
So frustrating. I've used every tool that I know of in Safe Mode. Updated definitions.
Malwarebytes, Spybot, AdAware, AVG, ComboFix, HijackThis, VunduFix, SmitfraudFix, RootkitRevealer, CounterSpy.

IE and Firefox, Yahoo and Google: when I search for an item, it will sometimes give me the real site, and sometimes send me to some random ad clicknow.com kind of crap.

How is it that no tool is able to find my redirect bug?
Please help. I want to fix it myself... but I'm out of tools/ideas.

Last Post by crunchie

First of all, we don't know anything about your computer. We have seen no logs.
Second, ComboFix is NEVER to be run without a user first being told to run it. It can severely damage a computer if it is run incorrectly, without supervision, or if it is an old version.
Third, Malwarebytes' is not meant to be run in Safe Mode. It will not scan all files in Safe Mode. It is meant to be run in Normal mode.

VunduFix (I assume you mean VundoFix) and SmitfraudFix shouldn't be run either unless you are certain you have these infections on the machine. Plus, MBA-M would remove them if you had them.

Please post back here with an HJT log, the Malwarebytes log and the ComboFix log... which also shouldn't be run in Safe Mode.

Edited by jholland1964: n/a

Ok, thanks. I guess I just assumed there'd be a tool to fix all spyware programs. I appreciate your help.

Here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:08:49, on 2/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\david\Desktop\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

--
End of file - 4904 bytes

Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/7/2010 12:22:14 AM
mbam-log-2010-02-07 (00-22-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190084
Time elapsed: 1 hour(s), 9 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 10-02-04.04 - david 02/07/2010 8:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.421 [GMT -5:00]
Running from: c:\documents and settings\david\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-07 04:11 . 2009-12-11 23:05 3613560 ----a-w- c:\documents and settings\david\Application Data\Simply Super Software\Trojan Remover\xie3.exe
2010-02-07 01:54 . 2009-12-11 23:05 3613560 ----a-w- c:\documents and settings\david\Application Data\Simply Super Software\Trojan Remover\lsv5.exe
2010-02-06 23:39 . 2010-02-06 23:39 107 ----a-w- c:\documents and settings\david\Application Data\netstat.bat
2010-02-06 22:16 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-06 22:16 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-06 22:16 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-06 22:16 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-02-06 22:16 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-06 22:16 . 2010-02-06 22:17 -------- d-----w- c:\program files\Trojan Remover
2010-02-06 22:16 . 2010-02-06 22:16 -------- d-----w- c:\documents and settings\david\Application Data\Simply Super Software
2010-02-06 22:16 . 2010-02-06 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-02-06 22:13 . 2009-11-25 18:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-06 21:27 . 2010-02-06 21:27 -------- d-----w- c:\documents and settings\david\Application Data\Sunbelt
2010-02-06 21:26 . 2010-02-06 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-02-06 21:26 . 2010-02-06 21:26 -------- d-----w- c:\program files\Sunbelt Software
2010-02-06 20:41 . 2010-02-06 20:41 -------- d-----w- C:\VundoFix Backups
2010-02-06 19:34 . 2010-02-06 19:34 -------- d-----w- c:\documents and settings\david\Local Settings\Application Data\AVG Security Toolbar
2010-02-06 18:35 . 2010-02-06 18:01 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-06 18:35 . 2010-02-06 18:01 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-06 18:03 . 2010-02-06 18:03 -------- d-----w- C:\$AVG
2010-02-06 18:02 . 2010-02-06 18:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-06 18:02 . 2010-02-06 18:02 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-06 18:02 . 2010-02-06 18:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-06 18:02 . 2010-02-06 18:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-06 18:02 . 2010-02-06 22:19 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-06 18:02 . 2010-02-06 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-06 18:01 . 2010-02-06 18:01 -------- d-----w- c:\program files\AVG
2010-02-06 18:01 . 2010-02-06 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-06 01:08 . 2010-02-05 20:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-05 20:31 . 2010-02-05 20:31 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-05 20:31 . 2010-02-05 20:31 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-05 20:31 . 2010-02-05 20:31 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-05 20:31 . 2010-02-05 20:31 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-05 20:31 . 2010-02-05 20:31 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-05 20:31 . 2010-02-05 20:31 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-05 20:31 . 2010-02-05 20:31 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-05 20:30 . 2010-02-05 20:30 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-05 20:30 . 2010-02-05 20:30 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-05 20:30 . 2010-02-05 20:30 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-05 20:30 . 2010-02-05 20:30 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-05 20:30 . 2010-02-05 20:30 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-05 20:30 . 2010-02-05 20:30 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-05 20:30 . 2010-02-05 20:30 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-05 20:30 . 2010-02-05 20:30 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-05 20:30 . 2010-02-05 20:30 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-05 20:30 . 2010-02-05 20:30 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-05 20:10 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-05 20:09 . 2010-02-05 20:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-05 20:09 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-05 20:09 . 2010-02-05 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-05 20:09 . 2010-02-05 20:09 -------- d-----w- c:\program files\Lavasoft
2010-02-04 22:27 . 2010-02-04 22:28 -------- d-----w- c:\program files\MAM2
2010-02-04 22:25 . 2010-02-04 22:26 -------- d-----w- c:\program files\MAM
2010-01-29 19:28 . 2010-01-29 19:28 -------- d-----w- c:\documents and settings\david\Local Settings\Application Data\Panda Security
2010-01-29 19:21 . 2003-10-22 23:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-01-29 19:21 . 2010-02-06 17:49 -------- d-----w- c:\documents and settings\david\Application Data\Panda Security
2010-01-29 19:21 . 2010-01-29 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-01-27 23:02 . 2010-01-27 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-22 14:39 . 2010-01-22 14:39 -------- d-----w- c:\documents and settings\david\Application Data\Uniblue
2010-01-21 21:01 . 2010-02-04 22:17 -------- d-----w- c:\program files\Ancient Hearts And Spades
2010-01-21 21:00 . 2010-01-21 21:00 -------- d-----w- c:\program files\ReflexiveArcade
2010-01-12 18:32 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 04:11 . 2008-08-15 23:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-06 20:22 . 2007-10-18 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-04 22:18 . 2007-11-10 02:03 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-04 22:17 . 2007-10-25 15:06 -------- d-----w- c:\program files\Easy DVD Player
2010-01-29 19:13 . 2008-11-18 22:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 19:12 . 2009-03-12 02:08 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-25 18:03 . 2007-10-18 02:04 -------- d-----w- c:\program files\Juno
2010-01-20 14:32 . 2009-11-28 02:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:59 . 2009-04-24 02:57 256 ----a-w- c:\windows\system32\pool.bin
2010-01-07 21:07 . 2008-11-18 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-18 22:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-04 22:02 . 2010-01-04 22:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-29 20:09 . 2009-12-29 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-12-25 00:24 . 2009-12-25 00:24 -------- d-----w- c:\program files\Trend Micro
2009-12-24 16:13 . 2009-12-24 16:13 -------- d-----w- c:\program files\Common Files\Scanner
2009-12-22 18:29 . 2009-12-21 02:41 79488 ----a-w- c:\documents and settings\david\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 02:35 . 2008-01-08 20:45 -------- d-----w- c:\program files\Java
2009-12-12 22:29 . 2008-11-08 23:39 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2010-01-04 685392]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-06 18:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/5/2010 3:10 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/6/2010 1:02 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2010 1:02 PM 360584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/6/2010 1:01 PM 285392]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [10/18/2007 3:59 PM 16194]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [10/18/2007 3:59 PM 393472]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [10/1/2007 2:49 PM 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [10/1/2007 2:49 PM 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [10/1/2007 2:49 PM 18112]
.
Contents of the 'Scheduled Tasks' folder

2010-02-07 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:30]

2010-02-07 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:30]

2010-02-07 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:30]

2010-02-07 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:30]

2010-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:30]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\david\Application Data\Mozilla\Firefox\Profiles\2w1lav6j.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxps://www.paypal.com/|https://www.bankofamerica.com/index.jsp|http://mail.live.com/default.aspx?wa=wsignin1.0
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-PskSvcRetail

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 08:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x86F8A8C6]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7513f28
\Driver\ACPI -> ACPI.sys @ 0xf7466cb8
\Driver\atapi -> atapi.sys @ 0xf7403b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compa -> SendCompleteHandler -> NDIS.sys @ 0xf730eb0a
PacketIndicateHandler -> NDIS.sys @ 0xf7319a21
SendHandler -> NDIS.sys @ 0xf730e949
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-813497703-1202660629-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"Percents"="0 0.1134 0.3242 0.5891 0.6891 0.8426 0.8465 "
"Increment"=".001808"
"FRT"="VeOzltJ925VDUAer5/0++LgOG+/8v1wu+dzBLEtwvlGhJAiGq9fJZg=="
"PLCK"="lUf9+kmO3guTYhW6WeXKKO9ZEwB5HS4T"
"PHSH"=""
.
Completion time: 2010-02-07 08:40:01
ComboFix-quarantined-files.txt 2010-02-07 13:39
ComboFix2.txt 2010-02-05 01:40

Pre-Run: 48,509,620,224 bytes free
Post-Run: 48,482,246,656 bytes free

- - End Of File - - C0F754FD4A75921F944B27B2C0C36898
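The HijackThis log above has a regular line format: a section code (R3, O2, O4, O10, O18, O23...), an entry type, a name, a CLSID where one exists, and a target path or command. As an added example that is not from the original thread and is not HijackThis' own code, the Python below parses lines in that format and applies two simple triage heuristics: an entry HijackThis itself labels "Unknown", and an entry whose target lives under a user-writable profile or temp directory. The sample input is copied in shape from the posted log, except for one made-up HKCU Run entry (marked as constructed) that is not in the posted log and is there only to exercise the second heuristic. The heuristics are assumptions for illustration, not findings about the machine in the thread.

```python
import re
from collections import Counter

# Constructed sample input: six lines copied in shape from the HijackThis log
# posted above, plus one made-up HKCU Run entry ("updater") that is NOT in the
# posted log and exists only to exercise the user-profile heuristic below.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\david\Application Data\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# "<code> - <rest>"; header lines and bare process paths do not match this.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 Run entries look like "[ValueName] command line".
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumed heuristic: autostart targets under these paths deserve a second look,
# because legitimate XP software normally installs under Program Files or Windows.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_entry(line):
    """Split one HijackThis line into code, kind, name, CLSID and target; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    kind, sep, detail = rest.partition(": ")
    if not sep:                      # no "Type:" prefix; treat the whole line as detail
        kind, detail = "", rest
    clsid = CLSID_RE.search(detail)
    if code == "O4":
        run = RUN_RE.match(detail)
        name, target = (run.group("name"), run.group("cmd")) if run else ("", detail)
    else:
        # "name - {CLSID} - path" or "name - vendor - path"; the path is always last
        parts = [p.strip() for p in detail.split(" - ")]
        name, target = parts[0], parts[-1]
    return {"code": code, "kind": kind, "name": name,
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": target, "raw": line.strip()}


def parse_log(text):
    """Return the parsed entries of a HijackThis log, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per section code, e.g. {'O2': 1, 'O4': 2, ...}."""
    return dict(Counter(e["code"] for e in entries))


def triage(entries):
    """Return the entries worth a closer look, each with the reasons attached."""
    flagged = []
    for e in entries:
        reasons = []
        if "unknown" in e["kind"].lower():
            reasons.append("HijackThis could not identify this file")
        if any(marker in e["target"].lower() for marker in USER_WRITABLE):
            reasons.append("target lives in a user-writable profile or temp directory")
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(entries))
    for e in triage(entries):
        print(f"{e['code']} {e['name'] or e['target']}: {'; '.join(e['reasons'])}")
```

Run against the posted log, the only entry this flags is the O10 line that HijackThis itself marks as an unknown Winsock LSP file; whether that file is benign is exactly the kind of question the helper wants a human to answer before anything is removed.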


I guess i just assumed there'd be a tool to fix all spyware programs.

There is no such "one tool fixes all" program.
You ran ComboFix incorrectly. Your anti-virus program was turned ON during the run. If you had been told by somebody to run ComboFix, then the instructions would have been clearly given to you:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Turn off the Lavasoft Ad-Aware service, turn off the Trojan scanner program, and turn off that CounterSpy Antispyware program. All of those programs can work against each other, and there is no reason they should be running all the time in the background either, and they are.

The files, or most of those, removed by ComboFix were just remnants of the SmitfraudFix program that you say you ran; they aren't infections, just files from the program itself.

Edited by jholland1964: n/a

This is my first time asking for help with spyware. Usually I can get a tool to fix my issues. I realize that I don't know what I'm doing. That's why I'm asking for help. What should I do after I turn off those programs?

Thanks.

The problem is, by running all of those tools without supervision, and some of them incorrectly, we may not be able to get a correct read on what your problem actually is, as there is nothing showing in the logs you have posted indicating infection.

Usually I can get a tool to fix my issues

I will say again, there is no ONE tool which can do all fixes.
But if there are constantly problems then your security settings must not be 100% correct either.

You need to clear all your cookies and your browser cache, for sure.
What search tool do you use?

How are your cookies set in your browser? It should be set to accept 1st-party cookies and BLOCK 3rd-party cookies.
This holds true for both IE and Firefox.

You need to uninstall ComboFix.
Do this by doing the following:
Click START, then RUN.
Now type ComboFix /Uninstall in the run box and click OK. The space between ComboFix and /Uninstall must be there.
When shown the disclaimer, select "2".

You also need to remove all those other extra tools you used, like SmitfraudFix and VundoFix, because they obviously found nothing, because there was neither of those to find, and these are one-time-only tools, as is ComboFix. But none of them should be used unless there are clear indications that those infections exist; advertising pop-ups or redirects alone are not indications of either Smitfraud or Vundo. Pop-ups related to either of those generally refer to infections found, etc. What were the indications you found that you did have these infections? Maybe that would give us a place to look.

0

I search with yahoo and google.
Cache and cookies are cleared

Cookies were set to accept 1st party and block 3rd party for Firefox.
I just fixed cookies the same way for IE.

Uninstalled Combofix

I used smitfraud and vundo just to try and fix the issue. I had no indication of their infection. Sorry.

My issue on the PC is that I get website redirects, i.e. a Google search for something, and clicking the link may send me to the right page, but might send me to an ad page. Seems to be a little random. Very irritating, and I'm trying to fix this issue for somebody.

How should I proceed?
Thanks.

0

What a miserable experience. Really.
Spyware that I couldn't get fixed.
Being fussed at by jholland1964.
Still don't have any idea how to remove spyware when the spy-removal-apps don't complete the job.

I just went ahead and reinstalled the OS last night. Painful. :(

0

Sorry you had to reinstall the OS. It was a good idea actually, because the steps you took without proper supervision likely could have caused damage to key system files.

The only reason you were "fussed at" as you called it, was because you took major steps without checking with anyone first. By doing so the logs you posted really were not able to give an accurate picture of what may have been the cause of the problems you were having with the computer.

The steps to follow when facing a problem such as this one are all given in the "Read me before posting a request for assistance" sticky at the very top of this page. Very simple steps and programs to run in order to at least begin cleaning the system. If you read that sticky you will see NO mention anywhere of using Smitfraudfix or Combofix as a usual course of action. Combofix is only mentioned when giving instructions on the top three items to familiarize yourself with; nowhere does it say to USE Combofix.

There are three basic tools noted (not ONE, three): ATF-Cleaner, MBA-M and the ESET Scanner, OR one or two of the other listed online scanners, to begin cleaning. The final tool noted is DDS by sUBs, which is "similar" to Combofix in that it can give a helper the information needed as to whether Combofix "may" be needed. It does no removals; it produces a log which contains similar information and log type as HiJackThis and Combofix. After seeing a DDS log the helper may then either recommend using Combofix OR some other tool, OR just doing fixes manually or with a run of HiJackThis.

If you experience problems again then those are the ONLY steps to follow, in that sticky at the top of this forum:
"Read me before posting a request for assistance"


-1

I don't know where you got your information, but Malwarebytes' Antimalware is perfectly fine to be run in Safe Mode. Actually in some instances the only way to clean an infection is by executing Malwarebytes' Antimalware in Safe Mode, so you should not be informing people that it does not work in Safe Mode - this is totally incorrect. Updating the definitions in normal mode is preferred, but if necessary, booting into Safe Mode with Networking for the updates is perfectly acceptable as well.

Don't give out information to people that you are trying to help that is wholly inaccurate; that only causes confusion. Be certain of your "advice" or just don't give it. There is too much false information on the internet already!

-1

Try not to be a condescending prick your entire life. No one owes you shit, buddy!

With your attitude, I'm surprised anyone works with you.

No need to take that attitude, especially when you have no idea what you are talking about.
0

You should learn to read. I did not say it would not run in Safe Mode. What I said was it will not scan all files in Safe Mode. It is meant to be run in Normal mode.
When you claim that information is "wholly inaccurate" then YOU should be wholly accurate, and you are NOT.
The MBA-M website, which is where I get my information concerning this program, gives the same information:

"Scan in normal mode, that is the best for detection rates.
The best and most effective way to scan with MBAM is in normal mode. In situations where you can't scan with MBAM in normal mode, you can try safe mode, but I would definitely recommend scanning in normal mode once you are able to. The reason is not all of the drivers that MBAM needs are loaded in safe mode, preventing it from being as effective as it should be."


0

When the creator of the tool says that it is designed to run in Normal mode, it is safe to say that that is the best way to run it.
Check your facts.
