Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Search result links getting hijacked

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Search result links getting hijacked

Unread postby droidnoise » August 5th, 2009, 8:41 am

Search results are hijacked to other search/business listings. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:30 AM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jin ... s-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg

--
End of file - 7003 bytes
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am
Advertisement
Register to Remove

Re: Search result links getting hijacked

Unread postby MWR 3 day Mod » August 8th, 2009, 1:18 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Search result links getting hijacked

Unread postby turtledove » August 9th, 2009, 2:12 am

Hello droidnoise and welcome to the forums :)

I am turtledove, and will be assisting you with your log.
If you still need assistance, please do the following:

*Print all instructions or Copy to Notepad for reference.
*Please note, unless I'm notified ahead of time, this topic will close if there is not a response in 3 Days.
*Place a link to this thread in your Favorites/Bookmarks for easily returning here.
*Please respond until I give the all clear, as absence of symptoms does NOT always mean Clean.
*Please do not run any other tools/scans unless requested*
**Please be sure you have read the Notice about Peer to Peer File Sharing Programs at the top of this forum**
Link: viewtopic.php?f=11&t=33112
*If you can do the above all should go well.

**As I am an Undergrad, my responses will be approved by an Expert/Teacher before I post to you; therefore it may take a tad bit more time to reply.
Thanks for your patience.


Since it has been some time since your above post, please post the following logs. I will go over the new logs and return as soon as possible.

Step 1
Please make an Uninstall list :
To access the Uninstall Manager, please do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.

Step 2
Rerun HijackThis and Save the log.

Post the New HijackThis and the Uninstall list using the Reply button.

Thank you
turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Search result links getting hijacked

Unread postby droidnoise » August 9th, 2009, 8:04 am

Thank You Turtledove

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:28 AM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jin ... s-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg

--
End of file - 7010 bytes

ABBYY FineReader 5.0 Sprint
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 2.0
Adware Away v3.1.4.c
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 6
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avery DesignPro
Bonjour
Broadcom Advanced Control Suite 2
Broadcom Gigabit Integrated Controller
CA Anti-Spyware
CA Anti-Spyware
CA Anti-Virus
CA Anti-Virus
CA Pest Patrol Realtime Protection
Critical Update for Windows Media Player 11 (KB959772)
Dell AIO Printer A920
Dell Media Experience
Dell ResourceCD
FaxTools
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) 537EP V9x DF PCI Modem
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 7
LightScribe System Software 1.12.29.2
MediaFACE II
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB954430)
mTrax
Nero 7 Essentials
neroxml
PowerDVD 5.1
Quicken 2007
QuickTime
Rhapsody Player Engine
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SoundMAX
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Defender
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby turtledove » August 10th, 2009, 4:13 pm

Hello droidnoise,

You are welcome.:)

*Please Copy/Print out these instructions for easy reference.
*Follow in the order given

*Question: Do you know this site or did you set it as your start page? hxxp://www.toast.net/start



Step 1

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Step 2

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.



Post
mbam-log-date (time).txt
RSIT log.txt and info.txt
Any Remaining problems

Thank you

TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Search result links getting hijacked

Unread postby droidnoise » August 10th, 2009, 7:15 pm

Turtledove,

Toast.net is my ISP home page. For the future, I presumably now have all these systems running, should I un-install any of them as redundant?

Windows Defender
CA Anti virus
CA Anti spyware
Spybot
Malwarebytes' Anti Malware
Hijack This
RSIT

Thanks Again!

Droidnoise




Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 5.1.2600 Service Pack 3

8/10/2009 5:49:35 PM
mbam-log-2009-08-10 (17-49-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145535
Time elapsed: 46 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v3.1.4.c_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\InprocServer32\(default) (Hijack.Repdrvfs) -> Bad: (\\?\globalroot\systemroot\installer\5d03211b.msi) Good: (repdrvfs.dll) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP576\A0030542.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029455.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029456.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029459.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029463.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029464.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029466.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029471.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029472.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029473.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029474.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029475.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029476.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029478.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029479.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029480.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029481.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029482.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029483.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029484.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029485.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029486.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029495.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029496.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029497.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029498.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}\RP575\A0029506.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\5d03211b.msi (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Adware Away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdwareAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\DiagnosticScan.SYS (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumAutoRun.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\FixDesktopBackground.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\lsp.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\notifydll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\protocolfilter.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ScanAtStartup.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\screenshot.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextension.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\Start1Driver.SYS (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\svchostdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\sysrestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\Update2.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Update.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\O'Kelley\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.


Logfile of random's system information tool 1.06 (written by random/random)
Run by O'Kelley at 2009-08-10 17:59:13
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 133 GB (87%) free of 153 GB
Total RAM: 510 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:31 PM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\O'Kelley\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\O'Kelley.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jin ... s-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg

--
End of file - 7222 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46c4-B683-905236F6F655}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"=C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe [2004-04-15 270336]
"cctray"=C:\Program Files\CA\CA Internet Security Suite\casc.exe [2009-02-18 374000]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2009-08-03 230664]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"CAPPActiveProtection"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe [2009-02-15 324848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-28 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-04-11 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf7husjnfg98gi498aejhiugjkdg4]
C:\DOCUME~1\O'Kelley\LOCALS~1\Temp\bwmipeo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2008-01-24 2289664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LowRiskFileTypes]
C:\WINDOWS\sysguard.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
C:\windows\ld12.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3
"WinDefend"=2
"spkrmon"=2
"ose"=3
"NMIndexingService"=3
"NBService"=3
"MyWebSearchService"=2
"idsvc"=3
"gusvc"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
C:\WINDOWS\system32\UmxWnp.Dll [2007-06-06 79368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\NeroExpress\Installation\Setupx.exe"="D:\NeroExpress\Installation\Setupx.exe:*:Enabled:Nero ProductSetup"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-10 17:59:13 ----D---- C:\rsit
2009-08-10 16:59:52 ----D---- C:\Documents and Settings\O'Kelley\Application Data\Malwarebytes
2009-08-10 16:59:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-10 16:59:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-03 18:25:17 ----D---- C:\Program Files\Common Files\Scanner
2009-07-18 08:03:05 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-17 07:01:45 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-15 03:02:00 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-14 10:59:32 ----D---- C:\Program Files\Trend Micro

======List of files/folders modified in the last 1 months======

2009-08-10 17:53:46 ----D---- C:\Program Files\Mozilla Firefox
2009-08-10 17:53:05 ----D---- C:\WINDOWS\Temp
2009-08-10 17:52:51 ----SD---- C:\WINDOWS\Tasks
2009-08-10 17:52:43 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-10 17:52:13 ----SHD---- C:\WINDOWS\Installer
2009-08-10 17:52:13 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 17:51:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-10 17:51:20 ----D---- C:\WINDOWS\Prefetch
2009-08-10 17:49:35 ----RD---- C:\Program Files
2009-08-10 17:49:35 ----D---- C:\WINDOWS
2009-08-10 16:56:30 ----A---- C:\WINDOWS\dellstat.ini
2009-08-09 20:58:16 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-05 07:28:24 ----D---- C:\Program Files\Common Files
2009-08-03 18:39:17 ----A---- C:\caisslog.txt
2009-08-03 18:26:20 ----D---- C:\WINDOWS\system32
2009-08-03 18:25:27 ----D---- C:\Program Files\CA
2009-08-03 18:25:22 ----D---- C:\WINDOWS\Downloaded Installations
2009-08-03 18:25:04 ----D---- C:\WINDOWS\system32\wbem
2009-08-02 17:22:03 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-02 13:51:13 ----D---- C:\WINDOWS\Minidump
2009-07-23 15:42:26 ----D---- C:\WINDOWS\CAVTemp
2009-07-18 22:40:55 ----D---- C:\WINDOWS\WinSxS
2009-07-18 22:40:44 ----D---- C:\Program Files\Adobe
2009-07-18 22:40:37 ----D---- C:\Program Files\Common Files\Adobe
2009-07-17 07:49:30 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-17 07:40:43 ----A---- C:\WINDOWS\imsins.BAK
2009-07-17 07:22:15 ----D---- C:\Program Files\Google
2009-07-17 07:21:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-16 18:24:45 ----D---- C:\BACKUP
2009-07-15 03:03:52 ----HD---- C:\WINDOWS\inf
2009-07-15 03:03:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-12 18:49:11 ----A---- C:\WINDOWS\system.ini
2009-07-11 21:31:23 ----D---- C:\Documents and Settings\O'Kelley\Application Data\AdobeUM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KmxAgent;KmxAgent; C:\WINDOWS\System32\DRIVERS\kmxagent.sys [2008-11-18 72696]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 Start1Driver;Start1Driver; C:\WINDOWS\system32\drivers\Start1Driver.sys [2009-03-14 5120]
R1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2008-06-04 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2008-01-09 21648]
R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2008-01-09 26640]
R1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2008-01-09 32528]
R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2008-01-09 21392]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-05-28 730112]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-04-29 186112]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2003-11-20 1232741]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2003-11-20 646825]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2003-11-20 59717]
R3 KmxCfg;KmxCfg; C:\WINDOWS\System32\DRIVERS\kmxcfg.sys [2008-12-12 205304]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2003-11-20 37048]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-09 612352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2008-06-04 108368]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2008-04-25 194362]
S1 hdfmopkg;hdfmopkg; \??\C:\WINDOWS\system32\drivers\hdfmopkg.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 HidCom;USB-HID -> COM Driver Service; C:\WINDOWS\system32\DRIVERS\BdHidCom.sys [2008-01-12 17408]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-03-05 36864]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-05-28 397312]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2008-01-09 144960]
R2 ccSchedulerSVC;CA Common Scheduler Service; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [2009-02-18 128240]
R2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe [2008-09-29 283888]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-04-15 303104]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-01-24 73728]
R2 UmxAgent;HIPS Event Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2008-12-12 1153528]
R2 UmxCfg;HIPS Configuration Interpreter; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2008-12-10 797176]
R2 UmxPol;HIPS Policy Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-12-19 297464]
R2 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2009-08-03 242952]
R3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2009-08-03 214256]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-05-28 516096]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 PPCtlPriv;PPCtlPriv; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2009-02-15 222448]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-11-28 800040]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-08-28 61440]
S4 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
info.txt logfile of random's system information tool 1.06 2009-08-10 17:59:33

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /X{166478EA-A017-43C0-BE42-7560BD5A646B}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft PhotoImpression 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9092875A-D6E1-4B76-84F5-F9C0C6E14D10}\arcsoft_setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avery DesignPro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\setup.exe" -l0x9 -uninst
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom Advanced Control Suite 2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
Broadcom Gigabit Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CA Anti-Spyware-->"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\setup\ccinstaller.exe" /u /silent /module="pp"
CA Anti-Spyware-->"C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=pp
CA Anti-Virus-->"C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
CA Anti-Virus-->"C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
CA Pest Patrol Realtime Protection-->MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell AIO Printer A920-->C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
Dell Media Experience-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
FaxTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Intel(R) 537EP V9x DF PCI Modem-->rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
iTunes-->MsiExec.exe /I{C26B06A9-27BB-45B0-9873-9C623EC2BA38}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LightScribe System Software 1.12.29.2-->MsiExec.exe /X{CF8C077A-B467-4C43-8DB5-3A9B94FF9681}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaFACE II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC1D7AD2-583A-4024-9041-387E8FFA5D8C}\setup.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.13)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
mTrax-->"C:\Program Files\TerraSofta\mTrax\unins000.exe"
Nero 7 Essentials-->MsiExec.exe /X{7BAA9BA8-0761-42EF-842A-23FAA5321033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PowerDVD 5.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken 2007-->MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

R3 - Default URLSearchHook is missing [2009-07-15]
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\ [2009-08-05]
O2 - BHO: (no name) - AutorunsDisabled - (no file) [2009-08-05]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: CA Anti-Virus

======System event log======

Computer Name: HAL
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {9732F353-BDFE-4C82-96BA-BA884747CE15}

User: HAL\O'Kelley

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}

Alert Type: Unclassified software

Detection Type:

Record Number: 20499
Source Name: WinDefend
Time Written: 20090706133812.000000-300
Event Type: warning
User:

Computer Name: HAL
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {8185ACCF-27B3-4012-8C56-8BADD8CBA871}

User: HAL\O'Kelley

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}

Alert Type: Unclassified software

Detection Type:

Record Number: 20498
Source Name: WinDefend
Time Written: 20090706133812.000000-300
Event Type: warning
User:

Computer Name: HAL
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {9F76F7DB-ACB8-47A5-9BED-7792663CC4AC}

User: HAL\O'Kelley

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};file:C:\WINDOWS\system32\gsf83iujid.dll

Alert Type: Unclassified software

Detection Type:

Record Number: 20496
Source Name: WinDefend
Time Written: 20090706133810.000000-300
Event Type: warning
User:

Computer Name: HAL
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {4B764798-85F2-4AE7-8F66-9C78FB43FDF5}

User: HAL\O'Kelley

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}

Alert Type: Unclassified software

Detection Type:

Record Number: 20490
Source Name: WinDefend
Time Written: 20090706133810.000000-300
Event Type: warning
User:

Computer Name: HAL
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {39C3DFE6-A9A5-40E0-88CB-3769609209B2}

User: HAL\O'Kelley

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D76AB2A1-00F3-42BD-F434-00BBC39C8953};file:C:\WINDOWS\system32\gsf83iujid.dll

Alert Type: Unclassified software

Detection Type:

Record Number: 20489
Source Name: WinDefend
Time Written: 20090706133810.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: HAL
Event Code: 1517
Message: Windows saved user HAL\O'Kelley registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 138
Source Name: Userenv
Time Written: 20090418141706.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HAL
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 137
Source Name: Userenv
Time Written: 20090418141705.000000-300
Event Type: warning
User: HAL\O'Kelley

Computer Name: HAL
Event Code: 1517
Message: Windows saved user HAL\O'Kelley registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 76
Source Name: Userenv
Time Written: 20090415030829.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HAL
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 75
Source Name: Userenv
Time Written: 20090415030828.000000-300
Event Type: warning
User: HAL\O'Kelley

Computer Name: HAL
Event Code: 1001
Message: Detection of product '{91130409-6000-11D3-8CFE-0150048383C9}', feature 'TCWorks7Files' failed during request for component '{35C45311-5DBD-4CA8-9872-6D94D6C75EC2}'

Record Number: 33
Source Name: MsiInstaller
Time Written: 20090410205137.000000-300
Event Type: warning
User: HAL\O'Kelley

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby turtledove » August 11th, 2009, 8:52 pm

Hello droidnoise,

Is your CA Internet security suite subscription up to date ? Regarding the other tools I will give you some recommendations once we are finished.The RSIT we will take care of along with any other tools when your system is clean.

Did you set a web page as your Desktop background? It is what shows as O24 in your log. If not, we will take care of that as well.
O24 - Desktop Component 0: (no name) - hxxp://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg


**Please Copy/Print all instructions for reference, as there will be times you'll be off the internet**
**If ANY problems or questions, stop and ASK before continuing**


Step 1
Turn off excess scanners:

Disable Windows Defender


  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.



Step 2
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.





Post
C:\ComboFix.txt
Any problems remaining?

Thank you,
TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Search result links getting hijacked

Unread postby droidnoise » August 12th, 2009, 2:20 pm

The jpg on the desktop was a photo used on a Facebook page. I do have another photo as the desktop background but the details you gave refered to the former. Otherwise, I've encountered some problems. CA shows a warning that it hasn't been updated in 9 days (which it is supposed to do automatically every day!) Several attempt all ended with error messages.
Could these recent program additions be preventing the updates? Nor could I dis-able Windows Defender because I could not open it. (failed to initialize...) I couldn't connect to Beepingcomputer.com but the link here works fine so I will continue with the steps for now.

Droid
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby droidnoise » August 12th, 2009, 2:34 pm

Cannot continue. CA, Windows Defender and Spybot all refuse to open well enough to update or dis-able.
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby turtledove » August 13th, 2009, 11:25 am

Hello droidnoise,

The items I've had you use do not disable , they only look to see what exists on your computer. The infection, may have disabled your CA Suite and caused others not to run.
**Copy/Print these instructions for reference.
*Stop if you have any problems with any instruction; describing the issue**

Did you receive any error messages when trying to open Windows Defender, CA or Spybot?
Any message on web page when you tried to get Combo Fix instructions? Did you try with Internet Explorer and/or Firefox?


SysProt Antirootkit

Download SysProt Antirootkit from HERE (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive.
  • Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Post
SysProt text file the scan made
Describe any other/continuing issues fully

Thank you

TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Search result links getting hijacked

Unread postby droidnoise » August 13th, 2009, 5:50 pm

Here are logs from Combofix and Antiroot kit. Still unable to update CA Antivirus.

ComboFix 09-08-10.06 - O'Kelley 08/13/2009 16:16.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.84 [GMT -5:00]
Running from: c:\documents and settings\O'Kelley\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 00:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 22:59 . 2009-08-10 22:59 -------- d-----w- C:\rsit
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 23:25 . 2009-08-03 23:25 -------- d-----w- c:\program files\Common Files\Scanner
2009-08-03 23:25 . 2009-02-18 18:54 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll
2009-08-03 22:19 . 2009-03-14 11:48 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-07-18 13:03 . 2009-07-18 13:03 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-17 12:01 . 2009-08-03 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 05:01 . 2008-05-13 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:25 . 2008-01-09 23:20 -------- d-----w- c:\program files\CA
2009-08-02 22:22 . 2009-07-06 18:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 04:37 . 2004-08-12 14:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-12 13:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-19 03:40 . 2008-01-20 23:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2004-08-12 13:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:22 . 2008-05-13 23:48 -------- d-----w- c:\program files\Google
2009-07-14 15:59 . 2009-07-14 15:59 -------- d-----w- c:\program files\Trend Micro
2009-07-14 04:43 . 2004-08-12 14:10 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 02:31 . 2008-01-20 23:16 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\AdobeUM
2009-07-07 18:58 . 2009-07-07 18:58 0 ----a-w- c:\windows\nsreg.dat
2009-07-06 23:00 . 2004-08-12 13:57 1033728 ----a-w- c:\windows\explorer.exe
2009-07-06 21:34 . 2008-01-10 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-06 18:43 . 2009-07-06 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-20 18:39 . 2008-01-07 00:02 -------- d-----w- c:\program files\Dell AIO Printer A920
2009-06-12 12:31 . 2004-08-12 14:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-01-05 18:48 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-12 14:09 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-02-18 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-08-03 230664]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2009-02-15 324848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 20:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [8/3/2009 5:19 PM 5120]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [8/3/2009 6:24 PM 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
R3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\O'Kelley\Desktop\SysProt\SysProtDrv.sys [8/13/2009 3:50 PM 44288]
S1 hdfmopkg;hdfmopkg;\??\c:\windows\system32\drivers\hdfmopkg.sys --> c:\windows\system32\drivers\hdfmopkg.sys [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [1/12/2008 10:19 AM 17408]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/3/2009 6:25 PM 222448]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYSPROTDRV.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 16:54]

2009-08-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toast.net/start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\O'Kelley\Application Data\Mozilla\Firefox\Profiles\i4innrkf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(4256)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-13 16:26
ComboFix-quarantined-files.txt 2009-08-13 21:26
ComboFix2.txt 2009-08-13 20:39

Pre-Run: 141,556,117,504 bytes free
Post-Run: 141,540,335,616 bytes free

170 --- E O F --- 2009-08-13 08:03

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 672
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 728
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 796
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1356
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LEXBCES.EXE
PID: 1524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1552
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LEXPPS.EXE
PID: 1568
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
PID: 1620
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
PID: 1712
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
PID: 1744
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1880
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1916
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1972
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
PID: 2028
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
PID: 304
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 540
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
PID: 660
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2116
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 2152
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
PID: 2852
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
PID: 2892
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
PID: 2900
Hidden: No
Window Visible: Yes

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3104
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3420
Hidden: No
Window Visible: No

Name: C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PID: 3444
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 3756
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 1680
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\O'Kelley\Desktop\SysProt\SysProt.exe
PID: 3116
Hidden: No
Window Visible: Yes

Name: C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
PID: 3148
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PID: 3300
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\O'Kelley\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B2901000
Module End: B290C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B2208000
Module End: B222C000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8C1A000
Module End: F8C1C000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8B2A000
Module End: F8B2D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F86CB000
Module End: F86F9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8C1C000
Module End: F8C1E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F86BA000
Module End: F86CB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F871A000
Module End: F8724000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F8CE2000
Module End: F8CE3000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F899A000
Module End: F89A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8C1E000
Module End: F8C20000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F872A000
Module End: F8735000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F869B000
Module End: F86BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F89A2000
Module End: F89A7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F873A000
Module End: F8747000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F8683000
Module End: F869B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\iaStor.sys
Service Name: iastor
Module Base: F8610000
Module End: F8683000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F874A000
Module End: F8753000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F875A000
Module End: F8767000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F85F0000
Module End: F8610000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F85DE000
Module End: F85F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F85C7000
Module End: F85DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F853A000
Module End: F85C7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F850D000
Module End: F853A000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F876A000
Module End: F8779000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F84F3000
Module End: F850D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmxstart.sys
Service Name: KmxStart
Module Base: F84D3000
Module End: F84F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F898A000
Module End: F8993000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F7927000
Module End: F79F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7913000
Module End: F7927000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Service Name: b57w2k
Module Base: F78E5000
Module End: F7913000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F8A5A000
Module End: F8A60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F78C1000
Module End: F78E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F8A62000
Module End: F8A6A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IntelC53.sys
Service Name: IntelC53
Module Base: F878A000
Module End: F8798000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F789E000
Module End: F78C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IntelC51.sys
Service Name: IntelC51
Module Base: F7777000
Module End: F789E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IntelC52.sys
Service Name: IntelC52
Module Base: F76E2000
Module End: F7777000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mohfilt.sys
Service Name: mohfilt
Module Base: F8A6A000
Module End: F8A70000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F8A72000
Module End: F8A7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F764C000
Module End: F76E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F7628000
Module End: F764C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F879A000
Module End: F87A9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys
Service Name: aeaudio
Module Base: F8C52000
Module End: F8C54000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F87AA000
Module End: F87B7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F8A82000
Module End: F8A88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F8A8A000
Module End: F8A90000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7614000
Module End: F7628000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F87BA000
Module End: F87CA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F8492000
Module End: F8496000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7A85000
Module End: F7A90000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Afc.sys
Service Name: Afc
Module Base: F8A92000
Module End: F8A9A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7A75000
Module End: F7A85000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7A65000
Module End: F7A74000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F8A9A000
Module End: F8A9F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8D47000
Module End: F8D48000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7A55000
Module End: F7A62000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F848A000
Module End: F848D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F75FD000
Module End: F7614000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F7A45000
Module End: F7A50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7A35000
Module End: F7A41000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F8AA2000
Module End: F8AA7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F75EC000
Module End: F75FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7A25000
Module End: F7A2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F8AAA000
Module End: F8AAF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8AB2000
Module End: F8AB7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7A15000
Module End: F7A1F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8C54000
Module End: F8C56000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F758E000
Module End: F75EC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F847E000
Module End: F8482000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\windrvr6.sys
Service Name: WinDriver6
Module Base: F755E000
Module End: F758E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\USBD.SYS
Service Name: ---
Module Base: F8C56000
Module End: F8C58000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F894A000
Module End: F8954000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B90EF000
Module End: B90FE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: B88EC000
Module End: B88F0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: ECD7E000
Module End: ECD83000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VETFDDNT.SYS
Service Name: VETFDDNT
Module Base: EDC27000
Module End: EDC2B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kmxagent.sys
Service Name: KmxAgent
Module Base: B4330000
Module End: B4345000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kmxcfg.sys
Service Name: KmxCfg
Module Base: B42F9000
Module End: B4330000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VETEBOOT.SYS
Service Name: VETEBOOT
Module Base: B42E1000
Module End: B42F9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: B5509000
Module End: B550D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: B4365000
Module End: B436C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F8CAE000
Module End: F8CB0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VETEFILE.SYS
Service Name: VETEFILE
Module Base: B421D000
Module End: B42E1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VET-REC.SYS
Service Name: VET-REC
Module Base: B4B04000
Module End: B4B08000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VET-FILT.SYS
Service Name: VET-FILT
Module Base: B4345000
Module End: B434B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VETMONNT.SYS
Service Name: VETMONNT
Module Base: B87A9000
Module End: B87B0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: B4B51000
Module End: B4B52000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8CB0000
Module End: F8CB2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: B87A1000
Module End: B87A7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8CB2000
Module End: F8CB4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F8CB4000
Module End: F8CB6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: B8799000
Module End: B879E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: B8791000
Module End: B8799000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B88E8000
Module End: B88EB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B41EA000
Module End: B41FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B4191000
Module End: B41EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B4169000
Module End: B4191000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B4143000
Module End: B4169000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B4121000
Module End: B4143000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: B8B80000
Module End: B8B89000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: B8B70000
Module End: B8B79000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Start1Driver.SYS
Service Name: Start1Driver
Module Base: B8789000
Module End: B8790000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B40F6000
Module End: B4121000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Service Name: OMCI
Module Base: B8733000
Module End: B8737000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B4086000
Module End: B40F6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: B8101000
Module End: B810C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: B80D1000
Module End: B80E1000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
Service Name: ---
Module Base: B4013000
Module End: B4086000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: B8480000
Module End: B8483000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: B8771000
Module End: B8776000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8CE8000
Module End: F8CE9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EE57C000
Module End: EE580000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B2F46000
Module End: B2F73000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: BA325000
Module End: BA327000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B2DDC000
Module End: B2E2E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B2B1F000
Module End: B2B34000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B2C34000
Module End: B2C43000
Hidden: No

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: B435D000
Module End: B4365000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: F8CB6000
Module End: F8CB8000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: B2F02000
Module End: B2F06000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F8A7A000
Module End: F8A81000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwSetInformationProcess
Address: B433ACE8
Driver Base: B4330000
Driver End: B4345000
Driver Name: \SystemRoot\System32\DRIVERS\kmxagent.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: HAL:1092
Remote Address: ADDONS.ACELB.SJ.MOZILLA.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1091
Remote Address: DYNA-AUS2.NSLB.SJ.MOZILLA.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1088
Remote Address: IW-IN-F137.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1087
Remote Address: IW-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LAST_ACK

Local Address: HAL:1086
Remote Address: IW-IN-F100.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LAST_ACK

Local Address: HAL:1085
Remote Address: 74.125.95.106:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LAST_ACK

Local Address: HAL:1084
Remote Address: 74.125.95.106:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LAST_ACK

Local Address: HAL:1083
Remote Address: IW-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1082
Remote Address: IW-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LAST_ACK

Local Address: HAL:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HAL:27015
Remote Address: LOCALHOST:1034
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: HAL:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: HAL:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: HAL:1041
Remote Address: LOCALHOST:1040
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1040
Remote Address: LOCALHOST:1041
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1038
Remote Address: LOCALHOST:1037
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1037
Remote Address: LOCALHOST:1038
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HAL:1034
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: HAL:1033
Remote Address: LOCALHOST:1028
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
State: ESTABLISHED

Local Address: HAL:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: HAL:1030
Remote Address: LOCALHOST:1026
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
State: ESTABLISHED

Local Address: HAL:1028
Remote Address: LOCALHOST:1033
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED

Local Address: HAL:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING

Local Address: HAL:1027
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING

Local Address: HAL:1026
Remote Address: LOCALHOST:1030
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: ESTABLISHED

Local Address: HAL:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
State: LISTENING

Local Address: HAL:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\LEXPPS.EXE
State: LISTENING

Local Address: HAL:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HAL:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HAL:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: HAL:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HAL:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HAL:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HAL:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HAL:59651
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: HAL:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HAL:1029
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: HAL:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HAL:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{87566595-DAB9-40BC-BFE6-514A1C53DEBE}
Status: Access denied
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby turtledove » August 14th, 2009, 1:31 pm

Hello Droidnoise,

Thank you for the reports.

*Copy or Print for easy reference*
*Note: Please post in order listed at end of these instructions
*Please do NOT run any tools till asked again.
I would like to see any information that might be available from the first time you ran ComboFix.

Step 1
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:

C:\qoobox In that folder you will find the ComboFix log files.

Please post the contents of each of those log files in your next reply. (Except the one you posted)



Step 2
Online Multi Antivirus file scan

Please go to either: Jotti or Virus Total and upload the following file(s) for scanning:

c:\windows\system32\drivers\hdfmopkg.sys

Using Jotti
  1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
  2. Click on Submit..button.
  3. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
  4. When all scans have completed... Highlight the results text, beginning with "File...and select all text down to the last scan result.
  5. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
  6. Please repeat this procedure for each file listed above.
  7. Paste the contents of all the Jotti scan results in your next reply.

OR

Using Virus Total
  1. Please copy and paste... the above mentioned full path and file name...in the text box next to the Browse button.
  2. Click on Send File...button.
  3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
  4. When the scan is completed...press the "Compact" icon
  5. The results will be shown in a grid like window...please Select and Copy the entire contents.
  6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
  7. Please repeat this procedure for each file listed above.
  8. Paste the contents of all the Virus Total results in your next reply.



Step 3
Kaspersky Online Scan


Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Note: There is a tutorial Here If you need one.



Post
Results from Virus Total OR Jotti
Results from Kaspersky Scan
Any problems still remaining, how is the computer acting?

Thank you
TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Search result links getting hijacked

Unread postby droidnoise » August 14th, 2009, 4:08 pm

Your post asked me to run Combofix. I did that. Your next post ask me to run Sysprot. I did that. I lost the post with the combfix text. I ran a search of the computer to find combofix.txt and got nothing so I ran it again, after all it's "just looking at what's on my computer".
Anyway, I now have no communication with my printer (restart did not help) and cannot print instructions. I'll try the new downloads scans if I can get the printer going.

2009-08-13 20:24:52 . 2009-08-13 20:24:52 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat
2009-08-13 20:24:52 . 2009-08-13 20:24:52 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-08-13 20:24:52 . 2009-08-13 20:24:52 892 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MYWEBSEARCHSERVICE.reg.dat
2009-08-13 20:24:43 . 2009-08-13 21:20:01 5,038 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-13 20:18:08 . 2009-08-13 21:15:34 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-02-10 22:10:55 . 2008-02-10 22:11:02 8,563 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\O'Kelley\Local Settings\Temporary Internet Files\default 1 .xls.vir

ABBYY FineReader 5.0 Sprint
Adobe Flash Player 10 Plugin
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 6
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avery DesignPro
Bonjour
Broadcom Advanced Control Suite 2
Broadcom Gigabit Integrated Controller
CA Anti-Spyware
CA Anti-Virus
CA Pest Patrol Realtime Protection
Critical Update for Windows Media Player 11 (KB959772)
Dell AIO Printer A920
Dell Media Experience
Dell ResourceCD
FaxTools
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) 537EP V9x DF PCI Modem
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 7
LightScribe System Software 1.12.29.2
Malwarebytes' Anti-Malware
MediaFACE II
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB954430)
mTrax
Nero 7 Essentials
neroxml
PowerDVD 5.1
Quicken 2007
QuickTime
Rhapsody Player Engine
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SoundMAX
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Defender
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
ComboFix 09-08-10.06 - O'Kelley 08/13/2009 15:21.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.186 [GMT -5:00]
Running from: c:\documents and settings\O'Kelley\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
ADS - explorer.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\O'Kelley\Local Settings\Temporary Internet Files\default 1 .xls


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 00:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 22:59 . 2009-08-10 22:59 -------- d-----w- C:\rsit
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 23:25 . 2009-08-03 23:25 -------- d-----w- c:\program files\Common Files\Scanner
2009-08-03 23:25 . 2009-02-18 18:54 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll
2009-08-03 22:19 . 2009-03-14 11:48 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-07-18 13:03 . 2009-07-18 13:03 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-17 12:01 . 2009-08-03 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 05:01 . 2008-05-13 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:25 . 2008-01-09 23:20 -------- d-----w- c:\program files\CA
2009-08-02 22:22 . 2009-07-06 18:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 04:37 . 2004-08-12 14:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-12 13:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-19 03:40 . 2008-01-20 23:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2004-08-12 13:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:22 . 2008-05-13 23:48 -------- d-----w- c:\program files\Google
2009-07-14 15:59 . 2009-07-14 15:59 -------- d-----w- c:\program files\Trend Micro
2009-07-14 04:43 . 2004-08-12 14:10 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 02:31 . 2008-01-20 23:16 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\AdobeUM
2009-07-07 18:58 . 2009-07-07 18:58 0 ----a-w- c:\windows\nsreg.dat
2009-07-06 23:00 . 2004-08-12 13:57 1033728 ----a-w- c:\windows\explorer.exe
2009-07-06 21:34 . 2008-01-10 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-06 18:43 . 2009-07-06 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-20 18:39 . 2008-01-07 00:02 -------- d-----w- c:\program files\Dell AIO Printer A920
2009-06-12 12:31 . 2004-08-12 14:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-01-05 18:48 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-12 14:09 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-02-18 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-08-03 230664]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2009-02-15 324848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 20:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [8/3/2009 5:19 PM 5120]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [8/3/2009 6:24 PM 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
S1 hdfmopkg;hdfmopkg;\??\c:\windows\system32\drivers\hdfmopkg.sys --> c:\windows\system32\drivers\hdfmopkg.sys [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [1/12/2008 10:19 AM 17408]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/3/2009 6:25 PM 222448]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 16:54]

2009-08-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toast.net/start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\O'Kelley\Application Data\Mozilla\Firefox\Profiles\i4innrkf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 15:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(604)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-13 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 20:39

Pre-Run: 140,350,828,544 bytes free
Post-Run: 141,544,407,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

198 --- E O F --- 2009-08-13 08:03
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby droidnoise » August 14th, 2009, 6:31 pm

I'm sorry to get sidetracked here but I guess it can't be helped. I am getting an error message regarding the printer that says "The Directory Service is unavailable". In researching that I noticed something about "Recovery Console". During the Sysprot thing yesterday, I got a message and the Sysprot downloaded a new Recovery Console from Microsoft. It's the only thing I can think of that has changed since I last printed. Any thoughts?
droidnoise
Regular Member
 
Posts: 20
Joined: August 5th, 2009, 8:34 am

Re: Search result links getting hijacked

Unread postby turtledove » August 14th, 2009, 7:44 pm

Hello droidnoise,

You did fine, thank you. :)
While I look into the log information and printer issue, would you please go ahead and run the Kaspersky online Scan please. Step 3 in my previous post today.
You will need Internet Explorer for that.
In the meantime, just copy/paste my posts into Notepad.

Thank you

TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware