
Thread: redirects web pages, errors, slow and locks up.

  1. #1
    Member
    Join Date
    Oct 2010
    Posts
    38

    Default redirects web pages, errors, slow and locks up.

    Help, I have not run any fixes except for AVG. It is getting worse by the day; I have had it for about three days. Thanks, KA

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by K A at 22:13:19.14 on Tue 10/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.507 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    svchost.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Kevin Austin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf viewer\PDFXCviewIEPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
    StartupFolder: c:\docume~1\kevina~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-11 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-11 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-11 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-11 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-11 297752]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-10-26 822424]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]

    =============== Created Last 30 ================

    2010-10-12 21:39:17 -------- d-sh--w- c:\documents and settings\kevin austin\PrivacIE
    2010-10-12 10:55:11 482408 ----a-w- c:\windows\ssndii.exe
    2010-10-12 10:55:06 -------- d-----w- c:\program files\SamsungPrinterLiveUpdate
    2010-10-12 10:55:00 -------- d-----w- c:\windows\Samsung
    2010-10-12 10:54:19 26624 ----a-w- c:\windows\system32\ssp6ml3.dll
    2010-10-12 10:54:14 19968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\ssp6mpc.dll
    2010-10-12 10:54:08 65536 ----a-w- c:\windows\system32\ssp6mci.dll
    2010-10-12 10:54:08 151552 ----a-w- c:\windows\system32\ssp6mci.exe
    2010-10-12 10:54:02 81920 ----a-w- c:\windows\system32\ssdevm.dll
    2010-10-12 10:54:02 49152 ----a-w- c:\windows\system32\ssusbpn.dll
    2010-10-12 10:54:01 44544 ----a-w- c:\windows\system32\msxml4a.dll
    2010-10-12 10:53:59 21776 ----a-w- c:\windows\system32\msxml2a.dll
    2010-10-12 10:52:21 -------- d-----w- c:\program files\Samsung
    2010-10-11 22:21:52 -------- d-sh--w- c:\documents and settings\kevin austin\IETldCache
    2010-10-11 22:18:28 -------- dc-h--w- c:\windows\ie8
    2010-10-11 21:33:32 -------- d-----w- c:\windows\system32\scripting
    2010-10-11 21:33:32 -------- d-----w- c:\windows\system32\en
    2010-10-11 21:33:32 -------- d-----w- c:\windows\l2schemas
    2010-10-11 21:33:31 -------- d-----w- c:\windows\system32\bits
    2010-10-11 21:28:24 -------- d-----w- c:\windows\network diagnostic
    2010-10-11 21:24:27 -------- d-----w- c:\windows\EHome
    2010-10-11 03:11:48 423656 ----a-w- c:\windows\system32\deployJava1.dll

    ==================== Find3M ====================

    2010-07-17 07:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

    ============= FINISH: 22:14:46.10 ===============

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default




    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


    Nothing bad jumping out at me but this stuff hides, so let's do this. Run these in order please.

    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean







    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please





    Download OTS.exe by OldTimer to your Desktop.
    1. Close any open browsers.
    2. Double-click on OTS.exe to start the program.
    3. Leave all settings as they appear as default, except for the following:
      • Under Drivers, select "All".
      • Under Additional Scans, click on the "Extra" button.
    4. Now click the Run Scan button on the toolbar.
    5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    6. When the scan is complete Notepad will open with the report file loaded in it.
    7. Save that notepad file
    Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, just attach it).
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Oct 2010
    Posts
    38

    Default attached

    I can zip the OTS file, or any other way you like to get it?
    OTS.Txt:
    Your file of 152.8 KB bytes exceeds the forum's limit of 48.8 KB for this filetype.

    Malwarebytes did not find anything.
    Also, I do thank you for your help.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4850

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/16/2010 10:19:41 AM
    mbam-log-2010-10-16 (10-19-41).txt

    Scan type: Quick scan
    Objects scanned: 134834
    Time elapsed: 6 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Go ahead and zip and attach it

  5. #5
    Member
    Join Date
    Oct 2010
    Posts
    38

    Default Ots

    OTS file zipped and attached.

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Still nothing jumping out at me. You do have two antivirus programs running and that can be causing some problems; more than one can degrade system performance and cause other issues. You have Symantec and AVG, so you need to go to your Control Panel > Add Remove Programs and uninstall one.


    If you're getting redirects there could be a possible rootkit type of infection that most times doesn't show up on the logs, so let's check for one.



    • Please download GMER from one of the following locations, and save it to your desktop:
      • Main Mirror
        This version will download a randomly named file (Recommended)
      • Zip Mirror
        This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    • Extract the contents of the zipped file to desktop (applicable only to Zip mirror) .
    • Double click the downloaded file on your desktop.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in your reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
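    The check behind the two-vendor observation in post #6, as an added example that is not part of the thread or of DDS: it parses a DDS log, lists which security vendors have running processes or running services, and compares that with the log's `AV:` header. The excerpt is copied from the log in post #1; the vendor keyword table and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Excerpt of the DDS log in post #1 (lines copied from the thread, most omitted).
DDS_EXCERPT = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
============= SERVICES / DRIVERS ===============
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-11 27784]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
"""

# Assumption: keyword table chosen for this log; extend it for other vendors.
VENDOR_PATTERNS = {
    "AVG": re.compile(r"\\avg\\|\bAVG\b", re.I),
    "Symantec": re.compile(r"symantec|norton", re.I),
}
SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")

def split_sections(log):
    """Group non-empty log lines under the '==== Name ====' header above them."""
    sections, current = defaultdict(list), "header"
    for line in (raw.strip() for raw in log.splitlines()):
        match = SECTION_HEADER.match(line)
        if match:
            current = match.group(1)
        elif line:
            sections[current].append(line)
    return sections

def resident_security_vendors(log):
    """Map vendor -> resident components and whether the AV: header names it."""
    sections = split_sections(log)
    av_header = [l for l in sections["header"] if l.startswith("AV: ")]
    entries = [("proc:" + l.rsplit("\\", 1)[-1], l) for l in sections["Running Processes"]]
    for line in sections["SERVICES / DRIVERS"]:
        state, _, rest = line.partition(" ")
        if state.startswith("R"):  # DDS marks running entries R, stopped S
            entries.append(("svc:" + rest.split(";", 1)[0], rest))
    result = {}
    for vendor, pattern in VENDOR_PATTERNS.items():
        hits = sorted(label for label, text in entries if pattern.search(text))
        if hits:
            result[vendor] = {"components": hits,
                              "in_av_header": any(pattern.search(l) for l in av_header)}
    return result
```

    A path match shows which vendor's components are resident, not which product installed them, so check the `in_av_header` value and Add Remove Programs before deciding what to uninstall.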

  7. #7
    Member
    Join Date
    Oct 2010
    Posts
    38

    Default Gmer

    I tried 4 times yesterday and twice today to run GMER: computer lockup, blue screen, etc. Today I think it did the full scan; I clicked on save and the hourglass stays up, it never brought up the save menu.
    A little bit of the history, if this helps: I was on the web and a pop-up that looked like AVG showed I have threats, do you want to remove; I clicked yes and that's when it loaded the virus, I think.
    With Norton Ghost I recovered a copy from the first of the year. It looked clean at first but within a few days I had all the problems: problems booting, shutting down, blue screen, lockup, redirect web pages, errors.
    I will try to run GMER a few more times and see if I can get you anything.
    Thanks

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Don't know why, but GMER gives some systems fits and on some it goes smooth as glass.

    Try it this way, and if it's still a no go then try it again but in Safemode.

    Check only both "Sections" and "C:\" ; leaving all others unchecked.


    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it: How to boot into Safemode

  9. #9
    Member
    Join Date
    Oct 2010
    Posts
    38

    Default Gmer

    File 1 is in normal Windows but did not finish.
    File 2 is in safe mode and did finish.
    See if this will tell you anything.

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Both GMER logs look ok.

    Try this other one, it's more system friendly.

    Please download Rooter Rootkit Detector to your Desktop
    • Doubleclick it to start the tool.
    • A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
    • Post the report for me to see.






    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
