I've let this problem sit for a little too long. Back in July, I got hit with a virus that I thought I got rid of. About a week later, all Yahoo searches (and some Google searches) started getting redirected, followed by new IE screens popping up with random advertising websites. AVG kept picking up infected files, and only deleting some of them. Last week, I noticed that, half of the time, the new IE windows would try to open, but fail, and that this would be followed, at some point, with a 'Generic Host Process for Win32 Services has encountered a problem' message.

I assume this either showed up through uTorrent (which I thought I had deleted, but is still apparently in the system), or BigFish games (please don't judge me).

DDS LOG:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:56:08.60 on Mon 10/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1396 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\Imgtask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll__BHODemonDisabled_YCQERMWRPPKJGTYHRKJGKLMNVMCZGSC
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.eadultgames.com/holdem/"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [ImgTask] c:\windows\Imgtask.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [msoffice] c:\docume~1\owner\locals~1\temp\scvhost.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\gamesp~1.lnk - c:\program files\gamespot\GameSpotDownloadManager_Win32.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: cbXRJATK - cbXRJATK.dll
Notify: tuvWPFyv - tuvWPFyv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {6afb6f98-289c-442e-b577-5e5125c742e2} - c:\windows\system32\tuvWPFyv.dll
SEH: {39e06d62-aa5e-4e40-8adc-e22ccb4bd55c} - c:\windows\system32\cbXRJATK.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKAPGx
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-5 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-5 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-5 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-9-22 91392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-11 24652]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-30 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-8-4 96256]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-27 25832]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-2 23936]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-6-11 42512]

=============== Created Last 30 ================

2010-10-03 22:54:30 0 d-----w- c:\documents and settings\owner\Maximize Games
2010-10-01 21:55:56 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-10-01 20:06:36 0 d-----w- c:\docume~1\owner\applic~1\World-Loom
2010-09-30 17:59:30 0 d-----w- c:\program files\Cooking Dash 3 - Thrills and Spills Collector's Edition
2010-09-30 05:25:36 0 d-----w- c:\documents and settings\all users\TheFallTrilogyEp2-BF
2010-09-30 03:58:37 0 d-----w- c:\program files\James Patterson Women's Murder Club - A Darker Shade of Grey
2010-09-28 04:34:46 0 d-----w- c:\docume~1\owner\applic~1\Batovi
2010-09-28 03:34:45 0 d-----w- c:\docume~1\owner\applic~1\Realore_Whiterra Roads Of Rome
2010-09-28 03:29:39 0 d-----w- c:\program files\Roads of Rome
2010-09-27 17:59:18 0 d-----w- c:\docume~1\owner\applic~1\KingArthur
2010-09-24 18:51:38 0 d-----w- c:\program files\Wandering Willows
2010-09-23 17:55:40 0 d-----w- c:\program files\Twisted Lands - Shadow Town Collector's Edition
2010-09-23 03:40:05 0 d-----w- c:\program files\Valerie Porter and the Scarlet Scandal
2010-09-20 02:52:19 0 d-----w- c:\docume~1\owner\applic~1\Freeze Tag
2010-09-17 20:18:58 0 d-----w- c:\docume~1\owner\applic~1\MA
2010-09-17 19:58:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SpinTop Games
2010-09-17 07:58:48 73216 ----a-w- c:\windows\temp.000
2010-09-16 07:50:57 0 d-----w- c:\docume~1\owner\applic~1\Whisper of a Rose Saves
2010-09-15 18:39:26 0 d-----w- c:\docume~1\owner\applic~1\Gamers Digital
2010-09-15 18:39:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Gamers Digital
2010-09-14 18:05:03 0 d-----w- c:\docume~1\owner\applic~1\BigFishGames
2010-09-14 06:07:57 0 d-----w- c:\program files\DragonStone
2010-09-13 22:21:54 0 d-----w- c:\docume~1\owner\applic~1\Artifact Quest
2010-09-13 06:04:34 0 d-----w- c:\docume~1\owner\applic~1\SunRay Games
2010-09-13 05:36:36 0 d-----w- c:\docume~1\owner\applic~1\Big Splash Games
2010-09-13 05:36:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Big Splash Games
2010-09-12 05:46:05 0 d-----w- c:\docume~1\owner\applic~1\Ten Heavens
2010-09-12 03:03:58 0 d-----w- c:\program files\Royal Trouble
2010-09-12 00:29:49 0 d-----w- c:\docume~1\owner\applic~1\TOMI2.THE GATES OF FATE
2010-09-09 17:55:31 0 d-----w- c:\docume~1\owner\applic~1\SecretIslandEng
2010-09-07 17:53:03 0 d-----w- c:\docume~1\owner\applic~1\Elephant Games
2010-09-07 06:54:18 0 d-----w- c:\docume~1\owner\applic~1\quickclick
2010-09-07 03:37:27 0 d-----w- c:\docume~1\owner\applic~1\Ghost Ship Studios

==================== Find3M ====================

2010-10-04 17:38:16 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-04 00:54:24 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-10-04 00:52:45 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-09-17 08:26:22 249856 ------w- c:\windows\Setup1.exe
2010-09-17 08:26:21 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-08-09 22:18:06 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-08-09 22:18:03 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-22 03:41:54 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-07-22 03:41:54 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 16:32:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-09 22:38:00 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-09 22:38:00 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:38:00 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38:00 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38:00 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38:00 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38:00 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38:00 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38:00 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-09 20:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-07-09 20:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-07-09 20:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-09 20:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2010-07-09 20:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-07-09 20:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-07 17:46:46 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2007-11-04 22:22:26 13445 ----a-w- c:\program files\install.log
2009-07-07 02:18:11 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-06-14 07:16:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061420080615\index.dat
2009-11-26 21:26:56 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-26 21:26:56 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-26 21:26:56 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:57:29.26 ===============