Unsolved
October 12th, 2010 18:00
Error Code 80072EFE & IE8 Redirection
My wife is running a Studio Hybrid 622, Vista Home Premium SP1
Four days ago things started to become sluggish - a few random reboots, and I was called in today. Being paranoid, I suspected a virus and ran a quick scan with the latest version of Avast and it found a couple of cookies in the temp folder, but couldn't remove them when I tried to quarantine them as they were no longer there. I noticed that when searching in IE8 for the term "Error Code 80072EFE" the genuine links presented would take me to random sites. I have tried downloading Windows Updates but get the above error code consistently and nothing will download or install.
I cannot update Windows Defender. The PC also has S&D and Ad-Aware installed.
I managed to find this site on another PC and am hoping you chaps might be able to help us - any pointers greatly appreciated as I am totally out of my depth.
Regards,
Duncan
HJT Log File is below:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:29:59, on 13/10/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\System32\FastUserSwitching.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\MediaButtons.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\TestUnitReady.exe
C:\Windows\System32\DELLODD.exe
C:\Windows\System32\DELLOSD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DellOSD] C:\Windows\System32\FastUserSwitching.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Vjivitobabuyu] rundll32.exe "C:\Users\Suzanne\AppData\Local\GExys0.dll",Startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [{06AD82F4-FCD9-771E-651E-D055A05E07B5}] C:\Users\Suzanne\AppData\Roaming\Goxy\ogubv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: network_boot.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{155243A4-8311-4D94-A3C1-982E2D4B240A}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS4\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS5\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 9567 bytes
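Three entries in the log above are the ones a malware helper singles out by eye: an HKCU Run value whose command is rundll32 loading a DLL from AppData\Local, a Run value named as a bare GUID that points at an executable under AppData\Roaming, and a BHO registered with no backing file. The O17 lines are different: they only tell you which DNS servers the machine is using, and whether those belong to the ISP or router has to be confirmed by hand. The Python below is an added example, not part of this thread and not a HijackThis feature; it applies exactly those heuristics to a handful of O2/O4/O17 lines whose shape is copied from the log (the sample is constructed, the paths in it are the log's own), grades each hit, and lists DNS servers for review rather than judging them.

```python
"""Triage a HijackThis log for the autorun patterns seen in the thread.

Added example: not part of the forum thread and not a HijackThis feature.
Checks applied to O2/O4/O17 lines:
  - autorun launched from a user-writable profile path (high)
  - rundll32 loading a DLL from such a path (high)
  - Run value named as a bare GUID (medium)
  - BHO with no backing file (review)
  - script file in a Startup folder (review)
  - configured DNS servers, listed for manual confirmation (review)
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the first HJT log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Vjivitobabuyu] rundll32.exe "C:\Users\Suzanne\AppData\Local\GExys0.dll",Startup
O4 - HKCU\..\Run: [{06AD82F4-FCD9-771E-651E-D055A05E07B5}] C:\Users\Suzanne\AppData\Roaming\Goxy\ogubv.exe
O4 - Startup: network_boot.bat
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
""".strip()


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


# A path inside a user profile's AppData / Local Settings tree: writable
# without elevation, so a legitimate vendor rarely autoruns from there.
USER_PROFILE_PATH = re.compile(
    r"\\(?:Users|Documents and Settings)\\[^\\]+\\"
    r"(?:AppData|Local Settings|Application Data)\\", re.I)
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUNDLL32 = re.compile(r"\brundll32(?:\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|wsf|ps1)$", re.I)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<value>[^\]]*)\] )?(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HJT log line (empty list if it is benign)."""
    line = line.rstrip()
    found: list[Finding] = []

    m = O2_RE.match(line)
    if m:
        if m["path"].strip() == "(no file)":
            found.append(Finding("review", "BHO registered with no backing file (orphan CLSID)", line))
        return found

    m = O4_RE.match(line)
    if m:
        where, value, cmd = m["where"], m["value"] or "", m["cmd"]
        if USER_PROFILE_PATH.search(cmd):
            if RUNDLL32.search(cmd):
                found.append(Finding("high", "rundll32 loads a DLL from a user-writable profile path", line))
            else:
                found.append(Finding("high", "autorun executes from a user-writable profile path", line))
        if GUID_NAME.match(value):
            found.append(Finding("medium", "Run value named as a bare GUID", line))
        if where.endswith("Startup") and SCRIPT_EXT.search(cmd):
            found.append(Finding("review", "script file in a Startup folder", line))
        return found

    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
        found.append(Finding("review", "DNS servers " + ", ".join(servers)
                             + ": confirm they belong to the ISP or router", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and concatenate the findings."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, always reporting all three buckets."""
    counts = {"high": 0, "medium": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

The path check is the one that does most of the work: vendor software installs under Program Files or the Windows directory, so an autorun under a user's AppData tree deserves a second look regardless of what the value is called. The GUID-name and orphan-BHO checks are weaker on their own and are graded accordingly.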


kevinf80_1d0ac6
October 12th, 2010 23:00
Hello Duncan and welcome,
I'm kevinf80 and I will be helping with any malware issues you may have with your system.
Please proceed as follows :-
Step 1
I need you to shut off TeaTimer as it will interfere with our tools:
1) Open Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
Step 2
Please re-open HiJackThis and scan only. Check the boxes (by placing tick) next to all the entries listed below.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [Vjivitobabuyu] rundll32.exe "C:\Users\Suzanne\AppData\Local\GExys0.dll",Startup
O4 - HKCU\..\Run: [{06AD82F4-FCD9-771E-651E-D055A05E07B5}] C:\Users\Suzanne\AppData\Roaming\Goxy\ogubv.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot
Step 3
Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
-------------------------------------------------------------------
:Processes
:Files
ipconfig /flushdns /c
C:\Users\Suzanne\AppData\Local\GExys0.dll
C:\Users\Suzanne\AppData\Roaming\Goxy
:Commands
[CreateRestorePoint]
[EmptyFlash]
[EmptyTemp]
[Purity]
[ResetHosts]
[Reboot]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Step 4
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Step 5
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
What I'd like to see in your reply :-
Kevin.
kopperdrake
October 13th, 2010 02:00
Step 1 - Carried out successfully
Step 2 - Carried out successfully - the GExys0.dll file was being flagged by Windows at startup as being an invalid application - I'd noticed the file was only 0k in size and would show nothing if opened in Notepad
Step 3 - Managed to paste the code into OTM - the results are as below:
--------------------------------------------------------------------------------------------------
All processes killed
========== PROCESSES ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
----------------------------------------------------------------------------------------------------
The PC then hung. I had to hard reset the PC and went into Normal mode when asked if I wanted Safe mode or Normal.
I retried the above steps, copying and pasting your code into OTM.
After the first few lines appeared in OTM's Results window, I got a Windows popup stating:
"C:\Users\Suzanne\AppData\Local\GExys0.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support."
I clicked "OK" and OTM continued to list more in the Results window - and then hung. I can see the hard drive light flashing continuously.
I can not copy and paste from the Results window, but what I can see is (my comments are in [...] brackets):
---------------------------------------------------------------------------------------------------------------
C:\Users\Suzanne\Desktop\cmd.bat deleted successfully.
C:\Users\Suzanne\Desktop\cmd.txt deleted successfully.
LoadLibrary failed for C:\Users\Suzanne\AppData\Local\GEx[end of line missing]
C:\Users\Suzanne\AppData\Local\GExys0.dll moved succes[end of line missing]
C:\Users\Suzanne\AppData\Roaming\Goxy folder moved su[end of line missing]
========== COMMANDS ==========
Error creating restore point.
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: Suzanne
[Cursor is frozen here]
-----------------------------------------------------------------------------------------------------------
I've left it frozen for fear of doing anything else. Should I reboot and start OTM again?
Cheers,
Duncan
kopperdrake
October 13th, 2010 02:00
Hi Kevin,
This really is appreciated - I'll go through these steps over the course of the day and report back.
Cheers,
Duncan
kevinf80_1d0ac6
October 13th, 2010 03:00
Re-boot and leave OTM for now, continue with Malwarebytes. If you have any trouble downloading or running Malwarebytes, boot into Safe mode with Networking, d/l, install, update (very important) and run it, kill all that it finds.
Then continue with the rest of the instructions... I think you'll have done enough to cripple the infection with the HJT fix and the partial run of OTM; Malwarebytes should put a big dent in whatever is left.
If you did have to run MB in Safe mode, try it in Normal mode after the Safe mode run. Don't forget to check for updates before every run; also, only a quick scan is required.
Don't worry if you have problems, we'll sort it out together. I'm in the UK and will not be back online until later this evening, maybe after 6pm; it's 10:15 AM local time now.
Kevin
kopperdrake
October 13th, 2010 06:00
I had to pop out and so left the PC in case it decided to continue, and OTM actually resumed and finished, asking to reboot, so I'm continuing the entire process now. I'm in the UK as well - thanks again for the time you're spending on this!
Duncan
kopperdrake
October 13th, 2010 07:00
Step 3) Carried out successfully - OTM report as below:
------------------------------------------------------------------------------------------------
All processes killed
========== PROCESSES ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Suzanne\Desktop\cmd.bat deleted successfully.
C:\Users\Suzanne\Desktop\cmd.txt deleted successfully.
LoadLibrary failed for C:\Users\Suzanne\AppData\Local\GExys0.dll
C:\Users\Suzanne\AppData\Local\GExys0.dll moved successfully.
C:\Users\Suzanne\AppData\Roaming\Goxy folder moved successfully.
========== COMMANDS ==========
Error creating restore point.
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: Suzanne
->Temp folder emptied: 382443 bytes
->Temporary Internet Files folder emptied: 413283514 bytes
->Java cache emptied: 292666 bytes
->Flash cache emptied: 30722 bytes
User: suzannewatson
->Temp folder emptied: 32671 bytes
->Temporary Internet Files folder emptied: 74629 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 154360639 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66016 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 179289 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 18909574 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 740 bytes
RecycleBin emptied: 2804325253 bytes
Total Files Cleaned = 3,235.00 mb
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
OTM by OldTimer - Version 3.1.16.1 log created on 10132010_093122
Files moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TZDZHT23\TOS[1].txt not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCU565LT\bestgolfingholiday_com[1].txt not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCU565LT\search[2].txt not found!
Registry entries deleted on Reboot...
---------------------------------------------------------------------------------------------
Step 4) Downloaded MBAM, on installation a pop-up stated MBAM wanted to change the startup registry - I gave it permission to do so and it then continued to download a database update. MBAM log report is below:
------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4810
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18813
13/10/2010 13:54:22
mbam-log-2010-10-13 (13-54-22).txt
Scan type: Quick scan
Objects scanned: 150215
Time elapsed: 7 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{06ad82f4-fcd9-771e-651e-d055a05e07b5} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-----------------------------------------------------------------------------------------------------------------
Step 5) Downloaded, installed and ran Security Check - log as below:
-----------------------------------------------------------------------------------------------------------------
Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 1 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
Java(TM) 6 Update 11
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.4.0
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Spybot Teatimer.exe is disabled!
Windows Defender MSASCui.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
----------------------------------------------------------------------------------------------------------------------
New HJT Log below:
----------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:02:21, on 13/10/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\FastUserSwitching.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\MediaButtons.exe
C:\Windows\System32\TestUnitReady.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\DELLODD.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\DELLOSD.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DellOSD] C:\Windows\System32\FastUserSwitching.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: network_boot.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{155243A4-8311-4D94-A3C1-982E2D4B240A}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A68422A-E5AA-448B-85C2-104FA522DFE0}: NameServer = 212.159.6.9,212.159.6.10
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 9163 bytes
-----------------------------------------------------------------------------------------------------
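One line in this second log deserves a closer look than the thread gives it: after OTM's [ResetHosts] step, HijackThis now reports "O1 - Hosts: ÿþ127.0.0.1 localhost". The characters ÿ and þ are how the two bytes FF FE render when read as Latin-1, and FF FE is a UTF-16 byte-order mark, so the rewritten hosts file starts with a BOM in front of what is otherwise plain text. The Python below is an added example, not part of the thread and not an OTM or HijackThis feature; it takes the raw bytes of a hosts file, reports a leading BOM without letting it garble the entries, and flags the two hijack shapes a helper looks for in that file: a real hostname sinkholed to loopback (the way update servers get blocked) and a hostname redirected to some other address. The three sample files are constructed, using documentation IP space and .test names.

```python
"""Hosts-file integrity check with byte-order-mark detection.

Added example: not part of the forum thread and not an OTM or HijackThis
feature. Given the raw bytes of a hosts file it reports a leading BOM
(the "ÿþ" in the second HJT log is bytes FF FE read as Latin-1), decodes
the body so the entries still parse, and flags hijacked mappings.
"""
from __future__ import annotations

import ipaddress

# Names a stock hosts file legitimately maps to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# (marker bytes, codec label) for the BOMs a tool or editor may prepend.
BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))

# Constructed samples: documentation IPs and .test names, nothing real.
CLEAN_HOSTS = b"# default hosts file\r\n127.0.0.1 localhost\r\n::1 localhost\r\n"
BOM_HOSTS = b"\xff\xfe127.0.0.1 localhost\r\n::1 localhost\r\n"
HIJACKED_HOSTS = (b"127.0.0.1 localhost\r\n"
                  b"127.0.0.1 update.example-av.test  # blocks AV updates\r\n"
                  b"203.0.113.7 www.example-bank.test\r\n")


def decode_hosts(raw: bytes) -> tuple[str | None, str]:
    """Return (bom_label or None, decoded text).

    A UTF-16 BOM prepended to an 8-bit body (no NUL bytes, the shape the
    thread's log suggests) is stripped and the body read as Latin-1, so the
    entries are still parsed instead of turning into garbage.
    """
    for marker, label in BOMS:
        if raw.startswith(marker):
            body = raw[len(marker):]
            if label.startswith("utf-16") and b"\x00" not in body:
                return label, body.decode("latin-1")
            return label, body.decode(label, errors="replace")
    return None, raw.decode("latin-1")


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    entries: list[tuple[str, str]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names maps nothing
        addr, *names = parts
        entries.extend((addr, name.lower()) for name in names)
    return entries


def check_hosts(raw: bytes) -> dict:
    """Report BOM presence and every entry that redirects a real hostname."""
    bom, text = decode_hosts(raw)
    entries = parse_hosts(text)
    findings: list[str] = []
    if bom:
        findings.append(f"file starts with a {bom} byte-order mark; expected plain ASCII")
    for addr, name in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable address {addr!r} for {name}")
            continue
        if ip.is_loopback:
            if name not in LOCAL_NAMES:
                findings.append(f"{name} is sinkholed to loopback {addr}")
        else:
            findings.append(f"{name} is redirected to {addr}")
    return {"bom": bom, "entries": entries, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("bom", BOM_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        report = check_hosts(sample)
        print(f"{label}: bom={report['bom']} entries={len(report['entries'])}")
        for finding in report["findings"]:
            print("  -", finding)
```

On a home PC the hosts file normally contains nothing but the loopback lines, so any other mapping is worth explaining, and a mapping of a vendor's update host to 127.0.0.1 is the classic way malware keeps antivirus and Windows Update from reaching their servers. To check a live machine, read C:\Windows\System32\drivers\etc\hosts in binary mode and pass the bytes to check_hosts.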
kevinf80_1d0ac6
October 13th, 2010 11:00
The malware that was present in your first HJT log is gone, how is your system responding, any specific issues?
There are a couple of issues flagged by Security Check: your Java is out of date, and you also need Service Pack 2 (SP2) for your OS. We'll deal with that later. As follows please :-
Step 1
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions available Here
Step 2
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
What I'd like in your reply:
Kevin
kopperdrake
12 Posts
0
October 13th, 2010 13:00
I meant to say that whilst the PC seems less sluggish in general, the hard drive light seems to be on an awful lot, and when I go to IE8, windows still seem to take a while to open on occasion. It just doesn't seem 'snappy'.
kopperdrake
12 Posts
0
October 13th, 2010 13:00
Hi Kevin,
I'm just going through Step 1 - whilst I was trying to get to the eset.com website my Ad-Aware Ad-Watch Live popped up saying that explorer was trying to be redirected to a malicious IP address - unfortunately I didn't get a chance to grab the IP :(
Will keep you informed.
Duncan
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
October 13th, 2010 14:00
OK, something is obviously not right. Leave the last set of instructions for now and continue as follows please:
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
Combofix
Don't forget Combofix must be saved to your desktop. <--Very important
Ensure you have disabled your Firewall and all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <---Very important
Please include the C:\ComboFix.txt in your next reply for further review.
Examples of how to disable realtime protection available at the following link :-
Disable realtime protection
Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.
*EXTRA NOTES*
Post the log from Combofix in your reply please,
Kevin
kopperdrake
12 Posts
0
October 13th, 2010 15:00
Hi Kevin,
I left the PC running ESET and only just got your last post, so it had already completed. The report is as follows - I'll go on to Combofix now:
-------------------------------------------------------------------------------
C:\Users\Suzanne\AppData\Local\{FEAEFE26-7FAC-4655-89D7-147281C50736}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan cleaned by deleting - quarantined
C:\_OTM\MovedFiles\10132010_093122\C_Users\Suzanne\AppData\Roaming\Goxy\ogubv.exe a variant of Win32/Kryptik.HHI trojan cleaned by deleting - quarantined
----------------------------------------------------------------------------------
kopperdrake
12 Posts
0
October 13th, 2010 18:00
OK, finally managed to get ComboFix working but needed to uninstall Avast as no matter what I tried it kept running in the background according to ComboFix. Report is below:
------------------------------------------------------------------------------------
ComboFix 10-10-12.03 - Suzanne 14/10/2010 0:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.883 [GMT 1:00]
Running from: c:\users\Suzanne\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\winservice.exe
Infected copy of c:\windows\system32\drivers\msahci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.
2010-10-13 23:17 . 2010-10-13 23:18 -------- d-----w- c:\users\Suzanne\AppData\Local\temp
2010-10-13 23:17 . 2010-10-13 23:17 -------- d-----w- c:\users\suzannewatson\AppData\Local\temp
2010-10-13 23:17 . 2010-10-13 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-13 19:17 . 2010-10-13 19:17 -------- d-----w- c:\program files\ESET
2010-10-13 12:40 . 2010-10-13 12:40 -------- d-----w- c:\users\Suzanne\AppData\Roaming\Malwarebytes
2010-10-13 12:40 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 12:40 . 2010-10-13 12:40 -------- d-----w- c:\programdata\Malwarebytes
2010-10-13 12:38 . 2010-10-13 12:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 12:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 08:20 . 2010-10-13 08:20 -------- d-----w- C:\_OTM
2010-10-13 00:28 . 2010-10-13 00:28 388096 ----a-r- c:\users\Suzanne\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-13 00:28 . 2010-10-13 00:28 -------- d-----w- c:\program files\Trend Micro
2010-10-12 23:13 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-10-12 23:13 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-10-12 23:13 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-10-12 19:37 . 2010-10-13 22:54 -------- d-----w- c:\programdata\Alwil Software
2010-10-12 18:40 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-10-12 18:39 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-10-12 18:39 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-10-12 18:22 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-10-12 18:18 . 2010-10-12 18:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-11 21:34 . 2010-10-11 21:34 -------- d-----w- c:\users\Suzanne\AppData\Local\Microsoft Corporation
2010-10-11 21:33 . 2010-10-11 21:33 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-11 20:57 . 2010-10-11 20:57 -------- d-----w- c:\users\Suzanne\AppData\Local\Apps
2010-10-11 19:48 . 2010-10-11 19:48 -------- d-----w- C:\Transit
2010-10-11 19:43 . 2010-10-11 19:43 -------- d-----w- c:\users\Suzanne\AppData\Local\Help
2010-10-11 19:39 . 2007-02-18 21:11 194560 ----a-w- c:\windows\system32\ftsrch.dll
2010-10-11 19:39 . 2007-02-18 21:11 9728 ----a-w- c:\windows\system32\ftlx041e.dll
2010-10-11 19:39 . 2007-02-18 21:11 9216 ----a-w- c:\windows\system32\ftlx0411.dll
2010-10-11 19:39 . 2007-02-18 21:11 296960 ----a-w- c:\windows\winhlp32.exe
2010-10-11 11:46 . 2010-10-11 11:46 -------- d-----w- c:\programdata\WindowsSearch
2010-09-19 23:02 . 2010-10-13 08:03 -------- d-----w- c:\users\Suzanne\AppData\Roaming\Ovixs
2010-09-19 09:05 . 2010-09-16 09:24 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C7F992F-0118-4150-A5EB-B193BD16952E}\mpengine.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-26 6246400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-26 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-26 154136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-18 3810304]
"DellOSD"="c:\windows\System32\FastUserSwitching.exe" [2008-07-17 208896]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
c:\users\suzannewatson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
c:\users\Suzanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
network_boot.bat [2009-11-8 609]
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-04 16:05 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-309046856-507202056-2727457946-1000]
"EnableNotificationsRef"=dword:00000001
R3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [2004-02-25 201728]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-10-07 1357464]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-13 15008]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-06 64288]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-08-26 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-05-08 27648]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\DRIVERS\DLACPI.sys [2008-04-16 14392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2010-10-13 c:\windows\Tasks\SyncBack DELL hybrid backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-11-07 12:00]
2010-10-13 c:\windows\Tasks\User_Feed_Synchronization-{2C2A21EC-FA9C-4193-8DD1-CC1DA89096BC}.job
- c:\windows\system32\msfeedssync.exe [2009-09-06 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {0A68422A-E5AA-448B-85C2-104FA522DFE0} = 212.159.6.9,212.159.6.10
TCP: {155243A4-8311-4D94-A3C1-982E2D4B240A} = 212.159.6.9,212.159.6.10
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-14 00:19:51
ComboFix-quarantined-files.txt 2010-10-13 23:19
Pre-Run: 231,790,575,616 bytes free
Post-Run: 231,661,166,592 bytes free
- - End Of File - - 663C0C71095FD390FD551859C581AAD3
------------------------------------------------------------------------------------------------------
Following this I tried to access these forums from the infected PC and it won't let me. I can get to google, and Dell's home page, but if I try to get to the forums from my browsing history then IE8 says there's a connection problem with the internet. So I guess whatever was there is still there?
Cheers :)
Duncan
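As an added example, not code from this thread or from ComboFix's authors, here is a small Python reviewer for the "Reg Loading Points" section of a ComboFix log like the one above. The excerpt it parses is constructed from lines in that log, and the items it reports (UAC disabled, Security Center overrides set, a Run value with a bare file name) are prompts for a second look, not verdicts.

```python
import re

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-26 6246400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""
KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')   # "Name"=value [date size]
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SECCENTER_KEY = r"hkey_local_machine\software\microsoft\security center\svc"

def parse_reg_points(text):
    """Group the quoted name=value lines under their (lower-cased) registry key."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2)
    return keys

def _as_int(raw):
    """Decode ComboFix's 'dword:00000001' and '0 (0x0)' renderings; None if not numeric."""
    m = re.match(r"dword:([0-9a-f]{8})|(\d+)", raw, re.I)
    return (int(m.group(1), 16) if m.group(1) else int(m.group(2))) if m else None

def review(text):
    """Return review prompts (not verdicts) for the weak settings visible in the log."""
    keys, findings = parse_reg_points(text), []
    if _as_int(keys.get(POLICY_KEY, {}).get("EnableLUA", "1")) == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    # *Override=1 suppresses the Security Center alert for that component.
    for name, raw in keys.get(SECCENTER_KEY, {}).items():
        if name.endswith("Override") and _as_int(raw) == 1:
            findings.append(f"Security Center alert suppressed: {name}")
    # A Run value holding a bare file name is resolved via the search path, so look at it.
    for key, values in keys.items():
        for name, raw in (values.items() if key.endswith(r"\currentversion\run") else []):
            path = raw.split('"')[1] if raw.startswith('"') else raw.split(" [")[0]
            if not re.match(r"[a-z]:\\", path, re.I):
                findings.append(f"Run entry '{name}' has an unqualified path: {path}")
    return findings
```

Running `review(SAMPLE_LOG)` on the constructed excerpt reports the disabled UAC, the three Security Center overrides and the bare `RtHDVCpl.exe` entry; the last of these is a legitimate Realtek component in this log, which is why the output is a checklist rather than a detection.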
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
October 14th, 2010 00:00
If you can go to those first two sites OK without a redirection I'd say you're clean. Let's do a clean out in IE and see what difference that makes.
Open IE > Select > Tools > Internet Options > Under the general tab > Select > "Delete" in Browsing History. In new window tick everything > Then Delete.
Try accessing the site from Link. If it works OK, I'd say all is well.
From your logs I see you have Lavasoft's Ad-Aware installed. The new version has an anti-virus component, and this will conflict with Avast if it is running. Please make sure the anti-virus component is off (if present) in Ad-Aware when Avast is running:
You can turn off the anti-virus component of Ad-Aware as follows:
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 22.
Let me know how your system is responding. If there are no issues we'll clean up our tools.
Kevin
kopperdrake
12 Posts
0
October 14th, 2010 02:00
Hi Kevin,
Not sure what link you mean when you said:
"Try accessing the site from Link. If it works OK, I'd say all is well."
But I don't seem to be getting redirects now. I've installed the latest Java and the PC has downloaded some updates, which it hasn't done for a while now, so it seems as though we may be back on track. I'm going to install Firefox now as the default browser, and then get the rest of the PC updated. I'll hold off reinstalling Avast until we've cleaned everything out :)
Duncan
kevinf80_1d0ac6
2 Intern
•
1.1K Posts
0
October 14th, 2010 03:00
The word link was supposed to contain a link to this board, it didn't copy for some reason. I'd say you're back to normal if updates etc. are working. You need the Operating System updating to SP2 at your earliest convenience after we remove our tools etc.
Step 1
Remove Combofix now that we're done with it
The above procedure will delete the following:
Step 2
Step 3
Download and scan with CCleaner
1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
Step 4
If not already done get SP2 for Vista from Here
Please post back and let me know all the above went OK, especially the Combofix /Uninstall command. Let me know if you have any other issues or concerns.
Also remember about Ad-Aware: check to see if it has the anti-virus component, and if it does, do not let it run in real time when Avast is running. They will clash and may even negate security altogether.
Kevin.