Malwarebytes

Browser Redirects/MBAM Won't Open
kwlafayette
post Jan 28 2010, 06:40 PM
Post #1

Hello everyone.

First of all I want to thank you all for providing such a wonderful service to the users of this forum. It seems to be a great help that has provided many people solutions to troubling problems.

My issue: I am using an office computer at work that appears to have been infected since the day I began here. The most common problems I encounter are browser hijacks/redirects which send me to fake spyware removal websites. These sites often automatically install "spyware removal programs" such as Internet Security 2010 and so on. It makes working on this office computer very difficult.

I am unable to open either MBAM or HijackThis as they close seconds after opening. The anti-virus program that was installed on this computer - AVG - will not update, and visiting online scanners such as NOD32's free scan and others is impossible as images and whole sections of each page will not load.

If any of you could help me determine which steps I should take to try and immunize this computer, I would greatly appreciate it!

Thank you in advance.

Here is my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Andie at 9:56:28.51 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.458 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ShowingTime\ShowingDesk Web Edition\ShowingTime.DeskWE.Client.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andie\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://lraor.fnismls.com/Paragon/Login.asp?
uURLSearchHooks: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wisdom-soft ScreenHunter 5.1 Pro] 0
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Search - ?p=ZSzeb012YCUS_ZZzer000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: showingdesk.com
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://lraor.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137800015343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169178463140
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.kw.com/listings/includes/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andie\applic~1\mozilla\firefox\profiles\lt1td9ap.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-12-28 40840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-23 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-23 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-23 360584]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-12-28 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-12-28 81288]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-23 285392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-28 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1079176]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [2008-10-27 26752]
S3 NETGEAR_WAG311_SERVICE;NETGEAR WAG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wag311n5.sys [2007-1-28 322560]

=============== Created Last 30 ================

2010-01-25 19:09:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 19:09:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 13:27:02 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-22 22:20:14 2931 ----a-w- c:\windows\system32\warning.html
2010-01-16 17:43:39 0 d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2010-01-11 15:33:11 327168 ----a-w- c:\windows\IsUn040a.exe
2009-12-28 21:07:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-12-28 21:07:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-12-28 21:07:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-12-28 21:07:41 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-12-28 21:07:33 0 d-----w- c:\program files\Spyware Doctor
2009-12-28 21:07:33 0 d-----w- c:\docume~1\andie\applic~1\PC Tools
2009-12-28 20:21:01 0 d-----w- C:\spoolerlogs
2009-12-28 19:15:38 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 19:15:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-23 15:56:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-23 15:56:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-23 15:56:18 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 07:46:58 1168384 ----a-w- c:\windows\system32\urlmon(3).dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet(5).dll
2009-10-29 07:45:37 1208832 ----a-w- c:\windows\system32\urlmon(5).dll

============= FINISH: 9:58:03.37 ===============

Attached is the other scan I could run. GMER will not complete a scan as it freezes before finishing.
Attached file: Attach.zip
 
JSntgRvr
post Jan 28 2010, 08:30 PM
Post #2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. Install the Recovery Console if prompted.
  9. When finished, it will produce a report for you.
  10. Please post the "C:\Combo-Fix.txt" .

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.


--------------------
Unanswered threads for more than five (5) days will be removed from my subscriptions.
No help through a Private Message will be provided.
Please do not post on someone else's thread. It will be removed immediately.

If I have helped you, consider making a donation to help me continue the fight against Malware!
kwlafayette
post Jan 30 2010, 02:35 PM
Post #3

Hello. Thank you very much for the reply. Here is my ComboFix log:

ComboFix 10-01-29.01 - Andie 01/29/2010 13:06:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.511 [GMT -5:00]
Running from: c:\documents and settings\Andie\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
PEV Error: ProgramsFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andie\My Documents\avira_antivir_personal_en.bat
c:\windows\fyxo.bak
c:\windows\system32\warning.html

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-26 18:08 . 2010-01-26 18:08 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-25 19:09 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 19:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 17:43 . 2010-01-16 17:43 -------- d-----w- c:\documents and settings\Andie\Local Settings\Application Data\LogMeIn
2010-01-16 17:43 . 2010-01-16 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2010-01-11 15:33 . 1998-10-07 00:34 327168 ----a-w- c:\windows\IsUn040a.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 13:50 . 2009-10-26 18:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-29 13:34 . 2008-01-29 18:03 74520 ----a-w- c:\documents and settings\Andie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 18:07 . 2009-12-15 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 19:01 . 2009-12-28 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-11 14:41 . 2009-08-24 14:34 -------- d-----w- c:\documents and settings\Andie\Application Data\U3
2009-12-30 14:48 . 2009-12-23 14:53 -------- d-----w- c:\program files\AVG
2009-12-30 13:17 . 2009-12-28 21:07 -------- d-----w- c:\program files\Spyware Doctor
2009-12-28 21:07 . 2009-12-28 21:07 -------- d-----w- c:\documents and settings\Andie\Application Data\PC Tools
2009-12-28 19:36 . 2009-12-28 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 15:56 . 2009-12-23 15:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-23 15:56 . 2009-12-23 15:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-23 15:56 . 2009-12-23 15:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-23 15:56 . 2009-12-23 15:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-23 15:56 . 2009-12-23 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-23 15:09 . 2009-12-23 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-23 15:06 . 2009-12-23 15:06 -------- d-----w- c:\program files\Conduit
2009-12-23 14:54 . 2009-12-23 14:54 -------- d-----w- c:\program files\Sun
2009-12-23 14:52 . 2009-12-22 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9(2)
2009-12-23 14:49 . 2007-06-11 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-23 14:49 . 2009-12-23 14:08 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-22 17:30 . 2007-01-19 02:31 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:30 . 2009-12-18 13:30 -------- d-----w- c:\program files\MSBuild
2009-12-18 13:30 . 2009-12-18 13:30 -------- d-----w- c:\program files\Reference Assemblies
2009-12-18 13:25 . 2009-12-18 13:25 -------- d-----w- c:\program files\MSXML 6.0
2009-12-16 19:51 . 2009-12-16 19:45 -------- d-----w- c:\program files\EASY TRINITY
2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\Andie\Application Data\Malwarebytes
2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 19:37 . 2009-11-23 19:37 152576 ----a-w- c:\documents and settings\Andie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 19:37 . 2009-11-23 19:37 79488 ----a-w- c:\documents and settings\Andie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 17:06 . 2009-11-23 17:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 16:36 . 2006-02-28 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 18:51 . 2009-11-19 18:51 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Pro"="0" [X]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-23 2033432]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-23 15:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\windows\fyxo.bak 2yAPFDOFNF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\Installer\\{2BDAE5C3-4CC3-4281-8129-7549B1D1CCA3}\\WeStarter.exe1_1A7D3903460949A481C0D68751FF8123.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2009 10:56 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/23/2009 10:56 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/23/2009 10:56 AM 285392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/28/2009 4:07 PM 356920]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [10/27/2008 2:10 PM 26752]
S3 NETGEAR_WAG311_SERVICE;NETGEAR WAG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wag311n5.sys [1/28/2007 2:46 PM 322560]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://lraor.fnismls.com/Paragon/Login.asp?
IE: &Search - ?p=ZSzeb012YCUS_ZZzer000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: showingdesk.com
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Andie\Application Data\Mozilla\Firefox\Profiles\lt1td9ap.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll
BHO-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll
Toolbar-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll
WebBrowser-{E682E50F-A793-4BFD-A3D6-4A38EE2AE13B} - c:\program files\KW.com\tbKW.1.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 08:50
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1220945662-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{162D5BD0-4320-B256-B032-3A4A0F728BBA}*]
"oadofihaapiemfnhdbdckmjjibimfm"=hex:6b,61,68,70,6d,63,70,61,6d,63,6c,61,65,63,
6b,6d,6e,67,67,66,62,6a,00,00
"nabaimaflkfmfeplhccegnnhicdi"=hex:6b,61,68,70,6c,63,65,61,64,69,65,69,6e,62,
63,6b,6e,63,62,66,6c,6d,00,00
"oahnomjgockahifmimopdpbngfcdlg"=hex:64,61,6b,61,64,65,66,6d,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-01-30 08:54:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 13:54

Pre-Run: 139,527,155,712 bytes free
Post-Run: 140,187,869,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1119474674654EF15F35DFB8D957F31B

I look forward to your next reply!
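The "Reg Loading Points" section of the ComboFix log above is where the actual persistence shows up: the Drivers32 "midi9" slot pointing at c:\windows\fyxo.bak (the file ComboFix deleted, later identified by Kaspersky in quarantine), a Run entry whose target is gone (ComboFix marks it [X]), and Security Center monitoring switched off. As an added example that is not part of the original thread and is not ComboFix's or Malwarebytes' code, here is a small Python triage pass that walks that REGEDIT4-style section and flags exactly those three conditions. The sample text is constructed from the lines in the post; the list of file types treated as normal under Drivers32 is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed "Reg Loading Points" section in the REGEDIT4-style
# layout ComboFix prints, built from the lines posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Pro"="0" [X]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-23 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\windows\fyxo.bak 2yAPFDOFNF

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')         # "name"=data
META_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")       # trailing [date size] or [X]
EXT_RE = re.compile(r"\.([A-Za-z0-9]+)(?=\s|$)")   # extension of the first path token

# Assumption: file types that legitimately appear as Drivers32 mappings
# (multimedia codecs and wave/midi drivers). Anything else deserves a look.
DRIVERS32_OK = {"dll", "drv", "acm", "ax"}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    reason: str


def _split_meta(data: str):
    """Separate ComboFix's trailing bracketed annotation from the value data."""
    m = META_RE.search(data)
    if m:
        return data[: m.start()].strip(), m.group(1)
    return data.strip(), ""


def triage_loading_points(text: str):
    """Walk a Reg Loading Points dump and return the entries worth a second look."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue                      # @="" defaults, file listings, blank lines
        name = vm.group(1)
        value, meta = _split_meta(vm.group(2))
        value = value.strip('"')
        lkey = key.lower()

        if meta == "X":
            # ComboFix marks an autostart whose target it could not find with [X].
            findings.append(Finding(key, name, "autostart target missing or not a file"))
        elif lkey.endswith("\\drivers32"):
            # Drivers32 should map wave/midi/msacm slots to codec DLLs or .drv files.
            # A data-file extension (.bak here) or a trailing token is a persistence trick.
            ext = EXT_RE.search(value)
            ext_name = ext.group(1).lower() if ext else ""
            if ext_name not in DRIVERS32_OK:
                findings.append(Finding(key, name, f"Drivers32 slot mapped to .{ext_name or '?'} file: {value}"))
        elif "security center\\monitoring" in lkey and name.lower() == "disablemonitoring":
            if value.lower() == "dword:00000001":
                findings.append(Finding(key, name, "Security Center AV/firewall monitoring disabled"))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG):
        leaf = f.key.split("\\")[-1]
        print(f"[{leaf}] {f.name}: {f.reason}")
```

Run against the sample it reports the ScreenHunter orphan, the midi9 mapping to fyxo.bak, and both DisableMonitoring values, and stays silent on the AVG and Nero entries. The Drivers32 check is the one to keep in a real triage script: the key is loaded by every process that initialises multimedia, so a DLL planted there runs early and broadly, which is consistent with MBAM and HijackThis being killed seconds after they opened.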
kwlafayette
post Jan 30 2010, 02:45 PM
Post #4
Just wanted to note that I can now get MBAM to run. A scan produced this logfile:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/30/2010 9:42:22 AM
mbam-log-2010-01-30 (09-42-18).txt

Scan type: Quick Scan
Objects scanned: 133046
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Additionally, I can now get AVG to update - the program would not update previously. I will turn this over to you now and see if my problem has somehow already been rectified by ComboFix (but I have a feeling it isn't really that easy).
JSntgRvr
post Jan 30 2010, 04:27 PM
Post #5
I would like to review a file:

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "JSntgRvr"
  • Put a link to this thread in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

      c:\windows\IsUn040a.exe

  • Click Open.
  • Click Post.


You won't be able to see whether the file was uploaded, but following the instructions above will certainly do.


Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")


kwlafayette
post Feb 1 2010, 01:24 PM
Post #6
Hello again!

Thank you so much for the help and your reply.

I have upgraded my Java as well as posted the specific file you mentioned to the forum you requested.

Additionally, here is my Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 30, 2010 17:11:34
Records in database: 3387647
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 47964
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:12:10


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\fyxo.bak.vir Infected: Trojan-PSW.Win32.Kates.ar 1

Selected area has been scanned.

Looks like it found one virus that I believe ComboFix detected and quarantined? Any other steps I must now take?

Thank you again!
JSntgRvr (True Member; Group: Experts; Posts: 475; Joined: 10-September 08; From: Caribbean; Member No.: 3,886)
post Feb 1 2010, 03:03 PM, Post #7

That file is in quarantine. How is the computer doing?


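The reply above makes the key triage point: a detection whose path lies under C:\Qoobox\Quarantine is ComboFix's already-isolated copy, not a live infection. The script below is an added example (not from the thread, and not Kaspersky's or ComboFix's own code) that parses the detection table of a Kaspersky Online Scanner 7.0 report in the format posted, tags each hit that sits inside a known quarantine folder, and cross-checks the row count against the report's own statistics. The embedded report text is taken from the post; the list of quarantine roots (ComboFix's, plus the MBAM quarantine location on XP) is an assumption to extend for whatever tools you ran.

```powershell
# Added example (not from the thread): parse a Kaspersky Online Scanner 7.0 report
# and separate live detections from hits that are already in a quarantine folder.

# Assumed quarantine roots; add any other tool's quarantine directory here.
$QuarantineRoots = @(
    'C:\Qoobox\Quarantine',                                                  # ComboFix
    'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware\Quarantine'  # MBAM on XP (assumed)
)

# Report text copied from the post above.
$Report = @'
Scan statistics:
Objects scanned: 47964
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:12:10


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\fyxo.bak.vir Infected: Trojan-PSW.Win32.Kates.ar 1

Selected area has been scanned.
'@

function ConvertFrom-KasperskyReport {
    param([string]$Text, [string[]]$Quarantine = $QuarantineRoots)
    $inTable = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^File name / Threat / Threats count') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ($line -match '^Selected area has been scanned') { break }
        # Row layout: <path> <Infected|Suspicious>: <threat name> <count>  (tab or space separated)
        if ($line -match '^(?<Path>\S.*?)\s+(?<Verdict>Infected|Suspicious):\s+(?<Threat>\S+)\s+(?<Count>\d+)\s*$') {
            $path = $Matches['Path']
            $isQuarantined = [bool]($Quarantine | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            New-Object PSObject -Property @{
                Path         = $path
                Verdict      = $Matches['Verdict']
                Threat       = $Matches['Threat']
                Count        = [int]$Matches['Count']
                InQuarantine = $isQuarantined
            }
        }
    }
}

# Hits that are NOT inside a quarantine folder and therefore still need action.
function Get-LiveDetection {
    param([string]$Text)
    ConvertFrom-KasperskyReport -Text $Text | Where-Object { -not $_.InQuarantine }
}

# Sanity check: the number of parsed rows should equal infected + suspicious objects
# declared in the statistics block; a mismatch means the table was truncated or
# the row pattern did not match some line.
function Test-ReportConsistent {
    param([string]$Text)
    $rows = @(ConvertFrom-KasperskyReport -Text $Text)
    $declared = 0
    if ($Text -match 'Infected objects found:\s*(\d+)')   { $declared += [int]$Matches[1] }
    if ($Text -match 'Suspicious objects found:\s*(\d+)') { $declared += [int]$Matches[1] }
    $rows.Count -eq $declared
}

ConvertFrom-KasperskyReport -Text $Report | Format-Table Verdict, Threat, InQuarantine, Path -AutoSize
$live = @(Get-LiveDetection -Text $Report)
Write-Host ("Report consistent: {0}; live (non-quarantined) detections: {1}" -f (Test-ReportConsistent -Text $Report), $live.Count)
```

For the report in the post the table prints one row with `InQuarantine` true, `Test-ReportConsistent` returns true, and the live count is 0, which is exactly the conclusion the expert draws. Paste a different report into `$Report` (or read one with `Get-Content -Raw`) to apply the same check to your own scan.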
kwlafayette (New Member; Group: Members; Posts: 6; Joined: 25-January 10; Member No.: 30,955)
post Feb 1 2010, 03:38 PM, Post #8

Hi!

Computer seems to be running fine. I have been able to update my antivirus - which was impossible before, MBAM now opens, and no Google redirects have occurred since the quarantine. I think everything is running smoothly. Can I go ahead and remove the objects found by MBAM?

Again, thank you so much! You guys are so very helpful.
JSntgRvr (True Member; Group: Experts; Posts: 475; Joined: 10-September 08; From: Caribbean; Member No.: 3,886)
post Feb 1 2010, 07:01 PM, Post #9

Hi, kwlafayette. :)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Andie\Desktop\Combo-Fix.exe" /Uninstall in the runbox (including the quotation marks) and click OK.


Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.


The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  8. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!


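The post above walks through the System Restore reset, the ComboFix uninstall and the fresh restore point as GUI clicks. As an added example (not from the thread, and not Malwarebytes' or ComboFix's own tooling), the script below performs the same three steps through the SystemRestore WMI class in the root\default namespace, which is what the XP System Restore tab drives, so the before/after state can be listed instead of trusted. It assumes PowerShell 2.0 or later on the XP box, an administrator account, that C:\ is the system drive, and uses the ComboFix path quoted in the post; the restore point description is the one the post suggests.

```powershell
# Added example (not from the thread): reset System Restore, uninstall ComboFix and
# take a clean restore point via the SystemRestore WMI class. Run as administrator.
# Assumptions: system drive C:\, ComboFix at the path quoted in the thread.
$SystemDrive  = 'C:\'
$ComboFixPath = 'C:\Documents and Settings\Andie\Desktop\Combo-Fix.exe'

function Get-SystemRestoreClass { [wmiclass]'\\.\root\default:SystemRestore' }

# Each instance of the SystemRestore class is one existing restore point.
function Get-RestorePoints {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Select-Object SequenceNumber, Description, CreationTime
}

function Disable-SystemRestoreOnDrive([string]$Drive) {
    # On XP, disabling on the system drive disables System Restore for all drives
    # and discards every existing restore point (the infected ones included).
    $rc = (Get-SystemRestoreClass).Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "Disable($Drive) failed with code $rc" }
}

function Enable-SystemRestoreOnDrive([string]$Drive) {
    # Second argument: block until the service reports it is enabled.
    $rc = (Get-SystemRestoreClass).Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "Enable($Drive) failed with code $rc" }
}

function New-CleanRestorePoint([string]$Description) {
    # 12 = MODIFY_SETTINGS restore point type, 100 = BEGIN_SYSTEM_CHANGE event type.
    $rc = (Get-SystemRestoreClass).CreateRestorePoint($Description, 12, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }
}

function Uninstall-ComboFix([string]$Path) {
    if (-not (Test-Path $Path)) { throw "ComboFix not found at $Path" }
    # Same switch the post gives for the Run box: "<path>" /Uninstall
    Start-Process -FilePath $Path -ArgumentList '/Uninstall' -Wait
}

# Phase 1 (before the reboot): show what exists, then drop every restore point.
function Invoke-BeforeReboot {
    Write-Host 'Restore points before reset:'
    Get-RestorePoints | Format-Table -AutoSize
    Disable-SystemRestoreOnDrive $SystemDrive
    Write-Host "System Restore disabled on $SystemDrive. Reboot, then run Invoke-AfterReboot."
}

# Phase 2 (after the reboot): re-enable, remove the cleanup tool, snapshot the clean state.
function Invoke-AfterReboot {
    Enable-SystemRestoreOnDrive $SystemDrive
    Uninstall-ComboFix $ComboFixPath
    New-CleanRestorePoint 'After Cleanup'
    Write-Host 'Restore points now:'
    Get-RestorePoints | Format-Table -AutoSize
}
```

Dot-source the file, call `Invoke-BeforeReboot`, reboot as the post instructs, then dot-source it again and call `Invoke-AfterReboot`. The second listing should contain only the "After Cleanup" point; if older points are still present, the disable step did not take effect (typically because the account lacked administrator rights, the same symptom as the missing System Restore tab mentioned above).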
kwlafayette (New Member; Group: Members; Posts: 6; Joined: 25-January 10; Member No.: 30,955)
post Feb 1 2010, 07:24 PM, Post #10

Thank you so much for all of your help!

Once again, I would just like to reiterate that you guys do an amazing job and I will be sure to come back for all of my security needs!
JSntgRvr (True Member; Group: Experts; Posts: 475; Joined: 10-September 08; From: Caribbean; Member No.: 3,886)
post Feb 1 2010, 07:34 PM, Post #11

Thank you! :)

