
Unable to remove Trojan.DNSChanger


  • This topic is locked
44 replies to this topic

#1 southsidesweetie

southsidesweetie

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 03 April 2010 - 03:19 PM

Hi, I have followed all instructions on Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.

I was using CA Internet Security (AV, Firewall, Antispam, Antispyware) and MWB before the infection. My first symptom was that my CA Antivirus would not update. It would say that my internet was not connected, which was not true. Upon trying to find the problem I found I was also blocked from almost all AV, anti-malware and anti-spyware sites. PS: My browser of choice is Firefox and it says "unable to connect to server" only on those sites; I am able to go anywhere else without problem. I scanned with Malwarebytes by downloading a manual update from a clean computer and it found at first 5, then 2 apparently unremovable (because MWB would say "quarantined and removed successfully" and ask for a reboot; once rebooted it would say Windows has blocked programs at startup and it was MWB, I tried to allow but that wouldn't work) Trojan.DNSChangers located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer and ...\Parameters\Interfaces\{random#andletters}\DhcpNameServer, with the same fake IP addresses (93.188.161.105 93.188.166.105) in both. So since I was having trouble with CA, I stupidly uninstalled and reinstalled it, whereupon I got an error message stating "Warning W9011: You do not have sufficient priveleges to install or uninstall CA Personal Firewall. Unable to update registry key: HKEY_LOCAL_MACHINE\SOFTWARE\CA\CAPF Try logging on as Administrator." Guess what, I am. OK then, I got an error from AV saying it was not up to date and that it was unable to initialize the scanning engine. So I downloaded avast! AV for now. Also SAS and Ad-Aware. I was able to clean it off by scanning with MWB, then using RegASSASSIN (by MWB) and resetting the registry permissions (not deleting), and THEN clicking to remove with MWB. But as soon as I reconnect to the internet it is there again, and I am still having the problems with updates. Then I lost the ability to update Windows Defender. This should be about it. Here is my DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 14:25:37.87 on Sat 04/03/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1695 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\TextPad 4\TextPad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Christina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Big Fish Games Toolbar: {c7c9fc25-88b0-4682-9c9f-2608e9117647} - c:\program files\bfgbar\bfg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Big Fish Games Toolbar: {c7c9fc25-88b0-4682-9c9f-2608e9117647} - c:\program files\bfgbar\bfg.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\christina\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [<NO NAME>]
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [ReminderApp] c:\program files\nova development\greeting card factory photo card maker\ReminderApp.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
StartupFolder: c:\users\christ~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smcwus~1.lnk - c:\program files\smc\smcwusb-g 802.11g wireless usb 2.0 adapter\SMCWGUTI.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\christ~1\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}\components\Engine.dll
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{6847dfae-037a-400c-a524-27f0a281b692}\components\dtTransparency.dll
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\christina\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\christina\appdata\roaming\mozilla\firefox\profiles\7hb38jkf.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\christina\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 103952]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-30 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-30 162640]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
R1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\drivers\KmxFilter.sys [2007-10-18 51728]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2010-4-3 26376]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2010-4-3 21128]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2010-4-3 32264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-30 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-3-30 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2010-4-3 144960]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 138744]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2010-4-3 242952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-30 40384]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-6-14 408064]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2010-4-3 108312]
S2 UmxAgent;HIPS Event Manager;"c:\program files\ca\sharedcomponents\hipsengine\umxagent.exe" --> c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [?]
S2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\ca\sharedcomponents\hipsengine\umxcfg.exe" --> c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [?]
S2 UmxPol;HIPS Policy Manager;"c:\program files\ca\sharedcomponents\hipsengine\umxpol.exe" --> c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [?]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2008-7-31 95232]

=============== Created Last 30 ================

2010-04-03 19:24:45 0 ----a-w- c:\users\christina\defogger_reenable
2010-04-03 17:55:10 99592 ----a-w- c:\windows\system32\isafeif.dll
2010-04-03 17:55:10 879784 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-04-03 17:55:10 79424 ----a-w- c:\windows\system32\vetredir.dll
2010-04-03 17:55:10 75016 ----a-w- c:\windows\system32\isafprod.dll
2010-04-03 17:55:10 32264 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2010-04-03 17:55:10 26376 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2010-04-03 17:55:10 21512 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2010-04-03 17:55:10 21128 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2010-04-03 17:55:10 108312 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-04-02 19:54:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 19:54:28 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 19:54:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 20:33:05 0 d-----w- c:\program files\FileASSASSIN
2010-03-31 04:23:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-31 03:22:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-31 03:21:25 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-31 03:21:15 0 d-----w- c:\programdata\Lavasoft
2010-03-31 03:21:15 0 d-----w- c:\program files\Lavasoft
2010-03-30 18:26:22 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-30 18:25:00 0 d-----w- c:\programdata\Alwil Software
2010-03-30 17:54:53 0 d-----w- c:\program files\CA
2010-03-30 00:56:15 75016 ----a-w- c:\windows\system32\isafprod(820).dll
2010-03-29 23:33:05 65536 --sha-w- c:\users\christina\ntuser.dat{257adbb3-3b82-11df-890c-001fc65e4762}.TM.blf
2010-03-29 23:33:05 524288 --sha-w- c:\users\christina\ntuser.dat{257adbb3-3b82-11df-890c-001fc65e4762}.TMContainer00000000000000000002.regtrans-ms
2010-03-29 23:33:05 524288 --sha-w- c:\users\christina\ntuser.dat{257adbb3-3b82-11df-890c-001fc65e4762}.TMContainer00000000000000000001.regtrans-ms
2010-03-29 22:24:38 78461 ----a-w- C:\inoc6.icf
2010-03-29 20:36:50 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-29 20:36:33 0 d-----w- c:\users\christ~1\appdata\roaming\SUPERAntiSpyware.com
2010-03-29 20:36:33 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-29 16:21:26 0 d-----w- c:\programdata\CA-SupportBridge
2010-03-10 04:23:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 04:23:41 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 04:23:41 30720 ----a-w- c:\windows\system32\httpapi.dll

==================== Find3M ====================

2010-04-03 18:09:39 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-03 18:09:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-04-03 18:05:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-04-03 18:05:03 110584 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-26 18:00:54 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-26 17:54:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-30 02:43:42 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-07-13 03:35:59 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 14:26:32.63 ===============

Attached are attach.txt and ark.txt

Thanks for any help.

I have to add that after I did this I saw something about changing my DNS settings to OpenDNS at 208.67.222.222, just to be able to update your programs, and I have been able to update everything but MBAM, and I think that is an issue with their new release. However, I still want to fix the original problem.

Attached Files


Edited by southsidesweetie, 03 April 2010 - 10:59 PM.
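Not part of the thread: an added example of the check a responder would run against an export of the Tcpip\Parameters key the post above describes. It is my code, not the poster's or a BleepingComputer tool. The registry text and the interface GUIDs in it are constructed to mirror what the post reports (the rogue 93.188.161.105 / 93.188.166.105 pair under both the global key and an Interfaces\{GUID} subkey), and the OpenDNS allowlist is taken from the poster's later note. The script lists every DhcpNameServer and NameServer value it finds and flags any resolver that is neither on the allowlist nor a private (RFC 1918) address.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Resolver-holding values under Tcpip\Parameters and each Interfaces\{GUID} subkey.
# DhcpNameServer is what DHCP handed out; NameServer is a static override.
VALUE_NAMES = ("DhcpNameServer", "NameServer")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Resolvers this machine is expected to use (OpenDNS, per the post). Private
# addresses such as a home router are accepted by is_trusted() as well.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample in the shape of
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg
# The interface GUIDs are made up; the 93.188.x addresses are the ones the post reports.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="93.188.161.105 93.188.166.105"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"DhcpNameServer"="93.188.161.105 93.188.166.105"
"NameServer"="208.67.222.222,208.67.220.220"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"DhcpNameServer"="192.168.1.1"
"""


@dataclass(frozen=True)
class ResolverEntry:
    key: str         # full registry key the value was found under
    value_name: str  # DhcpNameServer or NameServer
    server: str      # one resolver address from that value


def parse_reg_export(text):
    """Walk a .reg export and return one ResolverEntry per resolver address found."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.groups()
        if name not in VALUE_NAMES:
            continue
        # Windows stores several resolvers in one string, separated by spaces or commas.
        for server in re.split(r"[\s,]+", data):
            if server:
                entries.append(ResolverEntry(current_key, name, server))
    return entries


def is_trusted(server, trusted):
    """True for an allowlisted resolver or a private (LAN) address; anything else is suspect."""
    try:
        addr = ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return server in trusted or addr.is_private


def find_rogue_resolvers(text, trusted):
    """Return every resolver entry in the export that is not trusted."""
    return [e for e in parse_reg_export(text) if not is_trusted(e.server, trusted)]


if __name__ == "__main__":
    # For a real export use: text = open("tcpip.reg", encoding="utf-16").read()
    for entry in find_rogue_resolvers(SAMPLE_REG_EXPORT, TRUSTED_RESOLVERS):
        print(f"ROGUE {entry.server:16} {entry.value_name:15} {entry.key}")
```

reg export writes UTF-16 text, so a real file must be opened with encoding='utf-16'. Because the post says the values return as soon as the machine reconnects, run the check again after reconnecting: a rogue address that reappears only in DhcpNameServer, while NameServer stays as you set it, means the DHCP path is supplying it, and the router's own DHCP settings are worth checking before assuming the host alone is at fault.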



#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 07 April 2010 - 09:09 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade

In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 southsidesweetie (Topic Starter)

Posted 09 April 2010 - 07:31 PM

Just a note - I am still having the problem. Was just waiting for a reply. I am going to perform the first step and reply back. Thank you for your assistance.

#4 southsidesweetie (Topic Starter)

Posted 09 April 2010 - 08:10 PM

OK, I am having a problem. My Security Center is saying my CA Firewall is On, even though I uninstalled CA. I think the virus affected my CA Firewall. Here is what happened with my CA before I posted. I uninstalled it and tried to reinstall it, and it told me "Warning W9011: You do not have sufficient privileges to install or uninstall CA Personal Firewall. Unable to update registry key: HKEY_LOCAL_MACHINE\SOFTWARE\CA\CAPF Try logging on as Administrator." If you read my first post I explained this, and I think it has hijacked it. I actually read up on that virus and found that my particular version (2007) had some kind of easy-to-break-into problem with it. So my question is, do I continue with step 4 without turning the CA Firewall off, because I don't want to mess anything up? If you can tell me how to get it off, I can always redownload it. I actually tried to kill that exact registry key with RegASSASSIN from MBAM. It said it could not delete. I also believe it has done something to my administrative rights, because all the programs I download have the Windows logo (shield) and request permission, and I don't remember it doing that before. What now?

Edited by southsidesweetie, 09 April 2010 - 08:39 PM.


#5 Blade (Site Admin)

Posted 10 April 2010 - 07:32 PM

Hi southsidesweetie.

Go ahead and continue with step 4.

Thanks for letting me know first though.

~Blade



#6 southsidesweetie (Topic Starter)

Posted 11 April 2010 - 01:06 PM

ComboFix 10-04-10.02 - Christina 04/11/2010 12:44:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1474 [GMT -5:00]
Running from: c:\users\Christina\Desktop\rename.exe
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1219926079-3706369525-729257973-1001
c:\$recycle.bin\S-1-5-21-1219926079-3706369525-729257973-500
c:\$recycle.bin\S-1-5-21-3053929616-2280673223-1444814311-500
c:\$recycle.bin\S-1-5-21-909821549-444324555-4134441507-1000
c:\users\Christina\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 04:59 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-11 04:59 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-11 04:59 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-11 04:59 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-11 04:59 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-11 04:59 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-11 04:59 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-10 22:58 . 2010-04-10 22:58 -------- d-----w- c:\program files\Microsoft Application Compatibility Toolkit 5
2010-04-10 03:26 . 2010-04-10 03:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-10 01:36 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 01:36 . 2010-04-10 23:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 01:36 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-01 20:33 . 2010-04-01 20:33 -------- d-----w- c:\program files\FileASSASSIN
2010-03-31 04:23 . 2010-04-10 03:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-31 03:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-31 03:21 . 2010-03-31 03:21 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-31 03:21 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-31 03:21 . 2010-03-31 03:22 -------- d-----w- c:\programdata\Lavasoft
2010-03-31 03:21 . 2010-03-31 03:21 -------- d-----w- c:\program files\Lavasoft
2010-03-30 18:25 . 2010-03-30 18:25 -------- d-----w- c:\programdata\Alwil Software
2010-03-30 18:25 . 2010-03-30 18:25 -------- d-----w- c:\program files\Alwil Software
2010-03-30 03:42 . 2010-04-02 19:55 117760 ----a-w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-30 03:42 . 2010-03-30 03:42 52224 ----a-w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-30 01:26 . 2010-03-30 01:26 -------- d-----w- c:\users\Misstina\AppData\Local\Apple
2010-03-30 01:01 . 2010-03-30 01:01 -------- d-----w- c:\users\Misstina\AppData\Local\Mozilla
2010-03-30 01:01 . 2010-03-30 01:01 -------- d-----w- c:\users\Misstina\AppData\Roaming\Malwarebytes
2010-03-30 01:00 . 2010-03-30 01:00 -------- d-----w- c:\users\Misstina\AppData\Roaming\Hewlett-Packard
2010-03-30 01:00 . 2010-03-30 01:00 -------- d-----w- c:\users\Misstina\AppData\Roaming\Snapfish
2010-03-30 00:56 . 2007-08-20 18:37 75016 ----a-w- c:\windows\system32\isafprod(820).dll
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-29 20:36 . 2010-04-10 01:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com
2010-03-29 16:21 . 2010-03-29 16:44 -------- d-----w- c:\programdata\CA-SupportBridge
2010-03-17 02:30 . 2010-03-16 20:18 52224 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-17 02:30 . 2010-03-16 20:18 101376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-15 20:33 . 2010-03-15 20:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-04-11 04:55 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-04-11 04:55 . 2008-06-16 03:21 110584 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-04-10 22:58 . 2010-04-10 22:58 7128 ----a-w- c:\windows\inf\ObjectFramework\0009\tmp2DB6.tmp
2010-04-10 22:58 . 2010-04-10 22:58 7128 ----a-w- c:\windows\inf\ObjectFramework\0000\tmp2DB6.tmp
2010-04-10 02:55 . 2009-01-30 00:22 1 ----a-w- c:\users\Christina\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-10 00:45 . 2008-06-16 00:29 -------- d-----w- c:\programdata\CA
2010-04-09 00:30 . 2008-06-19 02:09 -------- d-----w- c:\users\Christina\AppData\Roaming\LimeWire
2010-04-08 23:37 . 2008-06-15 22:38 -------- d-----w- c:\program files\LimeWire
2010-03-31 02:49 . 2008-06-15 00:26 1356 ----a-w- c:\users\Christina\AppData\Local\d3d9caps.dat
2010-03-31 00:16 . 2008-06-21 22:07 -------- d-----w- c:\program files\Maxis
2010-03-30 03:41 . 2008-12-21 01:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 02:09 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-30 02:08 . 2009-05-11 23:08 -------- d-----w- c:\program files\Dopewars
2010-03-30 00:59 . 2010-03-30 00:59 141640 ----a-w- c:\users\Misstina\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-15 20:39 . 2009-03-09 20:38 -------- d-----w- c:\program files\Safari
2010-03-07 20:14 . 2009-03-04 02:05 -------- d-----w- c:\users\Christina\AppData\Roaming\iPhoneRingToneMaker
2010-02-24 15:16 . 2009-10-02 18:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-03 23:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-03 23:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-03 23:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-03 23:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 04:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 04:23 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 04:23 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 11:39 . 2010-02-19 06:51 52224 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
2010-02-19 11:39 . 2010-02-19 06:51 101376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
2010-02-15 22:05 . 2008-06-15 22:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-02 00:12 . 2010-02-02 00:12 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-23 09:26 . 2010-02-23 21:34 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-13 03:35 . 2008-07-13 03:35 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 17:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-10 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-27 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-27 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\users\Christina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-1-18 442368]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,45,ea,7b,66,56,ca,01

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-10 1265264]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [x]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [x]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [x]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]
R3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys [2002-07-01 95232]
R3 ZDPSp60;ZDPSp60 NDIS Protocol Driver;c:\windows\system32\Drivers\ZDPSp60.sys [x]
S0 KmxFw;KmxFw;c:\windows\System32\DRIVERS\kmxfw.sys [2008-06-25 103952]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 aswSP;aswSP; [x]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 51728]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-04-03 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-04-03 66632]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 138744]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-04-03 12872]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
TCP: {1891B12C-714B-40F3-972A-139F04126D56} = 208.67.222.222,208.67.220.220
TCP: {BB7D7944-DEE7-48E1-B57B-5DAC1B0C1207} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{6847DFAE-037A-400c-A524-27F0A281B692}\components\dtTransparency.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Christina\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Christina\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\Celebrity Toolbar\tbcore3.dll
Toolbar-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Celebrity Toolbar\tbcore3.dll
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-cafwc - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe
MSConfigStartUp-capfasem - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 12:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-11 12:58:16
ComboFix-quarantined-files.txt 2010-04-11 17:57

Pre-Run: 219,349,475,328 bytes free
Post-Run: 220,181,487,616 bytes free

- - End Of File - - DC087F641EF0E495EBBFC4D98CE8A022


#7 Blade (Site Admin)

Posted 12 April 2010 - 10:32 AM

Hello southsidesweetie.

Your log shows that you have an Ask toolbar installed. Please read this article. While not technically malware, Ask toolbars are often unwanted by users, and the company's business practices are questionable. If you decide you do not want to keep the toolbar, please use Add/Remove Programs to remove it.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

SecCenter::
{14CB4B80-8E52-45EA-905E-67C1267B4160}


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade

In your next reply, please include the following:
Combofix Log
How is the computer running now?

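The CFScript above deletes four "DisableMonitoring" values under the Security Center Monitoring key (values the earlier ComboFix log shows set to 1, which tells Security Center to stop watching those products) and, with the SecCenter:: directive, drops the stale CA Personal Firewall registration identified by its GUID. The script below is an added example, not code from the thread, from ComboFix or from Malwarebytes: it lists every DisableMonitoring override on the machine and, when run with -Fix from an elevated PowerShell prompt, removes those set to 1, then lists the firewall products Security Center still has registered so a leftover entry can be matched against its GUID. It assumes the Vista/Windows 7-era layout of the Security Center key shown in the log and that the WMI namespace root\SecurityCenter2 is present (Vista SP1 and later).

```powershell
# Added example (not from the thread, ComboFix or Malwarebytes).
# Audit Security Center "DisableMonitoring" overrides; -Fix removes the ones set to 1.
# Assumes the HKLM\SOFTWARE\Microsoft\Security Center\Monitoring layout seen in the
# ComboFix log and the root\SecurityCenter2 WMI namespace (Vista SP1 and later).
param([switch]$Fix)

$base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'

if (Test-Path $base) {
    # The Monitoring key itself plus one subkey per product (e.g. "CA Personal Firewall")
    $keys = @(Get-Item $base) + @(Get-ChildItem $base)
    foreach ($k in $keys) {
        $v = $k.GetValue('DisableMonitoring', $null)
        if ($null -eq $v) { continue }
        $state = if ($v -eq 1) { 'SUPPRESSED' } else { 'present   ' }
        Write-Output ('{0} DisableMonitoring={1}  {2}' -f $state, $v, $k.Name)
        if ($Fix -and $v -eq 1) {
            # Same effect as the "DisableMonitoring"=- lines in the CFScript
            Remove-ItemProperty -Path $k.PSPath -Name 'DisableMonitoring'
            Write-Output ('           removed from {0}' -f $k.Name)
        }
    }
} else {
    Write-Output 'No Security Center\Monitoring key present'
}

# Firewall products Security Center still lists; compare instanceGuid with the
# GUID named under SecCenter:: to spot a registration whose product is gone.
try {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class FirewallProduct -ErrorAction Stop |
        ForEach-Object { '{0}  {1}' -f $_.instanceGuid, $_.displayName }
} catch {
    Write-Output "Could not query root\SecurityCenter2: $_"
}
```

Run it once without -Fix to see what is set, then with -Fix. A product that shows up in the FirewallProduct list but is no longer installed is exactly what the SecCenter:: line removes; an uninstalled firewall still reported as "On" by Security Center, as described earlier in the thread, is the symptom of such a stale entry.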


#8 southsidesweetie (Topic Starter)

Posted 12 April 2010 - 06:25 PM

Before I do this, I wanted to know - do I really want to disable the Security Center monitoring? Or is that a virus? I like when my Security Center tells me I need to update something or check something. Let me know what this will do.
Also, I know you haven't asked, but MBAM is the only program so far that has been able to spot this virus. I just wanted to be sure you can see where it is. Here is my first bad log with 5, and then the 2 I can't get rid of. This is only showing the infections - everything else was clean.

Initial scan:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1891b12c-714b-40f3-972a-139f04126d56}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32a5739b-18e3-476d-8893-e39190634b10}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8aea5440-1496-42fa-96f1-7bb261cbedb1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb7d7944-dee7-48e1-b57b-5dac1b0c1207}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.

after initial scan, the 2 that wont go away:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb7d7944-dee7-48e1-b57b-5dac1b0c1207}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.

Like I said before, it says they're removed and to reboot; once I reboot it says Windows has blocked some programs on startup, so I downloaded Microsoft Compatibility Administrator to make sure MBAM is always RunAsInvoker, but it's still there after reboot. Now that I have got that off my chest, would you still like me to go ahead with the prescribed actions?

PS The Ask toolbar is actually a LimeWire toolbar. I hate ask.com, but I wanted to see if I liked this toolbar because I like LimeWire. And I never ran LimeWire during the time I got infected either; it was after the virus that I d/l the toolbar and/or used the program. Otherwise I always check to see if something is installing a toolbar, believe me! lol

Edited by southsidesweetie, 12 April 2010 - 06:28 PM.


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 12 April 2010 - 06:44 PM

Please do. The script is perfectly safe and is only reversing damage done by the malware. It's not disabling anything.

***************************************************

After you are done with the prescribed actions, please go ahead and run an MBAM scan. . . see if it still detects those two items.

Edited by Blade Zephon, 12 April 2010 - 06:46 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 southsidesweetie

southsidesweetie
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 12 April 2010 - 06:45 PM

Great! Doing now.

#11 southsidesweetie

southsidesweetie
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 12 April 2010 - 07:16 PM

Well. I am replying from my mom's laptop that I confiscated. I'm running the MBAM scan now, but I had to jump computers because of this prompt I received when trying to open Firefox after the log popped up.

C:\Program Files\Mozilla Firefox\firefox.exe

Illegal operation attempted on a registry key that has been marked for deletion.

Here is the log.

ComboFix 10-04-10.02 - Christina 04/12/2010 18:51:16.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1988 [GMT -5:00]
Running from: c:\users\Christina\Desktop\rename.exe
Command switches used :: c:\users\Christina\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 00:00 . 2010-04-13 00:01 -------- d-----w- c:\users\Christina\AppData\Local\temp
2010-04-13 00:00 . 2010-04-13 00:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-13 00:00 . 2010-04-13 00:00 -------- d-----w- c:\users\Misstina\AppData\Local\temp
2010-04-13 00:00 . 2010-04-13 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-11 04:59 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-11 04:59 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-11 04:59 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-11 04:59 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-11 04:59 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-11 04:59 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-11 04:59 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-10 22:58 . 2010-04-10 22:58 -------- d-----w- c:\program files\Microsoft Application Compatibility Toolkit 5
2010-04-10 03:26 . 2010-04-10 03:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-10 01:36 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 01:36 . 2010-04-10 23:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 01:36 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-01 20:33 . 2010-04-01 20:33 -------- d-----w- c:\program files\FileASSASSIN
2010-03-31 04:23 . 2010-04-10 03:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-31 03:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-31 03:21 . 2010-03-31 03:21 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-31 03:21 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-31 03:21 . 2010-03-31 03:22 -------- d-----w- c:\programdata\Lavasoft
2010-03-31 03:21 . 2010-03-31 03:21 -------- d-----w- c:\program files\Lavasoft
2010-03-30 18:25 . 2010-03-30 18:25 -------- d-----w- c:\programdata\Alwil Software
2010-03-30 18:25 . 2010-03-30 18:25 -------- d-----w- c:\program files\Alwil Software
2010-03-30 03:42 . 2010-04-02 19:55 117760 ----a-w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-30 03:42 . 2010-03-30 03:42 52224 ----a-w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-30 01:26 . 2010-03-30 01:26 -------- d-----w- c:\users\Misstina\AppData\Local\Apple
2010-03-30 01:01 . 2010-03-30 01:01 -------- d-----w- c:\users\Misstina\AppData\Local\Mozilla
2010-03-30 01:01 . 2010-03-30 01:01 -------- d-----w- c:\users\Misstina\AppData\Roaming\Malwarebytes
2010-03-30 01:00 . 2010-03-30 01:00 -------- d-----w- c:\users\Misstina\AppData\Roaming\Hewlett-Packard
2010-03-30 01:00 . 2010-03-30 01:00 -------- d-----w- c:\users\Misstina\AppData\Roaming\Snapfish
2010-03-30 00:56 . 2007-08-20 18:37 75016 ----a-w- c:\windows\system32\isafprod(820).dll
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-29 20:36 . 2010-04-10 01:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\users\Christina\AppData\Roaming\SUPERAntiSpyware.com
2010-03-29 16:21 . 2010-03-29 16:44 -------- d-----w- c:\programdata\CA-SupportBridge
2010-03-17 02:30 . 2010-03-16 20:18 52224 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-17 02:30 . 2010-03-16 20:18 101376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-15 20:33 . 2010-03-15 20:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-04-12 04:17 . 2008-06-16 03:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-04-12 04:17 . 2008-06-16 03:21 110584 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-04-10 22:58 . 2010-04-10 22:58 7128 ----a-w- c:\windows\inf\ObjectFramework\0009\tmp2DB6.tmp
2010-04-10 22:58 . 2010-04-10 22:58 7128 ----a-w- c:\windows\inf\ObjectFramework\0000\tmp2DB6.tmp
2010-04-10 02:55 . 2009-01-30 00:22 1 ----a-w- c:\users\Christina\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-10 00:45 . 2008-06-16 00:29 -------- d-----w- c:\programdata\CA
2010-04-09 00:30 . 2008-06-19 02:09 -------- d-----w- c:\users\Christina\AppData\Roaming\LimeWire
2010-04-08 23:37 . 2008-06-15 22:38 -------- d-----w- c:\program files\LimeWire
2010-03-31 02:49 . 2008-06-15 00:26 1356 ----a-w- c:\users\Christina\AppData\Local\d3d9caps.dat
2010-03-31 00:16 . 2008-06-21 22:07 -------- d-----w- c:\program files\Maxis
2010-03-30 03:41 . 2008-12-21 01:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 02:09 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-30 02:08 . 2009-05-11 23:08 -------- d-----w- c:\program files\Dopewars
2010-03-30 00:59 . 2010-03-30 00:59 141640 ----a-w- c:\users\Misstina\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-15 20:39 . 2009-03-09 20:38 -------- d-----w- c:\program files\Safari
2010-03-07 20:14 . 2009-03-04 02:05 -------- d-----w- c:\users\Christina\AppData\Roaming\iPhoneRingToneMaker
2010-02-24 15:16 . 2009-10-02 18:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-03 23:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-03 23:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-03 23:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-03 23:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 04:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 04:23 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 04:23 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 11:39 . 2010-02-19 06:51 52224 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
2010-02-19 11:39 . 2010-02-19 06:51 101376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
2010-02-15 22:05 . 2008-06-15 22:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\users\Christina\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-02 00:12 . 2010-02-02 00:12 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-23 09:26 . 2010-02-23 21:34 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-13 03:35 . 2008-07-13 03:35 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 17:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Christina\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-10 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-27 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-27 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\users\Christina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-15 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-1-18 442368]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,45,ea,7b,66,56,ca,01

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-10 1265264]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [x]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [x]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [x]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]
R3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys [2002-07-01 95232]
R3 ZDPSp60;ZDPSp60 NDIS Protocol Driver;c:\windows\system32\Drivers\ZDPSp60.sys [x]
S0 KmxFw;KmxFw;c:\windows\System32\DRIVERS\kmxfw.sys [2008-06-25 103952]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 aswSP;aswSP; [x]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 51728]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-04-03 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-04-03 66632]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 138744]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-04-03 12872]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
TCP: {1891B12C-714B-40F3-972A-139F04126D56} = 208.67.222.222,208.67.220.220
TCP: {BB7D7944-DEE7-48E1-B57B-5DAC1B0C1207} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{6847DFAE-037A-400c-A524-27F0A281B692}\components\dtTransparency.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Christina\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Christina\AppData\Roaming\Mozilla\Firefox\Profiles\7hb38jkf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Christina\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 19:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x02023243

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-12 19:03:56
ComboFix-quarantined-files.txt 2010-04-13 00:03
ComboFix2.txt 2010-04-11 17:58

Pre-Run: 216,458,080,256 bytes free
Post-Run: 216,427,048,960 bytes free

- - End Of File - - 1679791FE7C5D3767BC1779BEBFF4E68

Edited by southsidesweetie, 12 April 2010 - 07:17 PM.


#12 southsidesweetie

southsidesweetie
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 12 April 2010 - 07:21 PM

PS While looking at this log I noticed this:

------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
TCP: {1891B12C-714B-40F3-972A-139F04126D56} = 208.67.222.222,208.67.220.220
TCP: {BB7D7944-DEE7-48E1-B57B-5DAC1B0C1207} = 208.67.222.222,208.67.220.220

etc...

Please be aware that this is what I did to reroute around the virus, so that I was able to update some of my programs, go to mbam.org, etc. It is routed to OpenDNS. (Just FYI)
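
The two log formats quoted in this thread, the MBAM "Registry Data Items" lines in post #8 and the ComboFix "TCP: {GUID} = ..." lines just above, can be checked mechanically against an allowlist of the resolvers a machine is supposed to use. The script below is an added example written for this page; it is not code from the thread, from Malwarebytes or from ComboFix. It parses constructed copies of those lines, and the allowlist of the two OpenDNS addresses is an assumption taken from the poster's own workaround. Any resolver not on the allowlist is reported per scope (the global Parameters key or an interface GUID), which is how a DhcpNameServer that keeps coming back after a reboot stands out at a glance.

```python
"""Audit DNS resolver entries pulled from MBAM / ComboFix style log lines.

Added example for this thread, not code from Malwarebytes or ComboFix.
Anything not on EXPECTED_RESOLVERS is reported per scope (global or a
per-interface GUID).
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: lines 1-2 copy the MBAM "Registry Data Items" layout,
# lines 3-4 copy ComboFix's "TCP: {GUID} = a,b" layout, using the values the
# thread itself shows. Interface bb7d... appears in both formats.
SAMPLE_LINES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb7d7944-dee7-48e1-b57b-5dac1b0c1207}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 -> Quarantined and deleted successfully.",
    "TCP: {1891B12C-714B-40F3-972A-139F04126D56} = 208.67.222.222,208.67.220.220",
    "TCP: {BB7D7944-DEE7-48E1-B57B-5DAC1B0C1207} = 208.67.222.222,208.67.220.220",
]

# Assumption: the administrator expects only the OpenDNS resolvers the poster
# configured. On a real network this is the DHCP server's resolver list.
EXPECTED_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

# MBAM: "<key> (<detection>) -> Data: <values> -> <action>"
MBAM_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\\S*NameServer) \([^)]*\) -> Data: (?P<data>.*?) ->"
)
# ComboFix supplementary scan: "TCP: {GUID} = ip,ip"
COMBOFIX_RE = re.compile(r"^TCP: \{(?P<guid>[0-9A-Fa-f-]+)\} = (?P<data>.+)$")
# Interface GUID embedded in a registry path
INTERFACE_RE = re.compile(r"\\Interfaces\\\{([0-9A-Fa-f-]+)\}\\")


def parse_resolvers(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (scope, [resolver, ...]) for every line in a recognised format.

    scope is "global" for the Parameters key itself, otherwise the interface
    GUID in lower case so MBAM and ComboFix spellings of one GUID match.
    """
    records = []
    for line in lines:
        m = MBAM_RE.match(line)
        if m:
            im = INTERFACE_RE.search(m.group("key"))
            scope = im.group(1).lower() if im else "global"
        else:
            m = COMBOFIX_RE.match(line)
            if not m:
                continue  # not a resolver line; skip
            scope = m.group("guid").lower()
        ips = []
        # Values are space separated in MBAM output, comma separated in ComboFix
        for token in re.split(r"[,\s]+", m.group("data").strip()):
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an address; ignore the token
        records.append((scope, ips))
    return records


def rogue_resolvers(
    lines: List[str], allowlist=EXPECTED_RESOLVERS
) -> List[Tuple[str, str]]:
    """Sorted (scope, resolver) pairs whose resolver is not on the allowlist."""
    findings = {
        (scope, ip)
        for scope, ips in parse_resolvers(lines)
        for ip in ips
        if ip not in allowlist
    }
    return sorted(findings)


if __name__ == "__main__":
    for scope, ip in rogue_resolvers(SAMPLE_LINES):
        print(f"unexpected resolver {ip} on {scope}")
```

To use it on a real machine, feed it the lines of an MBAM or ComboFix log (or a registry export reformatted the same way). The allowlist is the control here: it has to be the resolvers the network actually hands out, not whatever the registry currently holds, otherwise a rogue value simply allowlists itself.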

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 12 April 2010 - 11:03 PM

Hi southsidesweetie.

Alright. . . things are looking better here.

Did Malwarebytes find anything when you ran it?

Let's do a comprehensive scan to check for remaining malware on the machine. Please be aware that this scan will take some time to run.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

~Blade


In your next reply, please include the following:
Kaspersky Online Scan.
How is the computer running now?



#14 southsidesweetie

southsidesweetie
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 13 April 2010 - 05:12 PM

OK. When I said that a prompt popped up when I tried to open Firefox, it did the same thing when I tried to open MBAM, so I had to reboot. I scanned and the 2 were still there. I am going to the Kaspersky scanner now. I also found something very odd happening. I found a second icon for Internet Explorer (which I have used a total of 2 times since I even got this comp); there is no WAY I put it there and it's freaking me out. Also, every time I open Firefox it keeps prompting that Firefox is not my default browser, but I set that ages ago, and it keeps asking every time I open it now, even though I have selected yes to make it default. I think this malware is progressing to try to take over IE (since most people use it) as a browser hijack. Gah, I really hope this scan works. Will be back with results; also rescan MBAM after.

#15 southsidesweetie

southsidesweetie
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 13 April 2010 - 09:39 PM

Wow, that scan just finished. Nothing except this stupid OLD game I have that always flags as adware, I think because its updater is called unwise. I've never had problems with it. It's just really old.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 13, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 13, 2010 19:47:08
Records in database: 3939804
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 234995
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:39:36


File name / Threat / Threats count
C:\Users\Christina\Documents\Southern Creative Designs\NealReeh\images-homes\Dope Wars.exe Infected: not-a-virus:AdWare.Win32.Gator.3013 1

Selected area has been scanned.

Well. I'm pretty sure it's still there, but this MBAM scan will take a while and I have to go to work in the morning. I will post as soon as I can with the MBAM again.



