How to Remove Searchcompletion/AutocompletePro/Widdit

Post by Danbarr » January 9th, 2012, 12:20 pm

Malware that had infected my computer is starting to take over my search inquiries on nearly every website now. Searchcompletion / AutocompletePRO / Widdit.com (Are they the same?) have somehow buried their nasty heads in my OS. They show up in Firefox 3.6 but not Internet Explorer. The basic problem I am having is that malware detection software won’t pick these viruses up (and they are a virus!). There are no add/remove options and they don’t appear on running processes. I have attempted to detect/disable/remove Searchcompletion / AutocompletePro using the following methods:

1. MalwareBytes
2. Combofix
3. BlockSites (Firefox addon)
4. Process Explorer – SysInternals
5. XP Files or Folders Search
6. Uninstalling/Reinstalling Firefox

Nothing I have tried to date can even detect them let alone remove them. There are websites for Widdit.com and Searchcompletion but as expected they only give you the basic add/remove programs spiel. I have also tried Googling the problem but there are no definitive answers on how to stop the process and remove the registry and dll entries. Any help in removing this malware is most appreciated, as it is becoming a bit more than an annoyance.

DDS Logs posted

Thanks in Advance

Danbarr

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_29
Run by Dan at 10:52:56 on 2012-01-09
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1594 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\UTILITIES\ProcessExplorer\procexp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - c:\program files\crossriderwebapps\Crossrider.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [VTPreset] VTPreset.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMan] SOUNDMAN.EXE
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/s ... wflash.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{1DF931B2-DB56-4E91-BFEA-B866661B8321} : DhcpNameServer = 192.168.15.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dan\application data\mozilla\firefox\profiles\s857xbff.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Premiumplay Codec-C: crossriderapp435@crossrider.com - c:\documents and settings\all users\application data\codeccheck\firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-8-5 13496]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2011-8-15 20512]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-8-24 532224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz135;cpuz135;\??\c:\docume~1\dan\locals~1\temp\cpuz135\cpuz135_x32.sys --> c:\docume~1\dan\locals~1\temp\cpuz135\cpuz135_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-8-27 129808]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2011-4-23 3351]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-08 19:35:40 -------- d-sha-r- C:\cmdcons
2012-01-08 19:34:10 98816 ----a-w- c:\windows\sed.exe
2012-01-08 19:34:10 518144 ----a-w- c:\windows\SWREG.exe
2012-01-08 19:34:10 256000 ----a-w- c:\windows\PEV.exe
2012-01-08 19:34:10 208896 ----a-w- c:\windows\MBR.exe
2011-12-19 00:58:19 -------- d-----w- c:\documents and settings\dan\application data\DDMSettings
.
==================== Find3M ====================
.
2011-12-16 15:45:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-14 15:00:56 90112 ----a-w- c:\windows\DUMP4805.tmp
2011-10-14 14:59:58 90112 ----a-w- c:\windows\DUMP77b0.tmp
2011-10-14 14:54:54 90112 ----a-w- c:\windows\DUMP4759.tmp
2011-10-14 14:53:47 90112 ----a-w- c:\windows\DUMP4640.tmp
2011-10-13 23:29:28 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2011-10-11 15:15:02 6776168 ----a-w- c:\program files\WindowsUpdateAgent30-x86.exe
2011-10-10 18:20:46 2107529 ----a-w- c:\program files\attsetup.exe
2011-09-01 19:12:50 197344 ----a-w- c:\program files\eraser2k.exe
2011-09-01 15:43:05 74066832 ----a-w- c:\program files\msert.exe
2011-08-14 12:55:38 63671296 ----a-w- c:\program files\wwtsetuppenumbra_1.msi
2011-08-14 11:27:14 63671296 ----a-w- c:\program files\wwtsetuppenumbra.msi
2002-04-15 18:48:54 233472 ----a-w- c:\program files\oclean9.dll
2002-04-15 18:48:54 217088 ----a-w- c:\program files\offcln9.exe
.
============= FINISH: 10:53:39.95 ===============



DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/14/2011 11:35:45 AM
System Uptime: 1/9/2012 9:13:01 AM (1 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6390
Processor: AMD Athlon(tm) XP 2600+ | Socket A | 2131/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 64.546 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Lucent Win Modem
Device ID: PCI\VEN_11C1&DEV_044C&SUBSYS_044C11C1&REV_02\3&61AAA01&0&30
Manufacturer: Lucent
Name: Lucent Win Modem
PNP Device ID: PCI\VEN_11C1&DEV_044C&SUBSYS_044C11C1&REV_02\3&61AAA01&0&30
Service: Modem
.
==== System Restore Points ===================
.
RP1: 1/8/2012 2:34:11 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.21beta
AC3Filter 1.63b
Aces High
Ad-Aware
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.0)
Adobe Shockwave Player 11.6
AMD APP SDK Runtime
ATI - Software Uninstall Utility
ATI Display Driver
Belarc Advisor 8.2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Crossrider Web Apps
DH Driver Cleaner Professional Edition
DivX Setup
EASEUS Data Recovery Wizard Free Edition 5.5.1
Gadwin PrintScreen
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 29
Malwarebytes' Anti-Malware version 1.51.1.1800
Media Player Codec Pack 4.0.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox (3.6.25)
MSXML 6 Service Pack 2 (KB973686)
Platform
PokerTH
Ray Adams ATI Tray Tools
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Revo Uninstaller 1.93
S3Display
S3Gamma2
S3Info2
S3Overlay
Sandboxie 3.58 (32-bit)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Windows XP (KB923789)
SIW version 2011.10.29
Skins
Smart Defrag 2
swMSM
System Explorer 3.0.6
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.6195
Veetle TV
VIA Audio Driver Setup Program
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Wise Registry Cleaner 5.9.4
Xvid MPEG-4 Video Codec
ZoneAlarm
.
==== Event Viewer Messages From Past Week ========
.
1/8/2012 2:55:32 PM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2012 2:34:21 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the Cryptographic Services service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2012 2:33:56 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {C49E32C6-BC8B-11D2-85D4-00105A1F8304}
1/8/2012 2:33:45 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
1/8/2012 2:01:11 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
1/8/2012 1:19:15 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/8/2012 1:19:15 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/7/2012 11:42:22 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================
Danbarr
Active Member
 
Posts: 2
Joined: January 9th, 2012, 12:01 pm

Re: How to Remove Searchcompletion/AutocompletePro/Widdit

Post by Danbarr » January 9th, 2012, 9:24 pm

As in all things the simpler the better. I think the answers to my questions lie here. http://deletemalware.blogspot.com/2011/ ... h-and.html.

Can't get much simpler.

Re: How to Remove Searchcompletion/AutocompletePro/Widdit

Post by NonSuch » January 9th, 2012, 10:33 pm

Malware is rarely that simplistic because it usually doesn't travel alone. You likely have more on your computer than what you realize. Unfortunately, as you have replied to your own topic, we must close it.

May I draw your attention to THIS topic, which you should have read before posting for help. THIS is the section that tells you why you should not reply to your own topic.

This topic will now be closed

If you still require help, please open a new thread in the Malware Removal forum, post your DDS logs and wait for assistance.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

