Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search redirects


  • This topic is locked This topic is locked
7 replies to this topic

#1 mmahamm

mmahamm

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 29 July 2009 - 10:09 AM

...but second and subsequent clicks are redirected. I searched for solutions on this forum, but the responses appear to be very individualized, and the instructions appear to point toward individual posting, so here goes.

Clicking on the links resulting from a Google search result in redirects to various other related or unrelated pages.

Here is the dds.txt:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 10:57:50.50 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.591 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AlcFDMonitor] c:\windows\ALCFDRTM.EXE
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-6.0.1.33\QOELoader.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: PFW - UmxWnp.Dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gvx4wf7b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\firefox\components\CallingIDLinkAdvisorGecko.dll
FF - component: c:\program files\ca\ca internet security suite\ca website inspector\toolbar\firefox\components\CIDDomFx3.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");
============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-2-2 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-2-2 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-2-2 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-2-2 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-2-2 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-2-2 144696]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-2-2 255216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-4 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-2-2 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-2-2 108368]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2009-5-12 11264]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-12-6 11520]

=============== Created Last 30 ================

2009-07-27 08:02 61,440 a------- c:\windows\system32\drivers\tsznzwb.sys
2009-07-27 07:18 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-27 07:13 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 07:13 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-27 07:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 07:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-26 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CanonCP
2009-07-24 16:32 <DIR> --d----- c:\program files\hfiwvj
2009-07-24 13:43 3,245 a------- c:\windows\system32\wbem\Outlook_01ca0c864089d52a.mof
2009-07-18 21:45 91,916 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-07-18 21:45 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-07-16 07:57 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo
2009-07-16 01:05 1,110,399 a------- c:\windows\system32\UACdpwfiinykkrpjgglt.db
2009-07-16 01:05 310 a------- c:\windows\system32\UACedkyhsarnumptiqau.dat
2009-07-15 08:55 206 a------- c:\windows\system32\MRT.INI
2009-07-03 08:08 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-07-02 18:59 <DIR> --d----- c:\docume~1\owner\applic~1\Backup MyPC
2009-07-02 16:24 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-02 16:24 2 a------- C:\-196560866

==================== Find3M ====================

2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 10:59:58.18 ===============
-Michael

Centreville, VA

BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 29 July 2009 - 05:27 PM

Hello, mmahamm.
Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Please note that I may have taken this log out of order. As a HJT trainee, I occasionally take logs out of order to further develop my skills. I have a balance of older logs (e.g. first come, first served) and fresh logs. If you are reading this and are still waiting, please be patient. Our volunteers are working as hard we as we can to help everyone.

Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean.
  • If at any point, you are not sure what I am asking for, please ask me and I can better communicate what I mean.
  • Please reply within 5 days of my last post or the thread will be closed. If you will be away or unable to reply, please let me know in advance so the thread is not closed. We have many folks waiting for help and it is not fair to keep an unresponsive thread open.
  • Please reply to this post so I know you are there.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 30 July 2009 - 06:01 AM

Hello, mmahamm.


Step 1

I see Viewpoint is installed on your machine. Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 2

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Step 3

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit. If it is not there, let me know as ComboFix may have removed it.

c:\windows\system32\drivers\tsznzwb.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step 4

In your reply, please post:
  • The Combofix log.
  • the results from the online virus scan for the one file
  • an updated DDS log (both info.txt and attach.txt)
  • a description of any remaining issues...can you access Google ok now?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#4 mmahamm

mmahamm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 31 July 2009 - 10:22 PM

Here is the combofix.txt file:

ComboFix 09-07-31.02 - Owner 07/31/2009 22:44.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1087 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1690175968-0234485417-985240095-9380
c:\recycler\S-1-5-21-1693142573-2701678193-3712899132-500
c:\windows\Installer\1455e96.msp
c:\windows\Installer\1455ea6.msp
c:\windows\Installer\1455f24.msp
c:\windows\Installer\1455fc6.msp
c:\windows\Installer\1456102.msp
c:\windows\Installer\cf24de.msi
c:\windows\run.log
c:\windows\system32\drivers\SKYNETgxwurini.sys
c:\windows\system32\drivers\UAClhylqgkwvr.sys
c:\windows\system32\SKYNETfqpxmktp.dat
c:\windows\system32\SKYNETkndsetvj.dat
c:\windows\system32\SKYNETnsvsmuvx.dll
c:\windows\system32\SKYNETrfvkonbg.dll
c:\windows\system32\UACdpwfiinykkrpjgglt.db
c:\windows\system32\UACedkyhsarnumptiqau.dat
c:\windows\system32\UACwjykhbowki.dll
E:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETqlrvrwbw
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-27 12:02 . 2009-07-27 12:02 61440 ----a-w- c:\windows\system32\drivers\tsznzwb.sys
2009-07-27 11:18 . 2009-07-27 11:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-27 11:13 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 11:13 . 2009-07-27 11:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 11:13 . 2009-07-27 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-27 11:13 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 23:08 . 2009-07-26 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonCP
2009-07-26 23:08 . 2007-02-21 14:20 108736 ------w- c:\documents and settings\All Users\Application Data\CanonCP\CNYSELPHYCP\CNYWINDOWS\CNYCanon SELPHY CP740\CNYCPUIN.EXE
2009-07-26 23:08 . 2007-01-12 12:07 102400 ------w- c:\documents and settings\All Users\Application Data\CanonCP\CNYSELPHYCP\CNYWINDOWS\CNYCanon SELPHY CP740\CNY04091.DLL
2009-07-24 20:32 . 2009-07-28 01:35 -------- d-----w- c:\program files\hfiwvj
2009-07-16 11:57 . 2009-07-16 11:58 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-07-03 12:08 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-07-02 22:59 . 2009-07-02 22:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Backup MyPC
2009-07-02 20:24 . 2009-07-02 20:24 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 02:56 . 2008-10-25 22:03 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-08-01 02:54 . 2009-07-19 01:45 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-08-01 02:54 . 2009-07-19 01:45 213460 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-08-01 00:45 . 2009-02-02 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\CallingID
2009-07-31 23:14 . 2008-08-05 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-31 23:14 . 2008-08-05 00:36 -------- d-----w- c:\program files\Viewpoint
2009-07-31 21:06 . 2008-08-07 00:45 -------- d-----w- c:\program files\Sound Forge XP
2009-07-31 12:29 . 2009-02-02 13:04 91376 ----a-w- c:\windows\system32\isafprod.dll
2009-07-31 00:45 . 2008-08-06 11:03 -------- d-----w- c:\program files\palmOne
2009-07-30 20:29 . 2009-02-02 13:04 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-07-30 20:29 . 2009-02-02 13:04 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-07-30 20:29 . 2009-02-02 13:04 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-07-30 20:29 . 2009-02-02 13:04 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-07-29 14:12 . 2008-08-06 04:40 89064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 02:12 . 2008-08-05 00:35 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-16 02:09 . 2009-07-16 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-07-03 17:09 . 2004-10-28 00:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 22:59 . 2009-06-23 16:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2009-07-01 22:40 . 2009-07-01 22:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Sonic
2009-06-23 16:16 . 2009-06-23 16:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-06-23 16:15 . 2009-06-23 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-06-23 16:08 . 2009-06-23 16:08 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-23 16:08 . 2009-06-23 16:03 -------- d-----w- c:\program files\Roxio
2009-06-23 16:07 . 2009-06-23 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-23 16:07 . 2009-06-23 16:07 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-06-23 16:07 . 2009-06-23 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-06-23 16:07 . 2009-06-23 16:03 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-23 16:06 . 2008-08-05 00:32 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-22 10:43 . 2009-06-22 10:42 -------- d-----w- c:\program files\IrfanView
2009-06-16 14:36 . 2004-10-28 00:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-10-28 00:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:13 . 2008-08-05 00:32 -------- d-----w- c:\program files\Java
2009-06-12 11:10 . 2009-06-12 11:10 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 01:33 . 2008-08-05 11:50 -------- d-----w- c:\program files\Quicken
2009-06-08 01:32 . 2009-06-08 01:32 2904064 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2009-06-08 01:31 . 2009-04-07 18:39 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-06-03 19:09 . 2004-10-28 00:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 03:06 . 2008-08-05 00:37 -------- d-----w- c:\program files\BigFix
2009-05-21 15:33 . 2009-01-01 02:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-19 05:36 . 2009-07-16 02:09 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-07-16 02:09 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-07-16 02:09 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-07-16 02:09 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-07-16 02:09 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-07-16 02:09 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-07-16 02:09 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-07-16 02:09 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-07 15:32 . 2004-10-28 00:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 11:09 . 2008-12-17 03:35 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-03-30 12:00 . 2009-03-30 11:55 109 --sha-w- c:\windows\system32\4098406430.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-01-10 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2008-09-25 81920]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-06-30 99480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-05 98304]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-23 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230640]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2009-02-02 14088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-23 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-10-02 167936]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-8-6 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-8-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-06-23 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1217902055\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [3/19/2008 11:56 AM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/21/2008 4:00 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [3/21/2008 4:00 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [3/19/2008 11:56 AM 115216]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/4/2008 12:27 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [3/21/2008 4:00 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 11:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 11:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/15/2008 12:50 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/30/2008 4:56 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2/2/2009 9:04 AM 185584]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [5/12/2009 10:08 PM 11264]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [12/6/2008 4:03 PM 11520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as Owner at 8 05 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2009-02-02 13:06]

2008-08-20 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-10-28 00:12]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-WinDefend


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
LSP: c:\windows\system32\VetRedir.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gvx4wf7b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 22:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ProgID]
@DACL=(02 0000)
@SACL=
@="AcroAccess.AcrobatAccess.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\Programmable]
@DACL=(02 0000)
@SACL=
@=""

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{C523F390-9C83-11D3-9094-00104BD0D535}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID]
@DACL=(02 0000)
@SACL=
@="AcroAccess.AcrobatAccess"

[HKEY_LOCAL_MACHINE\software\Classes\igfx.CUITestConfig.1\CLSID]
@DACL=(02 0000)
@SACL=
@="c"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\2.0]
@DACL=(02 0000)
@SACL=
@="Acrobat Access 2.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-08-01 23:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 03:05

Pre-Run: 204,978,434,048 bytes free
Post-Run: 208,157,167,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut

345 --- E O F --- 2009-07-29 04:11

Here is the result, as reported by jotti:

This file has been scanned before. The results for this previous scan are listed below.


Filename: jvwm.sys
Status:
Scan finished. 3 out of 20 scanners reported malware.
Scan taken on: Thu 23 Jul 2009 17:08:11 (CET) Permalink

Additional info
File size: 61440 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 589312a3b46721c5a751e4d5222a89be
SHA1: 3a497d3968a4f6e3c648d196da38e5f98e75ec30

You asked for info.txt. I do not see an info.txt. there is a log.txt file, and I am attaching that, perhaps that's what you meant.

Attached Files


-Michael

Centreville, VA

#5 mmahamm

mmahamm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 01 August 2009 - 06:27 AM

hee hee...

forgot to mention.

Yes, the redirect appears to have been eliminated. Thank you.
-Michael

Centreville, VA

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 01 August 2009 - 07:41 AM

Hello, mmahamm.

Sorry, I meant to ask you to post DDS.txt not INFO.txt, but we have enough to proceed further. We still have a lot to do, even though the redirects are gone. Thanks for letting me know that the redirects are gone.


Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\tsznzwb.sys

SRPeek::
c:\windows\system32\proquota.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please do an online scan with Kaspersky WebScanner

Please note, this scan may take a while to complete.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step 3
In your reply, please do the following:
  • post the combofix log
  • a new DDS log
  • Kapersky log
  • a description of any remaining issues


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 04 August 2009 - 07:28 AM

Hi mmahamm-

have you had a chance to follow the instructions above? They are important...the malware did impact your sysstem and we need to finish cleaning it. Please respond in the next 2 days or this thread may be closed.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:03 PM

Posted 06 August 2009 - 07:07 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users