Solved: redirects across ie7, ff & gc. ran adaware, spybot, etc but still happens
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
15-Nov-2009, 11:23 PM #1
redirects across ie7, ff & gc. ran adaware, spybot, etc but still happens
Redirects to sites such as toptvbytes.com in a new tab/window from legit links in Google, news sites, etc., or when idle. I rely on CA's security suite from my ISP (Cablevision/Optonline). I use CA, CC and OneCare to remove cookies, etc., fix the registry, etc.

Thanks for any help, HJT follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:19 PM, on 11/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv.msn.com/tv/guide/#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - (no file)
O3 - Toolbar: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - (no file)
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [P17Helper] "Rundll32" P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" -cl
O4 - HKLM\..\Run: [capfasem] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe"
O4 - HKLM\..\Run: [capfupgrade] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe"
O4 - HKLM\..\Run: [CaPPcl] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" /scan /startup
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8942.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1198793063703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8682 bytes
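As an added example (not code from the thread, and not part of HijackThis), a small Python triage script that parses HJT entry lines like the ones above and groups what a log reviewer checks first: O2/O3 entries whose DLL is gone, O4 Run keys whose program is named without a full path, O16 ActiveX download hosts, and O23 services with no vendor string. The excerpt it runs on is copied from the log posted above; the finding categories are this example's own, not HijackThis output.

```python
"""Triage helper for HijackThis v2 log entries (added example, not HJT code)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt: entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv.msn.com/tv/guide/#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - (no file)
O3 - Toolbar: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - (no file)
O4 - HKLM\..\Run: [P17Helper] "Rundll32" P17.dll,P17Helper
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")


def parse_entries(text):
    """Yield (section, body) for every HJT entry line (R0, O2, O4, ...)."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sect"), m.group("body")


def url_hosts(body):
    """Hostnames of every http(s) URL found in an entry body."""
    return [h for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h]


def command_target(cmd):
    """Program token of a Run-key command line, with surrounding quotes removed."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text):
    """Group the entries a log reviewer checks first, keyed by finding type."""
    found = defaultdict(list)
    for sect, body in parse_entries(text):
        if sect in ("R0", "R1"):
            # IE start/search pages: the host shows whether a hijacker swapped them
            found["browser_url_hosts"].extend(url_hosts(body))
        elif sect in ("O2", "O3") and body.endswith("(no file)"):
            # CLSID still registered but its DLL is gone: an orphaned entry
            m = CLSID_RE.search(body)
            found["orphaned_com"].append(m.group(0) if m else body)
        elif sect == "O4":
            m = RUN_RE.match(body)
            if m and ":\\" not in command_target(m.group("cmd")):
                # program named without a drive path, so it resolves through the
                # search path; confirm which binary actually loads
                found["run_without_path"].append(m.group("name"))
        elif sect == "O16":
            # hosts that ActiveX controls were downloaded from
            found["activex_hosts"].extend(url_hosts(body))
        elif sect == "O23":
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and parts[1] == "Unknown owner":
                # no vendor string: not malicious by itself, but unverified
                found["services_unknown_owner"].append(parts[0])
    return {kind: sorted(set(items)) for kind, items in found.items()}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```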
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
18-Nov-2009, 11:55 PM #2
bump
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; Location: California, USA)
19-Nov-2009, 03:06 AM #3
Hello there, and welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.
Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Please copy the following into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so, click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button.

To ensure that I get all the information, this log will need to be attached. If it is too large to attach, then upload it to Dropio and post the sharing link/URL (the Drop's URL will be similar to http://drop.io/daerk).

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
22-Nov-2009, 12:32 AM #4
NeonFx, Thanks for getting back to me.

OK, I think I got the OTS part right, however I downloaded SysProt.1.321C02.efw into a desktop folder but I don't know how to open it. I've double clicked it, but nothing happens.

Regards,

jcfpny
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; Location: California, USA)
22-Nov-2009, 02:27 AM #5
Good job. I think you got the wrong copy of SysProt. Please click on THIS LINK and download SysProt.zip to your desktop. Then unzip it by double-clicking on it and following the dialog.

Then double click on SysProt.exe which will be one of the files that were extracted from the archive and follow the instructions in Step 2 for me. Let me know if you still have trouble.
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
22-Nov-2009, 10:58 PM #6
Hah, now I've got about three SysProt.exes!

As further info, the redirects I'm complaining about are not constant and I haven't seen one in a few days. They didn't seem overly malicious as they went to what seem to be inoffensive sites (toptvbytes, serviceflags.com, etc.). It's almost as though someone was just trying to generate traffic. Sometimes there were some of those choice/option boxes that I was afraid to close.

Anyway, I hope I got it right this time, here goes (and thanks for your time):

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AAAAD000
Module End: AAAC5000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8C90000
Module End: F8C92000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: AA9266EA
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwCreateSection
Address: AAE89FD2
Driver Base: AAE80000
Driver End: AAE93000
Driver Name: \SystemRoot\System32\DRIVERS\kmxagent.sys
Function Name: ZwCreateSymbolicLinkObject
Address: AA92740B
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwMakeTemporaryObject
Address: AA92775C
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwOpenKey
Address: AA92664E
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwOpenSection
Address: AA927130
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwSetInformationProcess
Address: AAE89662
Driver Base: AAE80000
Driver End: AAE93000
Driver Name: \SystemRoot\System32\DRIVERS\kmxagent.sys
Function Name: ZwSetSystemInformation
Address: AA927538
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\System32\Drivers\Modem.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: AAE3B040
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: AAE3B990
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: AAE3BAF0
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: AAE3C5B0
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: AAE3C570
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: AAE3BB50
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: AA455480
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: AA455EC0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_READ
Jump To: AA456150
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: AA455F20
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: AA4561A0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: AA4554C0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: AA455EF0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
******************************************************************************************
******************************************************************************************
Ports:
Local Address: CALLERY-DAD:3653
Remote Address: A72-247-146-63.DEPLOY.AKAMAITECHNOLOGIES.COM:1935
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:2869
Remote Address: 192.168.1.1:1031
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT
Local Address: CALLERY-DAD:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CALLERY-DAD:5152
Remote Address: LOCALHOST:3800
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT
Local Address: CALLERY-DAD:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: CALLERY-DAD:1038
Remote Address: LOCALHOST:1025
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1036
Remote Address: LOCALHOST:1027
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: CALLERY-DAD:1029
Remote Address: LOCALHOST:1027
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1028
Remote Address: LOCALHOST:1025
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1027
Remote Address: LOCALHOST:1036
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1027
Remote Address: LOCALHOST:1029
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1027
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING
Local Address: CALLERY-DAD:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING
Local Address: CALLERY-DAD:1025
Remote Address: LOCALHOST:1038
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1025
Remote Address: LOCALHOST:1028
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED
Local Address: CALLERY-DAD:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING
Local Address: CALLERY-DAD:37935
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
State: LISTENING
Local Address: CALLERY-DAD:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: CALLERY-DAD:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CALLERY-DAD:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: CALLERY-DAD:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CALLERY-DAD:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CALLERY-DAD:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CALLERY-DAD:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CALLERY-DAD:44301
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\PnkBstrA.exe
State: NA
Local Address: CALLERY-DAD:3786
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CALLERY-DAD:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CALLERY-DAD:1272
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: CALLERY-DAD:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CALLERY-DAD:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: CALLERY-DAD:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: CALLERY-DAD:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\_restore{04A76C69-0C39-4C44-8C56-F7B63F14E0A8}
Status: Access denied
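As an added example (not from the thread and not SysProt's own code), a Python parser for the SysProt log format above that groups every SSDT and IRP hook by the driver installing it and lists the kernel modules reported hidden. The `known_prefixes` argument is an assumption the analyst supplies from what is installed on the machine (here CA's HIPS, whose drivers in the log are all Kmx*), not a built-in allowlist; the excerpt it runs on is copied from the log posted above with a few fields trimmed.

```python
"""Summarise a SysProt AntiRootkit log (added example, not SysProt's own code)."""
from collections import defaultdict

# Constructed excerpt: records copied (trimmed) from the SysProt log posted above.
SAMPLE_LOG = r"""
****************************************************
No Hidden Processes found
****************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Hidden: Yes
****************************************************
SSDT:
Function Name: ZwCreateKey
Address: AA9266EA
Driver Base: AA91C000
Driver End: AA92F000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys
Function Name: ZwCreateSection
Address: AAE89FD2
Driver Base: AAE80000
Driver End: AAE93000
Driver Name: \SystemRoot\System32\DRIVERS\kmxagent.sys
****************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: AAE3B990
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys
Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_READ
Jump To: AA456150
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys
"""


def basename(path):
    """Last component of a Windows path (the driver file name)."""
    return path.rsplit("\\", 1)[-1]


def parse_sysprot(text):
    """Return {section: [record, ...]}, one dict of Key/Value pairs per record."""
    sections = defaultdict(list)
    current, first_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"*", " "}:
            continue  # blank line or separator row
        if line.endswith(":") and ": " not in line:
            current, first_key = line[:-1], None  # "SSDT:", "IRP Hooks:", ...
            continue
        if current is None or ": " not in line:
            continue  # banner text or a "No ... found" note
        key, value = line.split(": ", 1)
        if first_key is None:
            first_key = key  # the section's first key starts each new record
        if key == first_key:
            sections[current].append({})
        sections[current][-1][key] = value
    return sections


def hooks_by_driver(sections):
    """Map each hooking driver to the SSDT functions and IRP handlers it hooks."""
    by_driver = defaultdict(list)
    for rec in sections.get("SSDT", []):
        by_driver[basename(rec["Driver Name"])].append(rec["Function Name"])
    for rec in sections.get("IRP Hooks", []):
        target = f'{basename(rec["Hooked Module"])}:{rec["Hooked IRP"]}'
        by_driver[basename(rec["Hooking Module"])].append(target)
    return {drv: sorted(v) for drv, v in by_driver.items()}


def hidden_modules(sections):
    """Kernel modules the log flags as Hidden: Yes."""
    return sorted(basename(r["Module Name"]) for r in sections.get("Kernel Modules", [])
                  if r.get("Hidden") == "Yes")


def unexplained_hookers(by_driver, known_prefixes):
    """Hooking drivers whose name matches none of the prefixes the analyst has
    accounted for (assumption here: CA's HIPS drivers, all named Kmx*)."""
    prefixes = tuple(p.lower() for p in known_prefixes)
    return sorted(d for d in by_driver if not d.lower().startswith(prefixes))


if __name__ == "__main__":
    parsed = parse_sysprot(SAMPLE_LOG)
    hooks = hooks_by_driver(parsed)
    print("hooks:", hooks, "\nhidden:", hidden_modules(parsed))
    print("not Kmx*:", unexplained_hookers(hooks, ["kmx"]))
```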
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; Location: California, USA)
23-Nov-2009, 01:04 AM #7
Please do the following:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
24-Nov-2009, 12:20 AM #8
Hello again,

When I tried to get and save combofix.exe to my desktop (from either of those links) my CA antivirus alerted to and deleted "Win32/SillyDl.PRR". What's up with that?

Thanks again,
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; Location: California, USA)
24-Nov-2009, 12:31 AM #9
Disable your antivirus before downloading it. As I said, antivirus tools will interfere with my tools because they will detect what they are capable of doing.

That is a false positive and it is a clean download despite what your AV says.
jcfpny (Junior Member, 12 posts; joined Nov 2009; Experience: Intermediate)
24-Nov-2009, 02:11 AM #10
OK, I could only "snooze" the anti-virus, but could disable the firewall. It ran as far as I can tell (as described/pictured in your instruction post).

Here goes the log:

ComboFix 09-11-23.02 - Dad 11/24/2009 0:51.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.212 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Dad\My Documents\ZbThumbnail.info
c:\windows\system32\Data
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.
2009-11-20 18:37 . 2009-11-20 18:37 138504 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-20 18:21 . 2009-11-20 18:45 363584 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-11-20 18:21 . 2009-11-20 18:26 461888 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-11-20 18:21 . 2009-11-20 18:21 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\PunkBuster
2009-11-20 18:21 . 2009-11-20 18:44 179264 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-11-20 18:20 . 2009-11-20 18:36 887856 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-11-20 18:20 . 2009-11-20 18:36 57344 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-11-20 18:20 . 2009-11-20 18:36 2628672 ----a-w- c:\documents and settings\Dad\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-11-20 18:09 . 2009-11-20 18:09 -------- d-----w- c:\documents and settings\Dad\Application Data\id Software
2009-11-20 18:09 . 2009-11-20 18:36 214488 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-20 18:09 . 2009-11-20 18:09 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-20 18:09 . 2009-11-20 18:09 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-20 18:09 . 2009-11-20 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-11-18 14:23 . 2009-11-18 14:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-18 14:23 . 2009-11-18 14:23 -------- d-----w- c:\program files\MSBuild
2009-11-18 14:23 . 2009-11-18 14:23 -------- d-----w- c:\program files\Reference Assemblies
2009-11-18 14:22 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-18 14:22 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-18 14:22 . 2009-11-18 14:23 -------- d-----w- C:\73227020b0c2ddeecf45216c
2009-11-18 14:22 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-18 14:22 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-18 14:22 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-18 14:22 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-18 14:22 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-18 00:08 . 2009-11-18 00:08 -------- d-----w- c:\windows\Performance
2009-11-18 00:07 . 2009-11-18 00:07 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Microsoft Corporation
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 02:04 . 2008-01-04 21:26 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-11-23 15:05 . 2008-09-13 22:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-11-23 15:05 . 2008-09-13 22:06 363282 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-11-22 20:32 . 2008-01-03 03:16 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-17 22:41 . 2009-04-20 18:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-17 22:41 . 2009-11-03 22:15 152576 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-16 04:05 . 2009-11-16 04:05 -------- d-----w- c:\program files\AVG
2009-11-16 01:26 . 2009-11-11 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-16 01:02 . 2009-11-16 01:02 -------- d-----w- c:\program files\Trend Micro
2009-11-15 20:26 . 2008-01-24 03:19 -------- d-----w- c:\program files\Java
2009-11-14 21:57 . 2009-11-14 21:57 -------- d-----w- c:\program files\MSSOAP
2009-11-14 21:56 . 2009-11-14 21:56 -------- d-----w- c:\program files\Webroot
2009-11-14 21:56 . 2009-11-14 21:56 164 ----a-w- c:\windows\install.dat
2009-11-13 02:43 . 2009-11-13 02:43 -------- d-----w- c:\program files\Pawn 3
2009-11-11 02:53 . 2009-11-11 02:53 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-11 02:10 . 2009-07-28 03:37 -------- d-----r- c:\program files\Skype
2009-11-11 02:10 . 2009-06-18 01:02 -------- d-----w- c:\program files\Google
2009-11-11 02:10 . 2008-04-01 18:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-11 02:08 . 2007-12-27 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-11-09 12:48 . 2007-12-27 21:05 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-11-09 12:48 . 2007-12-27 21:05 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-11-09 12:48 . 2007-12-27 21:05 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-11-09 12:48 . 2007-12-27 21:05 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-11-09 12:48 . 2007-12-27 21:05 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-11-09 12:48 . 2007-12-27 21:05 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-14 13:06 . 2009-10-14 13:06 152576 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-13 14:24 . 2008-08-21 01:27 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-10-02 02:22 . 2008-01-08 06:22 -------- d-----w- c:\program files\AIM6
2009-10-02 02:22 . 2008-01-08 06:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-02 02:22 . 2009-10-02 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-10-02 02:21 . 2009-10-02 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-09-26 17:05 . 2007-12-27 19:16 -------- d-----w- c:\program files\Dell
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-03-20 05:16 . 2009-03-20 05:16 8 --sh--r- c:\windows\system32\D7AE89D910.sys
2009-05-30 20:34 . 2009-03-20 05:16 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-28 133104]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-21 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230640]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"CaPPcl"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2008-09-09 472304]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-15 14088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-17 149280]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 6:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 6:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 6:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 6:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 6:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 6:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 6:10 PM 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/8/2008 1:23 AM 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 6:08 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [12/27/2007 4:05 PM 185584]
.
Contents of the 'Scheduled Tasks' folder
2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-11-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as Dad at 4 05 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-12-27 12:43]
2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1078081533-725345543-1004Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-28 16:57]
2009-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1078081533-725345543-1004UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-28 16:57]
.
.
------- Supplementary Scan -------
.
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aa.com\www
Trusted Zone: accountonline.com\www
Trusted Zone: annualcreditreport.com\www
Trusted Zone: bankofamerica.com\www
Trusted Zone: citibank.com\online
Trusted Zone: citibank.com\web.da-us
Trusted Zone: citicards.com\www
Trusted Zone: fidelity.com\login
Trusted Zone: usps.gov\liteblue
Trusted Zone: wellsfargo.com\www
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\g0jnfisa.default\
FF - prefs.js: browser.startup.homepage - hxxp://tv.msn.com/tv/guide/
FF - plugin: c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(1396)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-11-24 01:01
ComboFix-quarantined-files.txt 2009-11-24 06:00
Pre-Run: 62,354,391,040 bytes free
Post-Run: 62,338,519,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 76B59131F20A6F32EF6CC0EBE8018882
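As an added example (my code, not anything posted in this thread and not part of ComboFix), a small Python helper that parses the Find3M Report and Reg Loading Points sections of a log like the one above and lists what a reviewer would look at first: files carrying hidden or system attributes, and autostart values that run from outside Program Files or Windows. The sample lines are constructed from the log above; the heuristics and EXPECTED_DIRS are my assumptions, and a flag is only a prompt to look, not a detection.

```python
"""Triage helper for a ComboFix-style log (added example, not a ComboFix tool).
Parses the Find3M Report and Reg Loading Points sections shown in the thread
and lists entries a reviewer would check first. A flag is a hint, not a verdict."""
import re

# Find3M line: <mtime> . <ctime> <size or --------> <attrs> <path>
FIND3M_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                       r"(\S+) ([-a-z]{8}) (.+)$")
# Autostart line: "Name"="value" [ - resolved path] [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (.+?))? \[(\d{4}-\d\d-\d\d) (\d+)\]$')
# Assumption: directories an autostart entry is ordinarily expected to run from.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

# Constructed sample: a few lines copied from the thread's ComboFix log.
SAMPLE_LOG = r"""
((((((((((( Find3M Report )))))))))))
2009-11-09 12:48 . 2007-12-27 21:05 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-11-16 04:05 . 2009-11-16 04:05 -------- d-----w- c:\program files\AVG
2009-03-20 05:16 . 2009-03-20 05:16 8 --sh--r- c:\windows\system32\D7AE89D910.sys
2009-05-30 20:34 . 2009-03-20 05:16 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((( Reg Loading Points )))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-28 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-21 181488]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
Contents of the 'Scheduled Tasks' folder
"""


def parse_sections(text):
    """Return (files, runs): dicts for Find3M lines and autostart values."""
    files, runs, section, key = [], [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if "Find3M Report" in line:
            section = "find3m"
        elif "Reg Loading Points" in line:
            section = "reg"
        elif line.startswith("Contents of"):
            section = None
        elif section == "find3m" and (m := FIND3M_RE.match(line)):
            mtime, ctime, size, attrs, path = m.groups()
            files.append({"mtime": mtime, "ctime": ctime, "attrs": attrs, "path": path,
                          "size": None if size.startswith("-") else int(size)})
        elif section == "reg" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key the following values belong to
        elif section == "reg" and (m := RUN_RE.match(line)):
            name, value, resolved, date, size = m.groups()
            runs.append({"key": key, "name": name, "value": value, "date": date,
                         "path": resolved or value, "size": int(size)})
    return files, runs


def triage(text):
    """Return (reason, item) pairs a reviewer should look at first."""
    files, runs = parse_sections(text)
    findings = []
    for f in files:
        if "h" in f["attrs"] or "s" in f["attrs"]:  # hidden or system attribute set
            findings.append(("hidden/system attribute", f["path"]))
    for r in runs:
        if not r["path"].lower().startswith(EXPECTED_DIRS):  # runs from a profile dir
            findings.append(("autostart outside expected dirs", r["name"]))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason:32} {item}")
```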
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
24-Nov-2009, 05:02 PM #11
I don't see anything in your logs that might be the cause of the problem. They look really clean to me. Let's see if we can find it with some other scans.

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box


Code:
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1220945662-1078081533-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1220945662-1078081533-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-21-1220945662-1078081533-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 9 domain(s) found.
[Empty Temp Folders]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

STEP 3

Download the GMER Rootkit Scanner.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


STEP 4

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
24-Nov-2009, 08:17 PM #12
Thanks for sticking with me. I haven't had any redirects or pop-up dialog boxes in a while. Here's the new OTS log:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Dad
->Temp folder emptied: 999424 bytes
->Temporary Internet Files folder emptied: 548402 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 52531822 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 40339059 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 92.20 mb

< End of fix log >
OTS by OldTimer - Version 3.1.6.1 fix logfile created on 11242009_190747
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
24-Nov-2009, 08:30 PM #13
Haha, maybe it heard me coming.
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
24-Nov-2009, 09:08 PM #14
Step 2 -- Apparently no problems:

Malwarebytes' Anti-Malware 1.41
Database version: 3225
Windows 5.1.2600 Service Pack 3
11/24/2009 8:06:26 PM
mbam-log-2009-11-24 (20-06-26).txt
Scan type: Full Scan (C:\|)
Objects scanned: 159298
Time elapsed: 30 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
24-Nov-2009, 09:09 PM #15
I'll be back later tonight to review steps 3 and 4.
All times are GMT -4. The time now is 09:53 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.