Logs for Analysis- Thanks!


Daltex

I had IE7 hijacked. Searches would lead to proper-looking results but wrong URLs. The URLs were mostly shopping and antivirus sites. Windows Update would fail because it read IE7 as IE5, and I upgraded to IE8 Beta to try to resolve this. I have followed the whole "Spyware Removal Guide". I had to uninstall Ad-Aware to load AVG. The following logs are from after running all recommended programs per the guide. Let me know what you think.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13:34, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229828095515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229828084625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grigsbydds.local
O17 - HKLM\Software\..\Telephony: DomainName = grigsbydds.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grigsbydds.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grigsbydds.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4878 bytes

_________________________________________________


ComboFix 09-02-19.01 - hy1 2009-02-21 17:40:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.617 [GMT -6:00]
Running from: c:\documents and settings\hy1\My Documents\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wdmaud.sys
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-21 14:33 . 2009-02-21 14:33 <DIR> d-------- C:\VundoFix Backups
2009-02-21 14:17 . 2009-02-21 14:17 <DIR> d-------- c:\program files\Trend Micro
2009-02-21 14:09 . 2009-02-21 14:09 <DIR> d-------- c:\program files\CCleaner
2009-02-21 14:03 . 2009-02-21 14:03 <DIR> d-------- c:\program files\CleanUp!
2009-02-21 13:24 . 2009-02-21 13:24 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-21 12:56 . 2009-02-21 12:56 <DIR> d-------- c:\program files\7-Zip
2009-02-21 10:41 . 2009-02-21 10:41 <DIR> d-------- c:\documents and settings\hy1\Application Data\Malwarebytes
2009-02-21 10:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 10:40 . 2009-02-21 10:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 10:40 . 2009-02-21 10:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 10:40 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-15 16:00 . 2009-02-15 16:00 <DIR> d--hs---- c:\documents and settings\hy1\PrivacIE
2009-02-15 16:00 . 2009-02-15 16:00 <DIR> d--hs---- c:\documents and settings\hy1\IETldCache
2009-02-15 15:53 . 2009-02-15 15:53 <DIR> d--h-c--- c:\windows\ie8
2009-02-15 13:13 . 2009-02-15 13:13 <DIR> d-------- c:\program files\Panda Security
2009-02-13 19:56 . 2009-02-13 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-13 19:56 . 2009-02-21 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-13 18:55 . 2009-02-13 18:13 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-13 18:13 . 2009-02-13 18:13 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-13 18:13 . 2009-02-13 18:13 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-13 18:11 . 2009-02-13 18:11 <DIR> d-------- c:\program files\Lavasoft
2009-02-13 18:11 . 2009-02-13 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-13 18:11 . 2009-02-13 18:11 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 23:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 20:27 --------- d-----w c:\program files\Google
2009-02-14 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-15 08:17 636,264 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-01-15 08:17 392,040 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 08:13 5,888,512 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-15 08:12 10,963,968 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-01-15 08:06 236,544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-01-15 08:06 105,984 ----a-w c:\windows\system32\dllcache\url.dll
2009-01-15 08:06 1,182,720 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-01-15 08:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 08:05 911,872 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-01-15 08:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 08:05 43,008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 08:05 193,536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-01-15 08:05 109,056 ----a-w c:\windows\system32\dllcache\occache.dll
2009-01-15 08:04 755,200 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-01-15 08:04 25,600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 08:04 18,944 ----a-w c:\windows\system32\dllcache\corpol.dll
2009-01-15 08:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 08:02 611,840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-01-15 08:02 593,920 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-01-15 08:02 1,975,296 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-01-15 08:01 66,560 ----a-w c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 08:01 59,904 ----a-w c:\windows\system32\dllcache\icardie.dll
2009-01-15 08:01 54,272 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-15 08:01 46,592 ----a-w c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 08:01 348,160 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 08:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 08:01 34,304 ----a-w c:\windows\system32\dllcache\imgutil.dll
2009-01-15 08:01 216,064 ----a-w c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 08:01 183,808 ----a-w c:\windows\system32\dllcache\iepeers.dll
2009-01-15 08:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 08:00 48,128 ----a-w c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 08:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 08:00 45,568 ----a-w c:\windows\system32\dllcache\mshta.exe
2009-01-15 07:53 68,608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 07:50 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-15 07:50 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-01-15 07:35 445,440 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 02:54 --------- d-----w c:\program files\Java
2008-06-01 00:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053120080601\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-06-25 771440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.NTN1"= NUVision.ax
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-13 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-19 109616]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2008-01-22 155264]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-13 18:13]

2009-01-31 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - hy1.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-06-26 02:27]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 17:42:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-21 17:43:43
ComboFix-quarantined-files.txt 2009-02-21 23:43:40

Pre-Run: 67,695,071,232 bytes free
Post-Run: 67,677,732,864 bytes free

The logs look clean to me. I don't see anything in them that screams out that something is wrong. Are you still experiencing this problem?
 
Only problem now is the IE8 doesn't delete the cookies and temp files under browser history/settings. All else seems ok.
 
You can try using CCleaner for this. IE8 is still a beta, and that could be a known issue with the beta itself and not due to the issue you just had.
 
I've run CCleaner earlier per the instructions in the spyware removal guide. Should I run it again?

I did have this problem with IE7 prior to the upgrade, which is one of the reasons I suspected a bug. Is there any way to revert back to IE7 until IE8 is past beta?

I also wanted to ask if I should be using Windows Firewall with AVG, or does AVG cover this? What about the other software I installed? Should I leave them running (Trojan Remover)?

Thanks again!
 
You should be able to revert by going into the Add/Remove Programs area and checking the box for "Show updates". From there you should see IE8 listed for removal.

You can leave Windows Firewall on with AVG. AVG is only an anti-virus solution, not a firewall, unless you get the full Internet Security Suite. The Free version is only an anti-virus.

You shouldn't need them anymore. I would wait and see what Osiris says. He is the local expert. I just try to help out when he isn't around. ;)

Are you going to post a log?

The first post has the logs that were made after running your "Spyware Removal Guide".

I thought they were clean so I didn't post another one. Your guide is phenomenal for a newb like me. Thanks.
 