Sons and Nephews,should listen to their elders,and not venture into dangerous waters,but they do not listen.this PC has been infected,and hijacked with some malware that redirects the web searches to their own sites.
I have tried the regular disinfection technique,but I gotten nowhere.
1)it disabled my installed MalwareBytes software,and it will not allow me to reintall it.
2) I ran SuperantiSpyware,and foun a couple of trojans,and supposedely removed them, I will post an scan later.
3) AVG Free edition,found a couple of trojans and supposedely removed them.
4) Ran SmithFraudFix,and I am posting the Log
5) Ran gMer,and did not finish,I will post that Log
6) I tried to install ComboFix,and it would not let me install it!
7) I ran HijackThis,and I am posting the Log after all the other scans.
Your assistance with this sick “puppy” will be greatly appreciated. ???
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:13, on 12/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21115)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\vista aero\TrueTransparency.exe
C:\SmithFraudFix\SmitfraudFix\Policies.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM..\Run: [Lexmark 4200 Series] “C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [relasupar] Rundll32.exe “c:\windows\system32\kavunize.dll”,a
O4 - HKCU..\Run: [RocketDock] “C:\Program Files\RocketDock\RocketDock.exe”
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKCU..\Run: [upsqCMP] rundll32.exe “C:\Documents and Settings\Administrator\Local Settings\Application Data\upsqCMP\upsqCMP.dll”, DllInit
O4 - HKUS\S-1-5-19..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [RocketDock] “C:\Program Files\RocketDock\RocketDock.exe” (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [RocketDock] “C:\Program Files\RocketDock\RocketDock.exe” (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-20..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [RocketDock] “C:\Program Files\RocketDock\RocketDock.exe” (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [VistaDrives®] %Windir%\ABioDESK\Vistadrive\vsdrv.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [RocketDock] “C:\Program Files\RocketDock\RocketDock.exe” (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [VistaDrives®] %Windir%\ABioDESK\Vistadrive\vsdrv.exe (User ‘Default user’)
O4 - Global Startup: TrueTransparency.lnk = C:\Program Files\vista aero\TrueTransparency.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki… - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\kavunize.dll,fuyizeve.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: wohivepew - {ea2ffb6e-0b6c-4cdb-9837-4d40990d73ae} - c:\windows\system32\kavunize.dll
O22 - SharedTaskScheduler: jugezatag - {ea2ffb6e-0b6c-4cdb-9837-4d40990d73ae} - c:\windows\system32\kavunize.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
–
End of file - 7528 bytes
SmitFraudFix v2.424
Scan done at 18:15:23.57, Fri 12/11/2009
Run from C:\SmithFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\vista aero\TrueTransparency.exe
C:\SmithFraudFix\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-11 12:20:13
Windows 5.1.2600 Service Pack 3
Running: 8khynuy6.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipow.sys
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xF73A40D0]
SSDT sptd.sys ZwEnumerateKey [0xF73A9FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF73AA340]
SSDT sptd.sys ZwOpenKey [0xF73A40B0]
SSDT sptd.sys ZwQueryKey [0xF73AA418]
SSDT sptd.sys ZwQueryValueKey [0xF73AA298]
SSDT sptd.sys ZwSetValueKey [0xF73AA4AA]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF679E380, 0x5414D5, 0xE8000020]
.text USBPORT.SYS!DllUnload F66E18AC 5 Bytes JMP 86EA21C8
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F73BB06C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73BB018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73DD9AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73BB06C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73A4AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73A4C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73A4B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73A5748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73A561E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73BA29A] sptd.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86FD11E8
Device \FileSystem\Fastfat \FatCdrom 86944790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5FFB9F28-4014-4F75-ADFB-CBCA53D23482} 869591E8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 86EA11E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F671E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F671E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F671E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F671E8
Device \Driver\usbuhci \Device\USBPDO-1 86EA11E8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD31E8
Device \Driver\Cdrom \Device\CdRom0 86F35790
Device \Driver\Cdrom \Device\CdRom1 86F35790
Device \Driver\atapi \Device\Ide\IdePort0 [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F72F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 869591E8
Device \Driver\NetBT \Device\NetbiosSmb 869591E8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{06211B70-46EB-43EE-BE04-92D6D314E899} 869591E8
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 86EA11E8
Device \Driver\usbuhci \Device\USBFDO-1 86EA11E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8694B1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8694B1E8
Device \Driver\Ftdisk \Device\FtControl 86FD31E8
Device \FileSystem\Fastfat \Fat 86944790
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 86927790
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0x36 0x0A 0xA1 …
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0x36 0x0A 0xA1 …
---- EOF - GMER 1.0.15 ----
SUPERAntiSpyware Scan Log
Generated 12/10/2009 at 04:33 PM
Application Version : 4.31.1000
Core Rules Database Version : 3469
Trace Rules Database Version: 1803
Scan type : Complete Scan
Total Scan Time : 03:32:26
Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 6652
Registry threats detected : 6
File items scanned : 118509
File threats detected : 0
Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY__C0072400#Logon