40 . 2011-08-03 03:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-03 00:52 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{29DDDDE0-9978-4F68-9419-06361208D5B3}\mpengine.dll

2011-08-02 04:21 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

2011-08-02 04:21 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-08-02 03:52 . 2011-08-02 03:52 -------- d-----w- c:\users\Monetary\AppData\Local\AOL

2011-08-02 03:52 . 2011-08-02 03:52 -------- d-----w- c:\users\Monetary\AppData\Local\AIM

2011-07-30 23:54 . 2011-07-30 23:54 -------- d-----w- c:\users\Monetary\AppData\Roaming\Avira

2011-07-30 23:48 . 2011-08-02 03:43 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-30 23:48 . 2011-08-02 03:43 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-07-30 23:48 . 2011-07-30 23:48 -------- d-----w- c:\programdata\Avira

2011-07-30 23:48 . 2011-07-30 23:48 -------- d-----w- c:\program files (x86)\Avira

2011-07-18 15:36 . 2011-07-18 15:36 -------- d-----w- c:\users\Monetary\AppData\Local\Cisco

2011-07-18 03:43 . 2011-07-18 03:43 0 ----a-w- c:\users\Monetary\AppData\Local\Jtenig.bin

2011-07-16 17:15 . 2011-07-16 17:15 -------- d-----w- c:\program files (x86)\PyMOL

2011-07-16 16:37 . 2011-07-16 16:37 -------- d-----w- c:\program files (x86)\Cisco

2011-07-16 16:34 . 2011-07-16 16:34 -------- d-----w- c:\programdata\Cisco

2011-07-13 01:47 . 2011-06-02 13:22 2762240 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 01:47 . 2011-04-20 15:16 450048 ----a-w- c:\windows\system32\winsrv.dll

2011-07-13 01:47 . 2011-04-20 15:11 85504 ----a-w- c:\windows\system32\csrsrv.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2009-05-28 01:30 25912 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-07 00:52 . 2009-01-29 05:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-05-25 00:14 . 2009-10-21 02:28 270720 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"Aim"="c:\program files (x86)\AIM\aim.exe" [2009-10-05 3634024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-09-05 417792]

"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24\RivaTuner64.sys [2009-03-17 19952]

R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]

S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]

S2 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe [2008-11-11 50688]

S2 iked;ShrewSoft IKE Daemon;c:\program files\ShrewSoft\VPN Client\iked.exe [2008-11-11 944640]

S2 ipsecd;ShrewSoft IPSEC Daemon;c:\program files\ShrewSoft\VPN Client\ipsecd.exe [2008-11-11 690688]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

.

--------- x86-64 -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6453760]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-05 137240]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-05 202264]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-05 165400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED}: NameServer = 141.106.32.6,141.106.32.7

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Monetary\AppData\Roaming\Mozilla\Firefox\Profiles\zhi8y5vq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Monetary\AppData\Roaming\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe

HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe

HKLM-Run-Skytel - Skytel.exe

AddRemove-Final Fantasy VII - c:\program files (x86)\Square Soft

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]

@Denied: (A 2) (Everyone)

@="IFlashBroker2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe

.

**************************************************************************

.

Completion time: 2011-08-02 22:46:30 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-03 03:46

.

Pre-Run: 270,810,308,608 bytes free

Post-Run: 270,666,555,392 bytes free

.

- - End Of File - - B71D3D86BF36BB71DDC9F1ACC0F1D4AE

Security Check (Note that this was done while all of my security software was temporarily disabled)

Results of screen317's Security Check version 0.99.18

Windows Vista (UAC is disabled!)

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 7

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.1.82.76

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSASCui.exe

Avira Antivir avguard.exe

Windows Defender MSASCui.exe

``````````End of Log````````````

A fresh DDS log:

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_21

Run by Monetary at 22:55:30 on 2011-08-02

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2825 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RAVCpl64.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\AIM\aim.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\AERTSr64.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\ShrewSoft\VPN Client\dtpd.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\ShrewSoft\VPN Client\iked.exe

C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe