
Unknown hijacks redirect search engines & browser, disabled virus & malware protection


This topic is locked
27 replies to this topic

#1 machias

machias

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 16 September 2009 - 12:39 PM

First off, I'd like to thank all volunteers VERY MUCH for helping me out. It is truly appreciated!

Secondly, apologies for not being able to provide any infection details. I've run CA anti-virus and Ad-Aware multiple times, including in Safe Mode, and nothing is being detected. Additionally, both programs are unable to update, either via the program or manually. The hijacks must be blocking these, because when I go to the web address for Ad-Aware manual updates the zip file does not appear, and the webpage is completely blank.

I also downloaded Malwarebytes and while it did install, it will not launch from the icon or by going directly to the .exe, even in Safe Mode. Kaspersky will not install in Safe Mode. It now looks like CA anti-virus and Ad-Aware are also being blocked from running. I am still able to run Hijack This!, but have not done anything more than simply scan & create a report with it.

The specific symptoms of the hijack, listed in order of annoyance, are:
  • Win XP completely locks up after I've browsed with IE7 and closed it down, to the point that I cannot Ctrl-Alt-Del or Start>Shut Down. My only choice has been to power down. I'm now beginning to see Win XP locking up in this way after a hard reboot and Firefox, to the point that I've had to use another PC to enter this post. Because of this I'm no longer using IE.
  • All search engine results are redirected no matter which search engine I've used. When I click on a result, I am redirected to an advertising site. However, the results listed by the search engine are legitimate, i.e. I can copy & paste web addresses from Google results to get to the website I need.
  • A hijack causes IE7 to open pop-ups, including one that tries to appear as though it's a virus scanner that's detected an infection (see attachment, hijack001.jpg). I'm using Firefox when this happens and FF is not affected, but IE7 must be completely closed for it to occur.
    I then kill the IE pop-up using Ctrl-Alt-Del and going to the Applications tab in the Task Manager. I've also tried killing the hijacker directly by using the Processes tab in the Control Mgr, but I've got multiple infections and I'm sure they're buried in the Reg, so it doesn't work. The pop-ups seem to occur about every 5-10 minutes, regardless of how many times I've killed IE, and even when I'm not on the net.
  • While browsing in IE7, a pop-up appears for "Online Protect Tool" asking permission to install (see attachment, hijack002.jpg). I've dealt with it by clicking the X-Close button in the pop-up.
  • While browsing in IE7 or FF, ads are being replaced by a male enhancement product called Vimax (see attachment, hijack003.jpg). Previously this was just a minor annoyance, but I am now having a problem accessing some websites, i.e. LinkedIn.

The log of the DDS scan is as follows:
==========================================
DDS (Ver_09-07-30.01) - NTFSx86
Run by Main at 18:33:43.23 on Tue 09/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.103 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\windows\pp12.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\webserver\webserver.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Main\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IEHlprObjClass: {ce7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\kensington\mouseworks\IE_KMW.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM]
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Rosary Reminder] c:\program files\virtual rosary\reminder.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [MSWheel]
mRun: [sysldtray] c:\windows\ld14.exe
mRun: [pp] c:\windows\pp12.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\main\startm~1\programs\startup\deskto~1.lnk - c:\program files\desktop alert\desktopalert_2391939.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/setup.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1119244554500
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222564906484
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
TCP: NameServer = 85.255.112.9,85.255.112.24
TCP: {3215A9E4-D3F8-4722-BEED-C7FA05572373} = 85.255.112.9,85.255.112.24
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\q8fafaai.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-13 64160]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2007-7-8 26640]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2007-7-8 21392]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-6-4 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2007-7-8 21648]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-7-8 32528]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-7-8 144960]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-27 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-22 1251720]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-7-8 242952]
R2 webserver;webserver;c:\program files\webserver\webserver.exe [2009-9-13 13824]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-6-4 108368]
S2 ddnsfilter;ddnsfilter;c:\windows\system32\SvchOst.eXE -k ddnsfilter [2004-8-11 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [2006-12-8 9728]
S3 USTORAGE;UMass Storage Device;c:\windows\system32\drivers\UStorage.sys [2009-4-14 31104]

=============== Created Last 30 ================

2009-09-15 06:39 77,824 a------- c:\windows\vkl_1253014765.exe
2009-09-14 17:53 77,824 a------- c:\windows\vkl_1252968740.exe.exe
2009-09-14 17:52 77,824 a------- c:\windows\vkl_1252968740.exe
2009-09-14 05:18 77,824 a------- c:\windows\vkl_1252923436.exe.exe
2009-09-14 05:17 77,824 a------- c:\windows\vkl_1252923436.exe
2009-09-13 10:13 77,824 a------- c:\windows\vkl_1252854800.exe
2009-09-13 09:23 77,824 a------- c:\windows\vkl_1252851767.exe.exe
2009-09-13 09:23 77,824 a------- c:\windows\vkl_1252851767.exe
2009-09-13 09:22 13,824 a------- c:\windows\vkl_1252851738.exe
2009-09-13 08:53 37,504 a------- c:\windows\system32\drivers\FILTER.sys
2009-09-13 08:53 <DIR> --d----- c:\program files\ddnsFilter
2009-09-13 08:53 77,824 a------- c:\windows\vkl_1252850031.exe
2009-09-13 08:53 1 a------- c:\windows\fdgg34353edfgdfdf
2009-09-13 08:53 49,152 ----h--- c:\windows\pp12.exe
2009-09-13 08:53 13,824 a------- c:\windows\vkl_1252850014.exe
2009-09-13 08:53 <DIR> --d----- c:\program files\webserver
2009-09-13 08:53 13,824 a------- c:\windows\vkl_1252849994.exe
2009-09-13 08:53 2 a------- c:\windows\0535251103110107106.yux
2009-09-13 08:53 18,432 a------- c:\windows\srpira1252849992.eXE
2009-09-13 08:53 53,248 -------- c:\windows\ld14.exe
2009-09-12 00:07 <DIR> --d----- C:\Atari Breakout
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-02 14:22 91,648 a------- c:\windows\system32\drivers\kmw_sys.sys
2009-09-02 14:22 10,112 a------- c:\windows\system32\drivers\kmw_usb.sys
2009-09-02 14:22 5,376 a------- c:\windows\system32\drivers\kmw_kbd.sys
2009-09-02 14:22 4,736 a------- c:\windows\system32\drivers\kmw_lib.sys
2009-09-02 14:22 176,128 a------- c:\windows\system32\kmw_show.exe
2009-09-02 14:22 110,592 a------- c:\windows\system32\kmw_dll.dll
2009-09-02 14:22 106,496 a------- c:\windows\system32\kmw_run.exe

==================== Find3M ====================

2009-09-15 06:37 7,304 a------- c:\windows\TMP0001.TMP
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 08:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 09:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 06:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 03:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 03:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 03:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-05-21 21:35 250 a------- c:\documents and settings\main\jobq.dat
2009-03-02 21:05 96,080 a------- c:\docume~1\main\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:34:47.21 ===============
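The DDS log above already contains the indicators a responder looks at first: the two TCP: NameServer entries pointing every DNS lookup at resolvers the owner did not choose (the same registry values GooredFix later reports removing in post #4), Run entries launching executables dropped straight into c:\windows rather than a program directory, and a service hosted by svchost whose image path is written with odd casing and an unrecognised -k group. The script below is an added example for this thread, not part of DDS, GooredFix or RootRepeal; it parses DDS-style lines (the sample input is copied from the log above) and flags those three patterns. The resolver allowlist and the list of svchost groups are assumptions chosen for the illustration, and the check is deliberately coarse: a hit means "review this entry", and an owner will recognise some of the flagged Run entries as legitimate.

```python
"""Triage helper for the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines of
a DDS log.  Added example for this thread; it is not part of DDS, GooredFix or
RootRepeal.  The heuristics and allowlists are assumptions made for the
illustration: a hit means "review this entry first", not "this is malware".
"""
import ipaddress
import re
from typing import Dict, List

# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG: List[str] = [
    r"uStart Page = hxxp://www.nytimes.com/",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mRun: [igfxpers] c:\windows\system32\igfxpers.exe",
    r'mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"',
    r"mRun: [VX1000] c:\windows\vVX1000.exe",
    r"mRun: [sysldtray] c:\windows\ld14.exe",
    r"mRun: [pp] c:\windows\pp12.exe",
    r"TCP: NameServer = 85.255.112.9,85.255.112.24",
    r"TCP: {3215A9E4-D3F8-4722-BEED-C7FA05572373} = 85.255.112.9,85.255.112.24",
    r"R2 webserver;webserver;c:\program files\webserver\webserver.exe [2009-9-13 13824]",
    r"S2 ddnsfilter;ddnsfilter;c:\windows\system32\SvchOst.eXE -k ddnsfilter [2004-8-11 14336]",
    r"S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]",
]

# Assumption: a home PC gets its resolvers from the router via DHCP, so only
# private addresses are expected in NameServer; anything public is flagged.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network(n) for n in
                          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a partial list of svchost groups used by a stock Windows XP.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "dcomlaunch", "rpcss", "localservice",
                        "networkservice", "imgsvc", "httpfilter", "termsvcs"}

NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[")
# Executable sitting directly in the Windows root, not in a subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe', re.IGNORECASE)
EXE_RE = re.compile(r'([^\\/\s"]+\.exe)', re.IGNORECASE)


def unexpected_resolvers(line: str) -> List[str]:
    """Return resolver IPs on a TCP: NameServer line that are not allowlisted."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    flagged = []
    for token in m.group(1).split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            continue
        if not any(addr in net for net in EXPECTED_RESOLVER_NETS):
            flagged.append(str(addr))
    return flagged


def suspicious_run_entry(line: str) -> bool:
    """Flag Run entries whose executable lives directly under c:\\windows."""
    m = RUN_RE.match(line)
    return bool(m) and bool(WINDOWS_ROOT_EXE_RE.match(m.group("cmd")))


def suspicious_service(line: str) -> bool:
    """Flag svchost-hosted services with odd casing or an unknown -k group."""
    m = SERVICE_RE.match(line)
    if not m:
        return False
    image = m.group("image")
    exe = EXE_RE.search(image)
    if not exe or exe.group(1).lower() != "svchost.exe":
        return False
    if exe.group(1) != "svchost.exe":      # registry value written as e.g. SvchOst.eXE
        return True
    parts = image.split()
    if "-k" in parts and parts.index("-k") + 1 < len(parts):
        return parts[parts.index("-k") + 1].lower() not in KNOWN_SVCHOST_GROUPS
    return False


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Run every check over the log and group the hits by category."""
    findings: Dict[str, List[str]] = {"dns": [], "run": [], "service": []}
    for line in lines:
        findings["dns"].extend(unexpected_resolvers(line))
        if suspicious_run_entry(line):
            findings["run"].append(line)
        if suspicious_service(line):
            findings["service"].append(line)
    # DDS repeats the resolvers per interface; keep each address once, in order.
    findings["dns"] = list(dict.fromkeys(findings["dns"]))
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"[{category}] {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample input the DNS check reports the two 85.255.112.x resolvers, the Run check flags the three executables in the Windows root (sysldtray, pp and the VX1000 entry, which shows why a human still reviews the list), and the service check flags ddnsfilter on both its casing and its group name. Replacing a machine's resolvers is what makes search redirection survive switching browsers, which matches the symptom described in the first post, so the NameServer check is the one worth running over any such log first.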

#2 machias

machias
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 16 September 2009 - 02:27 PM

I've just completed another scan using CA anti-virus in Safe Mode, and detected 3 instances of HTML/FakeAV.A and 1 instance of Win32/LdPinch.XI, all of which CA says were deleted.

XP Restore was not enabled.

Hello machias,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 16 September 2009 - 05:45 PM.


#3 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 18 September 2009 - 09:16 AM

Hi,

Sorry for the delay in responding. Let's see if we can get you cleaned up.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox and Internet Explorer windows are closed.
  • To run the tool, double-click it.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Let me know if either the redirects or the Vimax ads are gone after this. Don't worry if they haven't (see below).


There may well be something else hiding in your logs, so let's run a deep scan for rootkits. We need to check for rootkits with RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • In the Select Scan dialog, check the options shown in the original post's image.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Please post this log in your next reply.
Please also run DDS again and post the first log it gives (DDS.txt).
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image


#4 machias

machias
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 10:20 AM

  • GooredFix by jpshortstuff (18.09.09)
    Log created at 10:04 on 18/09/2009 (Main)
    Firefox version 3.5.3 (en-US)

    ========== GooredScan ==========

    Removing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3215A9E4-D3F8-4722-BEED-C7FA05572373}\\NameServer -> Success!
    Removing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\\NameServer -> Success!

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [20:54 26/08/2006]
    {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [01:25 30/06/2007]
    {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [02:43 02/08/2007]
    {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [00:26 11/01/2008]
    {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [23:49 02/04/2008]
    {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [11:57 01/10/2008]
    {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [11:49 10/12/2008]
    {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [11:03 11/03/2009]
    {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [13:50 18/04/2009]
    {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [17:42 13/06/2009]
    {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [00:58 05/08/2009]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:30 23/04/2009]
    "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [06:07 06/05/2009]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [11:03 11/03/2009]

    -=E.O.F=-

  • ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/18 10:06
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF812A000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF8A79000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF7BDC000 Size: 49152 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "Lbd.sys" at address 0xf858787e

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "Lbd.sys" at address 0xf8587bfe

    Hidden Services
    -------------------
    Service Name: ESQULserv.sys
    Image Path: C:\WINDOWS\system32\drivers\ESQULvhgrhkqnquisbmvvfypiwvtumsvgwdrw.sys

    ==EOF==

  • DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
    Run by Main at 10:09:09.07 on Fri 09/18/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.261 [GMT -5:00]

    AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Main\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.nytimes.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: IEHlprObjClass: {ce7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\kensington\mouseworks\IE_KMW.DLL
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
    mRun: [DellMCM]
    mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Rosary Reminder] c:\program files\virtual rosary\reminder.exe
    mRun: [VX1000] c:\windows\vVX1000.exe
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
    mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [kmw_run.exe] kmw_run.exe
    mRun: [MSWheel]
    mRun: [sysldtray] c:\windows\ld14.exe
    mRun: [pp] c:\windows\pp12.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\main\startm~1\programs\startup\deskto~1.lnk - c:\program files\desktop alert\desktopalert_2391939.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: c:\windows\system32\VetRedir.dll
    DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/WinNTChk.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/setupini.cab
    DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/setup.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://activity.msoe.edu:4343/officescan/console/ClientInstall/RemoveCtrl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1119244554500
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222564906484
    DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
    DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\q8fafaai.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-13 64160]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2007-7-8 21648]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    S1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2007-7-8 26640]
    S1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2007-7-8 21392]
    S1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-6-4 880560]
    S1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-7-8 32528]
    S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-7-8 144960]
    S2 ddnsfilter;ddnsfilter;c:\windows\system32\SvchOst.eXE -k ddnsfilter [2004-8-11 14336]
    S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-27 55152]
    S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
    S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-22 1251720]
    S2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-7-8 242952]
    S2 webserver;webserver;c:\program files\webserver\webserver.exe [2009-9-13 13824]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [2006-12-8 9728]
    S3 USTORAGE;UMass Storage Device;c:\windows\system32\drivers\UStorage.sys [2009-4-14 31104]
    S3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-6-4 108368]

    =============== Created Last 30 ================

    2009-09-17 20:46 1 ----h--- c:\windows\bk23567.dat
    2009-09-17 20:46 1 ----h--- c:\windows\mmsmark2.dat
    2009-09-17 20:46 96,768 a------- c:\windows\vkl_1253238373.exe
    2009-09-17 20:46 77,824 a------- c:\windows\mstre22.exe
    2009-09-17 20:46 2 a------- c:\windows\0101120101465050.xe
    2009-09-17 20:46 2 a------- c:\windows\0101120101465254.xe
    2009-09-17 20:44 2 a------- c:\windows\010112010146101105.rx
    2009-09-16 19:30 96,768 a------- c:\windows\vkl_1253147411.exe
    2009-09-16 19:29 13,824 a------- c:\windows\vkl_1253147372.exe
    2009-09-16 18:51 96,768 a------- c:\windows\vkl_1253145074.exe
    2009-09-16 18:50 13,824 a------- c:\windows\vkl_1253145046.exe
    2009-09-16 18:07 96,768 a------- c:\windows\vkl_1253142433.exe
    2009-09-16 18:06 13,824 a------- c:\windows\vkl_1253142413.exe
    2009-09-16 18:06 2 a------- c:\windows\010112010146116101.xe
    2009-09-16 14:17 664 a------- c:\windows\system32\d3d9caps.dat
    2009-09-16 13:55 <DIR> --d----- c:\program files\Lavalys
    2009-09-16 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2009-09-16 08:43 96,768 a------- c:\windows\vkl_1253108608.exe
    2009-09-16 08:43 13,824 a------- c:\windows\vkl_1253108565.exe
    2009-09-15 22:02 77,824 a------- c:\windows\vkl_1253070108.exe.exe
    2009-09-15 22:02 77,824 a------- c:\windows\vkl_1253070108.exe
    2009-09-15 21:39 77,824 a------- c:\windows\vkl_1253068727.exe.exe
    2009-09-15 21:38 77,824 a------- c:\windows\vkl_1253068727.exe
    2009-09-15 21:18 77,824 a------- c:\windows\vkl_1253067506.exe
    2009-09-15 20:56 77,824 a------- c:\windows\vkl_1253066187.exe
    2009-09-15 20:36 77,824 a------- c:\windows\vkl_1253064967.exe
    2009-09-15 20:17 77,824 a------- c:\windows\vkl_1253063845.exe
    2009-09-15 06:39 77,824 a------- c:\windows\vkl_1253014765.exe
    2009-09-14 17:53 77,824 a------- c:\windows\vkl_1252968740.exe.exe
    2009-09-14 17:52 77,824 a------- c:\windows\vkl_1252968740.exe
    2009-09-14 05:18 77,824 a------- c:\windows\vkl_1252923436.exe.exe
    2009-09-14 05:17 77,824 a------- c:\windows\vkl_1252923436.exe
    2009-09-13 10:13 77,824 a------- c:\windows\vkl_1252854800.exe
    2009-09-13 09:23 77,824 a------- c:\windows\vkl_1252851767.exe.exe
    2009-09-13 09:23 77,824 a------- c:\windows\vkl_1252851767.exe
    2009-09-13 09:22 13,824 a------- c:\windows\vkl_1252851738.exe
    2009-09-13 08:53 37,504 a------- c:\windows\system32\drivers\FILTER.sys
    2009-09-13 08:53 <DIR> --d----- c:\program files\ddnsFilter
    2009-09-13 08:53 77,824 a------- c:\windows\vkl_1252850031.exe
    2009-09-13 08:53 1 a------- c:\windows\fdgg34353edfgdfdf
    2009-09-13 08:53 49,152 ----h--- c:\windows\pp12.exe
    2009-09-13 08:53 13,824 a------- c:\windows\vkl_1252850014.exe
    2009-09-13 08:53 <DIR> --d----- c:\program files\webserver
    2009-09-13 08:53 13,824 a------- c:\windows\vkl_1252849994.exe
    2009-09-13 08:53 2 a------- c:\windows\0535251103110107106.yux
    2009-09-13 08:53 53,248 -------- c:\windows\ld14.exe
    2009-09-12 00:07 <DIR> --d----- C:\Atari Breakout
    2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
    2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
    2009-09-02 14:22 91,648 a------- c:\windows\system32\drivers\kmw_sys.sys
    2009-09-02 14:22 10,112 a------- c:\windows\system32\drivers\kmw_usb.sys
    2009-09-02 14:22 5,376 a------- c:\windows\system32\drivers\kmw_kbd.sys
    2009-09-02 14:22 4,736 a------- c:\windows\system32\drivers\kmw_lib.sys
    2009-09-02 14:22 176,128 a------- c:\windows\system32\kmw_show.exe
    2009-09-02 14:22 110,592 a------- c:\windows\system32\kmw_dll.dll
    2009-09-02 14:22 106,496 a------- c:\windows\system32\kmw_run.exe

    ==================== Find3M ====================

    2009-09-18 09:28 7,304 a------- c:\windows\TMP0001.TMP
    2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
    2009-07-19 08:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-19 08:32 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
    2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
    2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
    2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
    2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
    2009-07-03 09:49 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
    2009-06-29 06:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-06-29 03:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
    2009-06-29 03:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
    2009-06-29 03:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
    2009-05-21 21:35 250 a------- c:\documents and settings\main\jobq.dat
    2009-03-02 21:05 96,080 a------- c:\docume~1\main\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 10:09:59.53 ===============


#5 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 18 September 2009 - 10:24 AM

Hi,

Looks like you do indeed have a nasty Rootkit onboard.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#6 machias

machias
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 10:48 AM

Let me know if either the redirects, or the Vimax adds are gone after this. Don't worry if they haven't (see below).


Took a little while to get out of Safe Mode and have IE and Firefox open up. Vimax ad & "virus scanner" pop-up both still there. Also looks like I've got a FB virus for "my best video" with a link. I see IE auto-open & sending out FB mails. I've posted a status update alerting everybody, and deleted all posts on my wall for the link.

Since I first posted, Ad-Aware detected FreddyK and WIN32.TROJAN.DOWNLOADER. Think I've got FreddyK knocked down. Perm deleted the exe files, and checked the Reg and dll for any instances.

#7 jpshortstuff
  • WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 18 September 2009 - 10:51 AM

RootRepeal is showing a Rootkit:

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULvhgrhkqnquisbmvvfypiwvtumsvgwdrw.sys

ComboFix (my last post) should automatically get it, if not we can use it to manually remove it.

#8 machias
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 12:34 PM

ComboFix 09-09-17.04 - Main 09/18/2009 11:43.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.138 [GMT -5:00]
Running from: i:\2009.09.15\bleeping_003\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Main\Application Data\Microsoft\Installer\{3F70FB44-FD00-4ED2-9154-661AA9DB0B28}\IconCFA9C1EE.exe
c:\program files\DDnsFilter
c:\program files\DDnsFilter\DDnsFilter.dll
c:\windows\010112010146101105.rx
c:\windows\010112010146116101.xe
c:\windows\0101120101465050.xe
c:\windows\0101120101465254.xe
c:\windows\0101120101465354.xe
c:\windows\freddy65.exe
c:\windows\Installer\18e5036.msi
c:\windows\Installer\18e503a.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\ld14.exe
c:\windows\mstre22.exe
c:\windows\pp12.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\Data
c:\windows\system32\drivers\ESQULvhgrhkqnquisbmvvfypiwvtumsvgwdrw.sys
c:\windows\system32\ESQULivwfivxgrnogigiqkixjmatvvanyxawl.dll
c:\windows\system32\ESQULlniwomyqaqemouajmmcgvayacogvrhhf.dll
c:\windows\system32\tmp.reg
c:\windows\vkl_1252849994.exe
c:\windows\vkl_1252850014.exe
c:\windows\vkl_1252850031.exe
c:\windows\vkl_1252851738.exe
c:\windows\vkl_1252851767.exe
c:\windows\vkl_1252851767.exe.exe
c:\windows\vkl_1252854800.exe
c:\windows\vkl_1252923436.exe
c:\windows\vkl_1252923436.exe.exe
c:\windows\vkl_1252968740.exe
c:\windows\vkl_1252968740.exe.exe
c:\windows\vkl_1253014765.exe
c:\windows\vkl_1253063845.exe
c:\windows\vkl_1253064967.exe
c:\windows\vkl_1253066187.exe
c:\windows\vkl_1253067506.exe
c:\windows\vkl_1253068727.exe
c:\windows\vkl_1253068727.exe.exe
c:\windows\vkl_1253070108.exe
c:\windows\vkl_1253070108.exe.exe
c:\windows\vkl_1253108565.exe
c:\windows\vkl_1253108608.exe
c:\windows\vkl_1253142413.exe
c:\windows\vkl_1253142433.exe
c:\windows\vkl_1253145046.exe
c:\windows\vkl_1253145074.exe
c:\windows\vkl_1253147372.exe
c:\windows\vkl_1253147411.exe
c:\windows\vkl_1253238373.exe
c:\windows\vkl_1253287718.exe
c:\windows\vkl_1253290518.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 15:34 . 2009-09-18 15:41 4414 ----a-w- c:\windows\fs1234.dat
2009-09-18 01:46 . 2009-09-18 01:46 1 ---h--w- c:\windows\bk23567.dat
2009-09-18 01:46 . 2009-09-18 01:46 1 ---h--w- c:\windows\mmsmark2.dat
2009-09-16 19:17 . 2009-09-16 19:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-16 18:55 . 2009-09-16 18:55 -------- d-----w- c:\program files\Lavalys
2009-09-16 17:01 . 2009-09-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-13 13:53 . 2009-09-18 16:15 37504 ----a-w- c:\windows\system32\drivers\FILTER.sys
2009-09-13 13:53 . 2009-09-13 13:53 -------- d-----w- c:\program files\webserver
2009-09-12 05:35 . 2009-09-12 05:37 -------- d-----w- c:\program files\QuickTime
2009-09-12 05:35 . 2009-09-12 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 05:34 . 2009-09-12 05:34 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 05:34 . 2009-09-12 05:34 -------- d-----w- c:\documents and settings\Main\Local Settings\Application Data\Apple
2009-09-12 05:33 . 2009-09-12 05:33 -------- d-----w- c:\program files\Apple Software Update
2009-09-12 05:33 . 2009-09-12 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 05:33 . 2009-09-12 05:33 -------- d-----w- c:\documents and settings\Main\Local Settings\Application Data\Apple Computer
2009-09-12 05:07 . 2009-09-12 05:08 -------- d-----w- C:\Atari Breakout
2009-09-02 19:22 . 2006-08-03 16:47 10112 ----a-w- c:\windows\system32\drivers\kmw_usb.sys
2009-09-02 19:22 . 2006-08-03 16:47 91648 ----a-w- c:\windows\system32\drivers\kmw_sys.sys
2009-09-02 19:22 . 2006-08-03 16:46 5376 ----a-w- c:\windows\system32\drivers\kmw_kbd.sys
2009-09-02 19:22 . 2006-08-03 16:46 4736 ----a-w- c:\windows\system32\drivers\kmw_lib.sys
2009-09-02 19:22 . 2006-08-03 16:47 106496 ----a-w- c:\windows\system32\kmw_run.exe
2009-09-02 19:22 . 2006-08-03 16:47 110592 ----a-w- c:\windows\system32\kmw_dll.dll
2009-09-02 19:22 . 2006-08-03 16:47 176128 ----a-w- c:\windows\system32\kmw_show.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 17:03 . 2006-07-23 23:19 7304 ----a-w- c:\windows\TMP0001.TMP
2009-09-17 16:54 . 2006-12-23 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-17 16:36 . 2006-12-23 01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 15:36 . 2009-09-18 01:44 512000 ----a-w- c:\documents and settings\Main\ck.tmp
2009-08-28 11:17 . 2005-06-10 01:44 -------- d-----w- c:\program files\Dl_cats
2009-08-16 14:53 . 2005-06-21 03:55 -------- d-----w- c:\program files\Google
2009-08-16 10:12 . 2005-06-04 16:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 08:23 . 2007-07-09 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-08-14 01:09 . 2009-08-14 01:09 -------- d-----w- c:\program files\Trend Micro
2009-08-14 00:58 . 2009-08-14 00:58 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-14 00:58 . 2009-08-14 00:58 -------- d-----w- c:\program files\Lavasoft
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:58 . 2005-06-04 16:37 -------- d-----w- c:\program files\Java
2009-08-05 00:52 . 2009-08-05 00:52 152576 ----a-w- c:\documents and settings\Main\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-25 10:23 . 2008-12-10 11:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-11 22:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 14:49 . 2009-08-14 00:59 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-08-14 09:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-29 16:12 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-05-28 01:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 294912]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Rosary Reminder"="c:\program files\Virtual Rosary\reminder.exe" [2001-07-10 46080]
"VX1000"="c:\windows\vVX1000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-04-28 42496]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230664]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-06 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2006-12-09 335872]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Main\Start Menu\Programs\Startup\
Desktop Alert.lnk - c:\program files\Desktop Alert\desktopalert_2391939.exe [2006-7-29 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-6-21 82026]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-4 24576]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Main\\My Documents\\My Downloads\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/13/2009 7:59 PM 64160]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/27/2009 8:15 PM 55152]
S2 ddnsfilter;ddnsfilter;c:\windows\sYSteM32\SvchOst.eXE -k ddnsfilter [8/11/2004 5:00 PM 14336]
S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [12/8/2006 9:57 PM 9728]
S3 USTORAGE;UMass Storage Device;c:\windows\system32\drivers\UStorage.sys [4/14/2009 3:05 AM 31104]
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{DA8F7D89-EFC9-4765-8B1C-29465B33583E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\q8fafaai.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-Run-DellMCM - (no file)
HKLM-Run-MSWheel - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 12:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3728)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Desktop Alert\BugEx.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\WDC\SetIcon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-18 12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 17:24

Pre-Run: 37,412,966,400 bytes free
Post-Run: 37,914,238,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

285 --- E O F --- 2009-08-12 23:53
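The "Other Deletions" list in the ComboFix log above carries more information than a flat list of paths: the hidden driver and DLLs share one naming scheme (a five-letter prefix followed by 32 random lowercase letters), and the Koobface droppers are named vkl_<number>.exe, where the number reads as Unix epoch seconds and lines up with the file dates elsewhere in the log (vkl_1252849994 decodes to 2009-09-13 13:53 UTC, the same minute FILTER.sys and the webserver folder appeared). The script below is an added example of triaging such a log offline; it is not part of the thread and not ComboFix's own code. The sample lines are a constructed subset copied from the log posted above; the regex prefix ESQUL is taken from this log only (other infections of the same family use different prefixes), and reading the vkl_ number as an epoch timestamp is an assumption that the dates in the log support.

```python
"""Indicator grouping and drop timeline from a ComboFix "Other Deletions" list.

Added example: not from the forum thread and not ComboFix's own code.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the "Other Deletions" paths from the log above.
SAMPLE_DELETIONS = """\
c:\\program files\\DDnsFilter\\DDnsFilter.dll
c:\\windows\\freddy65.exe
c:\\windows\\system32\\drivers\\ESQULvhgrhkqnquisbmvvfypiwvtumsvgwdrw.sys
c:\\windows\\system32\\ESQULivwfivxgrnogigiqkixjmatvvanyxawl.dll
c:\\windows\\vkl_1252849994.exe
c:\\windows\\vkl_1253290518.exe
c:\\windows\\vkl_1253290518.exe.exe
"""

# Naming scheme of the hidden driver/DLLs in this thread: five-letter prefix plus
# 32 random lowercase letters.  The ESQUL prefix is specific to this log
# (assumption: other infections of the family use a different prefix).
ROOTKIT_NAME = re.compile(r"^ESQUL[a-z]{32}\.(sys|dll)$")

# Droppers are named vkl_<epoch seconds>.exe, sometimes with a doubled .exe.
# Assumption: the number is a Unix timestamp of when the payload was written.
VKL_NAME = re.compile(r"^vkl_(\d{10})\.exe(\.exe)?$", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path as written in the log."""
    return path.rsplit("\\", 1)[-1]


def vkl_timestamp(name):
    """Return the UTC drop time encoded in a vkl_<epoch>.exe filename, else None."""
    m = VKL_NAME.match(name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def classify(path):
    """Bucket a deleted path by the indicator family it belongs to."""
    name = basename(path)
    if ROOTKIT_NAME.match(name):
        return "rootkit-component"
    if VKL_NAME.match(name):
        return "koobface-dropper"
    if name.lower() == "ddnsfilter.dll":
        return "dns-filter"
    return "other"


def triage(log_text):
    """Group deleted paths by class and build a time-sorted drop timeline."""
    groups = {}
    timeline = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        groups.setdefault(classify(line), []).append(line)
        ts = vkl_timestamp(basename(line))
        if ts is not None:
            timeline.append((ts, basename(line)))
    timeline.sort()
    return groups, timeline


if __name__ == "__main__":
    groups, timeline = triage(SAMPLE_DELETIONS)
    for cls, paths in sorted(groups.items()):
        print(f"{cls}: {len(paths)} path(s)")
    for ts, name in timeline:
        print(ts.strftime("%Y-%m-%d %H:%M:%S UTC"), name)
```

Run against the full "Other Deletions" section the timeline shows the droppers arriving in bursts over five days, which is the kind of detail worth keeping before the quarantine folder is purged at the end of a cleanup.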



#9 jpshortstuff
  • WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 18 September 2009 - 12:56 PM

Hi,

We need to run a batch file.
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on your Desktop
@echo off
rem Delete the listed files and record the outcome of each in log.txt
echo Deleting files...>log.txt
for %%g in (
c:\windows\fs1234.dat
c:\windows\bk23567.dat
c:\windows\mmsmark2.dat
) do (
if exist %%g (
rem /F forces read-only files, /A includes hidden and system files;
rem without /A, del skips hidden files such as the two .dat files above
del /Q /F /A %%g
if exist %%g (
echo Unable to delete %%g >>log.txt
)else echo %%g deleted successfully>>log.txt
) else echo %%g not found >>log.txt
)
start notepad log.txt
rem The batch file removes itself once the log is open
del /Q %0
Then double-click on the fix.bat file. A log will open, please post the contents of that log in your next reply.


Click Start >> Control Panel >> Add/Remove Programs. Find and Remove these old version of Java:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1

(Note: Leave Java™ 6 Update 15 as this is the latest version).

Next, try and run MalwareBytes Anti-Malware again. If it successfully runs, please run a "Full Scan" and post the log it gives. Let me know how the computer is running as well.

#10 machias
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 01:01 PM

Looks like you do indeed have a nasty Rootkit onboard.


Win XP, Ad-Aware and anti-virus all updated. Pop-ups, Vimax & search engine redirects all seem gone. Wow. Nice.

Hope that's it. Let me know what is, or is not, next.

#11 jpshortstuff
  • WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 18 September 2009 - 01:18 PM

Whoops, looks like I'm posting too fast for you :(

Just in case you've missed it, I already posted some more instructions above.

#12 machias
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 03:50 PM

Just in case you've missed it, already posted some more instructions above.


Thanks! You were quick :( but I still managed to catch it ...


  • Deleting files...
    c:\windows\fs1234.dat deleted successfully
    Unable to delete c:\windows\bk23567.dat
    Unable to delete c:\windows\mmsmark2.dat


  • Malwarebytes' Anti-Malware 1.41
    Database version: 2821
    Windows 5.1.2600 Service Pack 3

    9/18/2009 3:40:48 PM
    mbam-log-2009-09-18 (15-40-34).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 220461
    Time elapsed: 1 hour(s), 46 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 70

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\webserver (Worm.KoobFace) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\webserver (Worm.KoobFace) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webserver (Worm.KoobFace) -> No action taken.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ddnsfilter (Trojan.DNSChanger) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\Program Files\ddnsFilter\DDnsFilter.dll.vir (Trojan.DNSFilter) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\ld14.exe.vir (Worm.KoobFace) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\pp12.exe.vir (Worm.KoobFace) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252850031.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252851767.exe.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252851767.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252854800.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252923436.exe.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252923436.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252968740.exe.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1252968740.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253014765.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253063845.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253064967.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253066187.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253067506.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253068727.exe.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253068727.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253070108.exe.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253070108.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253108565.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253108608.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253142413.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253142433.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253145046.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253145074.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253147372.exe.vir (Worm.Koobface) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253147411.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253238373.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253287718.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\vkl_1253290518.exe.vir (Trojan.Dropper) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULivwfivxgrnogigiqkixjmatvvanyxawl.dll.vir (Trojan.Alureon) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULvhgrhkqnquisbmvvfypiwvtumsvgwdrw.sys.vir (Rootkit.TDSS) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000001.dll (Trojan.Alureon) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000002.sys (Rootkit.TDSS) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000034.dll (Trojan.DNSFilter) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000039.exe (Worm.KoobFace) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000041.exe (Worm.KoobFace) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000046.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000048.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000049.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000050.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000051.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000052.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000053.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000054.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000055.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000056.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000057.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000059.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000060.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000061.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000062.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000063.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000064.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000065.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000066.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000067.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000068.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000069.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000070.exe (Worm.Koobface) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000071.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000072.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000073.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000074.exe (Trojan.Dropper) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000058.exe (Worm.Koobface) -> No action taken.
    C:\WINDOWS\system32\drivers\FILTER.sys (Trojan.DNSBlocker) -> No action taken.
    C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> No action taken.
    C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> No action taken.
    C:\WINDOWS\mmsmark2.dat (KoobFace.Trace) -> No action taken.


#13 machias
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 18 September 2009 - 03:56 PM

Let me know how the computer is running as well.



Same as before: able to get A/V updates, hijacks/pop-ups/Vimax ads and search engine redirect gone, and no longer locking up.

Looks like I've got a couple of worms & trojans left to deal with. Man, I got nailed hard. Never used Malwarebytes before this. Nice app.

#14 jpshortstuff
  • WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK
  • Local time:09:18 AM

Posted 19 September 2009 - 03:49 AM

Hi,

OK, let's clean that up. We just need to disable Spybot's TeaTimer so it doesn't interfere with the fix.
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
http://www.bleepingcomputer.com/forums/t/258033/unknown-hijacks-redirect-search-engines-browser-disabled-virus-malware-protection/

Collect::
C:\WINDOWS\system32\drivers\FILTER.sys
C:\Program Files\webserver\webserver.exe
C:\WINDOWS\0535251103110107106.yux
c:\windows\bk23567.dat
C:\WINDOWS\mmsmark2.dat

Driver::
ddnsfilter
webserver
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt.
After that, please run RootRepeal again, as before, so we can make sure everything is now gone. Please also run MalwareBytes' once more to check if it finds anything. Note that you don't have to worry about the items that MalwareBytes' finds in:
C:\Qoobox
C:\System Volume Information

These are just backups and will be cleaned up when we finish.

#15 machias
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin
  • Local time:03:18 AM

Posted 19 September 2009 - 04:56 AM

  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.


Unable to find TeaTimer in the System Startup list of Spybot S&D? Odd, but I quadruple-checked the list. Nothing in the exe's or dll's.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


ComboFix is prompting me to update to the latest version. Selected No & proceeded.

Edited by machias, 19 September 2009 - 05:08 AM.




