Computer Security & Viruses/Browser hijack

Question
QUESTION: I have just run rkill, anti-malwarebytes, and EST (I think that's the correct letters?) online scanner (your previous instructions from back around October 2010, when I asked you a question via allexperts.com).

EST found 21 infections. antimal~ found 3 infections. rkill: none. Ran HijackThis, fixed a couple of searchass't entries, restarted, and the searchass't entries reappear. Still have hijacking. I have to enter the URL in the address bar, then it works. You previously told me part of my HijackThis log was missing. Is this one below complete?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:23:03 PM, on 1/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 2496 bytes
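As an added example (not part of the original exchange, and not HijackThis's own code), the following Python script parses a cut-down, constructed copy of the log above and flags the two things that stand out in it from a reviewer's seat: the Search keys whose value is blank (the entries the poster says reappeared after a fix) and a single image running far more often than expected (five copies of mshta.exe). The sample log, the section regex and the repeat threshold are assumptions made for the example.

```python
import re
from collections import Counter
# Constructed sample: a cut-down copy of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
"""
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # "R0 - ...", "O4 - ...", "O23 - ..."

def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line closes the process list
        elif (m := ENTRY_RE.match(line)):
            entries.append(m.groups())
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text, repeat_threshold=4):
    """Flag what stands out in the posted log: R0 search keys with a blank value
    (the entries that came back after a fix) and one image running unusually
    often (five copies of mshta.exe, the HTML Application host)."""
    processes, entries = parse_hjt(text)
    findings = []
    for section, body in entries:
        if section == "R0" and body.endswith("="):
            key = body.split(",", 1)[1].split(" =", 1)[0]   # e.g. SearchAssistant
            findings.append(("blank-search-value", key))
    for name, count in Counter(p.rsplit("\\", 1)[-1].lower() for p in processes).items():
        if count >= repeat_threshold:
            findings.append(("repeated-process", f"{name} x{count}"))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a full log to get the same two kinds of findings; a flagged entry is a prompt to look closer, not a verdict.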

ANSWER: Hello

I would like for you to run a ComboFix scan as follows:
Please download ComboFix by sUBs from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Important* - Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. If asked to install the Windows Recovery Console, please allow the program to do so. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal, and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log in a follow-up.

Brian

---------- FOLLOW-UP ----------

QUESTION: After running ComboFix, the hijacking has disappeared so far. I also ran SuperAntiSpyware after ComboFix and it found one trojan and hundreds of cookies.

Not sure if you got my posting of the ComboFix log, so I'm posting it again now, per your initial request.

ComboFix 11-01-17.01 - 8200 01/17/2011  19:23:04.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.786 [GMT -5:00]
Running from: c:\documents and settings\8200\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\8200\Application Data\completescan
c:\documents and settings\8200\Application Data\install
c:\documents and settings\8200\Application Data\Microsoft\stor.cfg
c:\documents and settings\8200\Application Data\PriceGong
c:\documents and settings\8200\Application Data\PriceGong\Data\1.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\a.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\b.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\c.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\d.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\e.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\f.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\g.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\h.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\i.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\J.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\k.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\l.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\m.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\n.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\o.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\p.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\q.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\r.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\s.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\t.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\u.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\v.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\w.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\x.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\y.xml
c:\documents and settings\8200\Application Data\PriceGong\Data\z.xml
c:\program files\WeatherBlinkEI
c:\program files\WeatherBlinkEI\Installr\1.bin\gcEZSETP.dll
c:\program files\WeatherBlinkEI\Installr\1.bin\NPgcEISb.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-12-18 to 2011-01-18  )))))))))))))))))))))))))))))))
.

2011-01-14 03:18 . 2011-01-14 03:18   --------   d-sh--w-   c:\documents and settings\8200\IECompatCache
2011-01-08 15:07 . 2011-01-08 15:07   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Sunbelt Software
2011-01-08 04:35 . 2011-01-08 04:35   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-01-08 02:12 . 2011-01-08 02:12   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-08 01:49 . 2011-01-08 01:49   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2011-01-07 19:15 . 2011-01-07 19:15   --------   d-sh--w-   c:\documents and settings\8200\PrivacIE
2011-01-07 19:13 . 2011-01-07 19:13   --------   d-sh--w-   c:\documents and settings\8200\IETldCache
2011-01-07 19:10 . 2011-01-07 19:10   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2011-01-07 18:55 . 2011-01-07 18:55   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2011-01-07 18:49 . 2011-01-07 18:52   --------   dc-h--w-   c:\windows\ie8
2011-01-03 17:24 . 2011-01-03 17:26   --------   d--h--w-   c:\windows\msdownld.tmp
2011-01-03 17:24 . 2011-01-03 17:26   --------   d-----w-   c:\windows\Windows Update Setup Files
2010-12-19 19:07 . 2010-12-19 19:13   --------   d-----w-   c:\windows\system32\NtmsData

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 21:02 . 2010-11-14 21:02   218   ----a-w-   c:\documents and settings\8200\Application Data\sdghzxfg.bat
2010-11-09 15:39 . 2010-04-02 12:18   98392   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-10-20 22:35 . 2010-10-20 22:35   388096   ----a-r-   c:\documents and settings\8200\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 TD3004F60v;TD3004F60v;c:\windows\system32\drivers\TD3004F60v.sys [12/23/2009 3:09 PM 16320]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 4:26 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 21:26]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 21:26]

2011-01-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2011-01-17 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2011-01-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2011-01-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-24 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msnbc.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
AddRemove-HijackThis - c:\documents and settings\8200\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-17  19:34:11
ComboFix-quarantined-files.txt  2011-01-18 00:34

Pre-Run: 106,006,126,592 bytes free
Post-Run: 106,202,910,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 77DEA4D8849E49A162B144AA80C4A8B6

Answer
Hello

I don't know what happened to my answer yesterday, but I will repost it:

"The trojan infection, Trojan.Win32.FakeAV.rww, was found and removed by ComboFix.  Can you confirm that the search redirects have stopped?  If so, you should next update and run a full system scan with your AVG software.  Let me know the results and give me an update on how the computer is working now.  Hopefully we have sorted it all out."

You have answered the question, however, so if everything seems to be working well now, we can mark this problem as solved. If there are further problems, just let me know. Cheers!


Brian

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.