[Resolved] Redirected Searches, Delays in typing, System Slowed

[adammedonca]

I am confused on how to show the hidden files. I have Vista. Is it different?

[adammedonca]

oh. i think i got it.

jotti:  Scan finished. 1 out of 20 scanners reported malware.

virus total: 12/ 43 (27.9%)

tdsskiller would not open. I double click on it. Nothing happens.

[adammedonca]

firefox and internet explorer are still redirecting google searches

[Bear]

Hi Adam

Did you try right clicking and open as administrator?
The file you checked is malware.  We can delete it with CF.  I will send you a script.

[Bear]

Hi Adam

1.  Disable all Anti-virus, Anti-spyware programs as instructed earlier.  Do not forget to re-enable them before you reply to this post.

2.  I'd like you to run ComboFix again with some changes.  Open Notepad, click on Format and be sure Word Wrap is NOT checked.  Then copy the text in the code box below and paste it into the Notepad window.  Now name this file CFScript.txt and save it to your Desktop.

Code: [Select]


KILLALL::

ClearJavaCache::

RegLock::

File::

Folder::
c:\programdata\WSTB

Registry::

Driver::

Firefox::

dirlook::

FCopy::

DDS::


2. Close all open browsers.



3. Referring to the picture above, drag CFScript.txt onto the ComboFix.exe icon.  ComboFix will run and produce a report.  This report will be saved at C:\ComboFix.txt.
Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.  Reboot your computer.

Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted.  

Now please post the following to me as a reply to this post:
ComboFix.txt
Let me know how your computer and both browsers are operating
If you have any other questions or problems, let me know that as well

[Bear]

Adam

You have a very clever rootkit on your laptop.  It is smart enough to try to prevent tools that can detect it from running.  But we have a lot of things to try.

[adammedonca]

ComboFix 11-12-25.03 - Adam 12/26/2011   1:29.5.1 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2813.1718 [GMT -6:00]
Running from: c:\users\Adam\Desktop\ComboFix2.exe
Command switches used :: c:\users\Adam\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\WSTB
c:\programdata\WSTB\verosupd.exe
c:\users\Adam\AppData\Local\lfu.exe
c:\users\Adam\AppData\Local\uxw.exe
c:\windows\$NtUninstallKB18598$\1299510679
c:\windows\$NtUninstallKB18598$\4090149740\@
c:\windows\$NtUninstallKB18598$\4090149740\bckfg.tmp
c:\windows\$NtUninstallKB18598$\4090149740\cfg.ini
c:\windows\$NtUninstallKB18598$\4090149740\Desktop.ini
c:\windows\$NtUninstallKB18598$\4090149740\keywords
c:\windows\$NtUninstallKB18598$\4090149740\kwrd.dll
c:\windows\$NtUninstallKB18598$\4090149740\L\ogejidap
c:\windows\$NtUninstallKB18598$\4090149740\lsflt7.ver
c:\windows\$NtUninstallKB18598$\4090149740\U\00000001.@
c:\windows\$NtUninstallKB18598$\4090149740\U\00000002.@
c:\windows\$NtUninstallKB18598$\4090149740\U\00000004.@
c:\windows\$NtUninstallKB18598$\4090149740\U\80000000.@
c:\windows\$NtUninstallKB18598$\4090149740\U\80000004.@
c:\windows\$NtUninstallKB18598$\4090149740\U\80000032.@
c:\windows\$NtUninstallKB18598$ . . . . Failed to delete
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-26 to 2011-12-26  )))))))))))))))))))))))))))))))
.
.
2011-12-26 08:28 . 2011-12-26 08:35   --------   d-----w-   c:\users\Adam\AppData\Local\temp
2011-12-26 08:28 . 2011-12-26 08:28   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-12-24 08:54 . 2011-12-25 00:21   --------   d-----w-   C:\ComboFix
2011-12-24 06:21 . 2011-12-24 06:22   --------   d-----w-   c:\users\Adam\AppData\Roaming\Qeen
2011-12-24 06:21 . 2011-12-24 06:21   --------   d-----w-   c:\users\Adam\AppData\Roaming\Bux
2011-12-24 02:46 . 2011-11-21 10:47   6823496   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{38694C1F-7DA6-442D-B4BD-0CE03300DB04}\mpengine.dll
2011-12-24 02:32 . 2011-12-24 02:32   --------   d-----w-   C:\_OTL
2011-12-22 05:35 . 2011-12-22 05:35   --------   d-----w-   c:\program files\ESET
2011-12-18 08:59 . 2011-12-19 07:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-12-18 08:44 . 2011-12-19 05:31   --------   d-----w-   c:\users\Adam\Tracing
2011-12-04 00:53 . 2011-12-04 00:53   --------   d-----w-   c:\program files\Microsoft Silverlight
2011-12-04 00:41 . 2011-12-04 00:41   --------   d-----w-   c:\programdata\ATI
2011-12-04 00:05 . 2011-12-04 00:36   --------   d-----w-   c:\program files\ATI Technologies
2011-12-04 00:01 . 2010-02-11 03:20   212992   ----a-w-   c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2011-12-04 00:01 . 2011-12-04 00:01   --------   d-----w-   C:\ATI
2011-11-27 01:32 . 2011-11-27 01:32   --------   d-----w-   c:\users\Adam\AppData\Local\doubleTwist Corporation
2011-11-27 01:32 . 2011-11-27 01:32   --------   d-----w-   c:\program files\Common Files\doubleTwist
2011-11-27 01:32 . 2008-12-18 01:22   57344   ----a-w-   c:\windows\system32\ff_vfw.dll
2011-11-27 01:32 . 2008-12-11 19:26   60273   ----a-w-   c:\windows\system32\pthreadGC2.dll
2011-11-27 01:32 . 2011-11-27 01:32   --------   d-----w-   c:\program files\ffdshow
2011-11-27 01:29 . 2011-11-27 01:32   --------   d-----w-   c:\program files\doubleTwist 2.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 01:15 . 2011-06-15 14:00   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-15 20:29 . 2009-10-05 15:13   222080   ------w-   c:\windows\system32\MpSigStub.exe
2011-09-30 23:06 . 2011-10-13 22:46   916480   ----a-w-   c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-13 22:46   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-13 22:46   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-13 22:46   71680   ----a-w-   c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-13 22:46   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-13 22:46   385024   ----a-w-   c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-13 22:46   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-13 22:46   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2011-11-25 00:02 . 2011-11-05 23:14   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-12-24_09.35.36   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2011-12-26 07:23   66952              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2011-12-26 08:35   86142              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-02 20:26 . 2011-12-26 08:35   20002              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1000265405-3506121479-2019536667-1000_UserData.bin
+ 2011-12-21 03:14 . 2011-12-26 04:21   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2011-12-21 03:14 . 2011-12-21 07:25   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-12-26 05:15 . 2011-12-26 05:15   14802              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RL5DWEGA\domainpark[1].com
+ 2011-12-26 05:12 . 2011-12-26 05:12   15320              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GQ0WJKXD\domainpark[1].com
+ 2011-12-26 05:15 . 2011-12-26 05:15   16282              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BL5HTZRR\domainpark[2].com
+ 2011-12-26 05:14 . 2011-12-26 05:14   15764              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BL5HTZRR\domainpark[1].com
+ 2011-12-21 03:14 . 2011-12-26 04:35   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2011-12-21 03:14 . 2011-12-21 07:25   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-01-07 22:04 . 2011-12-26 08:33   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-07 22:04 . 2011-12-24 08:47   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-07 22:04 . 2011-12-26 08:33   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-07 22:04 . 2011-12-24 08:47   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-07 22:04 . 2011-12-24 08:47   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-07 22:04 . 2011-12-26 08:33   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-30 13:56 . 2011-12-26 03:34   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-30 13:56 . 2011-12-24 02:34   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-30 13:56 . 2011-12-26 03:34   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-30 13:56 . 2011-12-24 02:34   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-31 05:09 . 2011-12-26 07:16   2708              c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2011-12-26 08:33 . 2011-12-26 08:33   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-24 08:46 . 2011-12-24 08:46   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-26 08:33 . 2011-12-26 08:33   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-24 08:46 . 2011-12-24 08:46   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-26 08:33 . 2009-10-07 06:47   109080              c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2009-07-02 20:08 . 2011-12-24 23:45   288428              c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2011-12-26 08:41   607406              c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2011-12-26 08:41   109616              c:\windows\System32\perfc009.dat
- 2009-07-02 22:42 . 2011-12-21 07:25   262144              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-02 22:42 . 2011-12-26 04:35   262144              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-02 20:28 . 2011-12-26 08:34   196608              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-02 20:28 . 2011-12-26 08:34   622592              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-26 01:11 . 2011-12-26 01:11   159853              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
- 2011-11-27 01:34 . 2011-12-21 07:36   493344              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-11-27 01:34 . 2011-12-25 02:49   493344              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-02-12 06:35 . 2011-12-26 08:32   337404              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-12 06:35 . 2011-12-24 08:45   337404              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-02 20:28 . 2011-12-26 08:34   1933312              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:28 . 2011-12-24 08:29   1933312              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-07 06:59 . 2011-12-26 02:33   1686684              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1000265405-3506121479-2019536667-1000-12288.dat
- 2011-07-07 06:59 . 2011-12-24 08:45   1686684              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1000265405-3506121479-2019536667-1000-12288.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-03-18 13:11   2471240   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"MusicManager"="c:\users\Adam\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2011-11-12 13222400]
"{B1C7904F-E9CF-2B27-6D36-253D706D39C3}"="c:\users\Adam\AppData\Roaming\Bux\ulfusa.exe" [2010-04-25 188928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6711840]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-02-06 686624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-09 1418536]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-01-17 862728]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59   937920   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2011-03-14 19:12   2071904   ----a-w-   c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-03-22 01:30   1191936   ----a-w-   c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-08 03:28   136176   ----atw-   c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 06:24   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36   2793304   ----a-w-   c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 19:19   69632   ----a-w-   c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-05-27 02:50   15147400   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 06:14   155648   ----a-r-   c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 05:32   61440   ----a-w-   c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Adam\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS

R1 SASKUTIL;SASKUTIL;c:\users\Adam\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 136176]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2011-03-18 947528]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 136176]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2011-05-05 243152]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-02-06 653856]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2011-07-27 6656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2011-08-10 94880]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 23:13]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 23:13]
.
2011-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1000265405-3506121479-2019536667-1000Core.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-08 03:28]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1000265405-3506121479-2019536667-1000UA.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-08 03:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=2&o=vb32&d=0509&m=e625
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\jjlrltwk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-26 02:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Launch Manager\LManager.exe
.
**************************************************************************
.
Completion time: 2011-12-26  03:07:48 - machine was rebooted
ComboFix-quarantined-files.txt  2011-12-26 09:06
ComboFix2.txt  2011-12-26 00:41
ComboFix3.txt  2011-12-25 01:29
ComboFix4.txt  2011-12-24 09:52
.
Pre-Run: 113,126,338,560 bytes free
Post-Run: 112,960,765,952 bytes free
.
- - End Of File - - AE2E46B3038E7AED6E34DC32EC8C4543

[Bear]

Hi Adam
I still need to know if you tried right clicking on Run as Administrator when you attempted to run aswMBR and TDSSKiller.

[adammedonca]

I do. tdsskiller does not open. I downloaded aswMBR again. now it opens but it says scan error.

[adammedonca]

actually, i take that back. after the last run of combofix, aswMBR does not open anymore

[Bear]

Hi Adam

I still don't believe we have eliminated the rootkit, so we need to keep going.

Once again disable all AV programs.

Please download RogueKiller and save it to your desktop.  Now quit all running programs.  Double click RogueKiller.exe to run it.  For Vista/Seven, right click and select run as administrator, for XP simply run RogueKiller.exe.   When prompted, type 1 and hit Enter.
A RKreport.txt should appear on your desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .

Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted. 

Now please post the following to me as a reply to this post:
RKreport.txt
Let me know how your computer and both browsers are operating
If you have any other questions or problems, let me know that as well

[adammedonca]

The link to rogue killer that you provided didnt seem to work. i downloaded it from here:
http://www.sur-la-toile.com/RogueKiller/



RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Adam [Admin rights]
Mode: Scan -- Date : 12/27/2011 02:28:33

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Users\Adam\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> FOUND
[SUSP PATH] HKCU\[...]\Run : {B1C7904F-E9CF-2B27-6D36-253D706D39C3} (C:\Users\Adam\AppData\Roaming\Bux\ulfusa.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1000265405-3506121479-2019536667-1000[...]\Run : MusicManager ("C:\Users\Adam\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1000265405-3506121479-2019536667-1000[...]\Run : {B1C7904F-E9CF-2B27-6D36-253D706D39C3} (C:\Users\Adam\AppData\Roaming\Bux\ulfusa.exe) -> FOUND
[SUSP PATH] winupd.job : C:\Users\Adam\AppData\Local\Temp:winupd.exe -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] bb39d09c5749cfcf92d0e4f8d918d4e3
[BSP] 52c10e7468e16fcf5d9d5ad503cae518 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 13966 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 27279360 | Size: 236091 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] abf6d7ba569e08804378ba9d42653344
[BSP] 52c10e7468e16fcf5d9d5ad503cae518 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 13966 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 27279360 | Size: 236091 Mo
2 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 488394752 | Size: 1 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt

[adammedonca]

and the redirected searches are still occurring

[Bear]

Hi Adam

We need to run RogueKiller again.

1.  Once again disable all AV programs.

2.  Double click RogueKiller.exe to run it.  For Vista/Seven, right click and select run as administrator, for XP simply run RogueKiller.exe.   When prompted, type 2 and hit Enter.

3.  If the program notifies you about a proxy, Press on 1 to delete it.

A RKreport.txt should appear on your desktop.

4.  Now try running TDSSKiller again.   Right click on TDSSKiller.exe and run the application as Administrator. Now click Start Scan.

3.  Click on Change parameters and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click .

4.  If an infected file is detected, the default action will be Cure, click on Continue.  If a suspicious file is detected, the default action will be Skip, click on Continue.

Click on Reboot Now if you are asked to reboot the computer.

5.  If reboot is NOT required, click on Report.   Please copy that file.  If a reboot IS required, the report can also be found in your root directory (usually C:\ folder).   It's file name will take the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt]". Please copy that file.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .

Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted. 

Now please post the following to me as a reply to this post:
RKreport.txt
TDSSKiller log
Let me know how your computer and both browsers are operating
If you have any other questions or problems, let me know that as well

[adammedonca]

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Adam [Admin rights]
Mode: Remove -- Date : 12/27/2011 17:58:07

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] MusicManager.exe -- C:\Users\Adam\AppData\Local\Programs\Google\MusicManager\MusicManager.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Users\Adam\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> DELETED
[SUSP PATH] HKCU\[...]\Run : {B1C7904F-E9CF-2B27-6D36-253D706D39C3} (C:\Users\Adam\AppData\Roaming\Bux\ulfusa.exe) -> DELETED
[SUSP PATH] winupd.job : C:\Users\Adam\AppData\Local\Temp:winupd.exe -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] bb39d09c5749cfcf92d0e4f8d918d4e3
[BSP] 52c10e7468e16fcf5d9d5ad503cae518 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 13966 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 27279360 | Size: 236091 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] abf6d7ba569e08804378ba9d42653344
[BSP] 52c10e7468e16fcf5d9d5ad503cae518 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 13966 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 27279360 | Size: 236091 Mo
2 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 488394752 | Size: 1 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt