
DNS Redirect & False Virus Detection (maybe)

June 8, 2010 at 09:45:23
Specs: Microsoft Windows XP Home Edition SP3, 1.60GHz / .99GB

Computer listed is not correct, Dell Vostro 1500 laptop

Son home from college and brought us a gift. He said his virus software wasn't updating (since Feb), and he was having problems with being redirected to random ad pages when using a search engine. Also had false "Virus Found" warnings popping up directing him to a page to purchase software. This has now spread to two other PCs on the network and I'm stuck and looking for help.

Here's what I've done and where things stand as of now. After the last reboot I can no longer access the internet from the PC. Connects to wireless but can't acquire a network address. Tried repair but that failed too.

Initially couldn't update the existing anti-virus or load anything new. Was able to get to the Microsoft web page and run their on-line tool. It found several items and cleaned the system. No log file or ability to cut and paste that window, so no history. After that, still having the redirect issue, but the false "Virus Found" seemed to be gone. Updated SUPERAntiSpyware and ran it. More items found and quarantined. Still having the redirect issue. Loaded and ran Malwarebytes, more items found and removed. After reboot can't access the internet, so not sure where I'm at now.

Also, at the suggestion of my wife's PC friend at work, I checked the following file and removed what were described as extra entries.

c:\windows\system32\drivers\etc\hosts
127.0.0.1 local host (no edit, left)
::1 local host (removed)
91.212.127.226 osguard-pro.com.microsoft.com (removed)
91.212.127.226 osguard-pro.com (removed)
91.212.127.226 www.osguard-pro.com

Frustrated, hope someone can help




#1
June 8, 2010 at 12:28:14

Try using Combo Fix found here: http://www.bleepingcomputer.com/com...

And WinSock Fix found here to fix your internet connection: http://majorgeeks.com/WinSock_XP_Fi...

(Which is what saved me when I too was DNS Hijacked last year).

Let me know if it helps!



#2
June 8, 2010 at 14:27:50

Update, getting worse. Downloaded both applications on this PC (work laptop, not infected) and saved them on a thumb drive. Ran WinSock Fix and after reboot I'm now getting a new error: "Generic Host Process for Win32 Services has encountered a problem and needs to close." Still can't get a network address on wireless, and tried wired with the same issue. Connects but no network address.

Moving on to ComboFix. As mentioned, saved it to the thumb drive, and on the infected PC I copied it from the thumb drive to a desktop folder. Turned off the Windows firewall and antivirus software and closed all applications. Clicked on the ComboFix icon on the desktop and I get a small gray box labeled ComboFix with a progress indicator. The progress indicator fills the box right to left until full and then nothing. It's been sitting in this state for 20+ minutes. I haven't moved the mouse or touched anything on the PC since I clicked the application.



#3
June 8, 2010 at 14:38:21

Patience is a virtue, one I'm very short of right now, but anyway. I left ComboFix in the state described in the last post and now it's running. Further update when complete.


#4
June 8, 2010 at 15:54:44

Log from ComboFix. Still can't get a network address, so not sure if I've removed the redirect virus or not.

Suggestions?

ComboFix 10-06-08.02 - Home Laptop 06/08/2010 17:51:45.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.705 [GMT -4:00]
Running from: c:\documents and settings\Home Laptop\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\.TemporaryItems\_desktop.ini
c:\documents and settings\All Users\Documents\.TemporaryItems\folders.501\_desktop.ini
c:\documents and settings\All Users\Documents\.Trashes\501\Recovered files\_desktop.ini
c:\documents and settings\All Users\Documents\My Pictures\_desktop.ini
c:\documents and settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini
c:\documents and settings\All Users\Documents\My Videos\_desktop.ini
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.url
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and Conditions.url
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Uninstall.lnk
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.url
c:\documents and settings\Home Laptop\Application Data\inst.exe
c:\documents and settings\Home Laptop\Local Settings\Application Data\ysiqo_navfx.dat
c:\program files\Shared

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 19:33 . 2010-06-08 19:33 -------- d-----w- C:\ERDNT
2010-06-08 12:02 . 2010-06-08 12:02 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\Malwarebytes
2010-06-08 07:32 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-08 00:07 . 2010-06-08 03:47 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-07 22:09 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 22:09 . 2010-06-07 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-07 22:09 . 2010-06-07 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-07 22:09 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 03:58 . 2010-06-08 14:02 -------- d-----w- c:\documents and settings\Home Laptop\Local Settings\Application Data\tbobyuxxe
2010-05-13 21:18 . 2010-05-13 21:18 -------- d-----w- C:\spoolerlogs
2010-05-12 03:20 . 2010-05-12 03:20 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\Media Player Classic
2010-05-11 17:02 . 2004-08-04 10:00 18944 ----a-w- c:\windows\system32\simptcp.dll
2010-05-11 17:02 . 2004-08-04 10:00 18944 ----a-w- c:\windows\system32\dllcache\simptcp.dll
2010-05-11 16:47 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 12:03 . 2009-10-23 13:30 117760 ----a-w- c:\documents and settings\Home Laptop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-07 22:35 . 2009-10-23 02:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-06-07 22:35 . 2009-10-23 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-06-07 12:22 . 2010-01-02 22:05 -------- d-----w- c:\program files\PeerBlock
2010-06-07 12:22 . 2009-12-07 01:21 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\BitTorrent
2010-06-06 23:08 . 2010-01-09 23:58 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\vlc
2010-05-16 21:58 . 2010-01-02 22:30 -------- d-----w- c:\program files\PcWinTech
2010-05-12 03:22 . 2009-12-07 15:09 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\DivX
2010-05-11 16:44 . 2009-10-23 13:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-29 05:51 . 2010-04-29 05:51 0 ----a-w- c:\windows\system32\SBRC.dat
2010-04-29 05:16 . 2010-04-29 05:16 -------- d-----w- c:\program files\Sunbelt Software
2010-04-20 16:36 . 2010-04-20 16:36 503808 ----a-w- c:\documents and settings\Home Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-383ea9aa-n\msvcp71.dll
2010-04-20 16:36 . 2010-04-20 16:36 499712 ----a-w- c:\documents and settings\Home Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-383ea9aa-n\jmc.dll
2010-04-20 16:36 . 2010-04-20 16:36 348160 ----a-w- c:\documents and settings\Home Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-383ea9aa-n\msvcr71.dll
2010-04-20 16:35 . 2010-04-20 16:35 61440 ----a-w- c:\documents and settings\Home Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b2e5439-n\decora-sse.dll
2010-04-20 16:35 . 2010-04-20 16:35 12800 ----a-w- c:\documents and settings\Home Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b2e5439-n\decora-d3d.dll
2010-04-20 16:33 . 2009-02-21 02:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-20 16:08 . 2008-08-22 15:23 -------- d-----w- c:\program files\JExamStudent3
2010-04-20 16:08 . 2009-12-07 12:34 -------- d-----w- c:\program files\DivX
2010-04-20 16:04 . 2007-08-08 08:43 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 06:25 . 2010-04-17 06:23 -------- d-----w- c:\program files\The Rosetta Stone
2010-04-17 06:21 . 2010-04-17 04:44 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\ImgBurn
2010-04-17 03:51 . 2010-04-17 03:51 -------- d-----w- c:\program files\ImgBurn
2010-04-17 03:51 . 2010-04-17 03:50 -------- d-----w- c:\program files\Ask.com
2010-04-16 23:28 . 2007-08-08 08:43 -------- d-----w- c:\program files\Java
2010-04-16 23:09 . 2007-08-26 21:45 -------- d-----w- c:\program files\PokerStars.NET
2010-04-16 23:07 . 2007-08-08 08:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 23:07 . 2007-08-08 08:46 -------- d-----w- c:\program files\Dell
2010-04-16 23:07 . 2007-08-08 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-04-16 22:57 . 2010-01-10 15:56 -------- d-----w- c:\documents and settings\Home Laptop\Application Data\Vso
2010-04-16 22:57 . 2010-01-10 15:56 47360 ----a-w- c:\documents and settings\Home Laptop\Application Data\pcouffin.sys
2010-04-16 22:57 . 2010-01-10 15:56 47360 ----a-w- c:\documents and settings\Home Laptop\Application Data\pcouffin.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
"{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}"= "c:\program files\PcWinTech\tbPcW1.dll" [2010-05-16 2515552]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}]
2010-05-16 21:58 2515552 ----a-w- c:\program files\PcWinTech\tbPcW1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}"= "c:\program files\PcWinTech\tbPcW1.dll" [2010-05-16 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6FC6FE49-C1EA-4CC0-BFE8-ACB42ADC059E}"= "c:\program files\PcWinTech\tbPcW1.dll" [2010-05-16 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{6fc6fe49-c1ea-4cc0-bfe8-acb42adc059e}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-10 2002160]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-7-30 36864]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-8 50688]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-7-30 36864]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"35452:TCP"= 35452:TCP:SPF Port 35452 TCP
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 10:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 74480]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 7408]
S1 fxwqenun;fxwqenun;\??\c:\windows\system32\drivers\fxwqenun.sys --> c:\windows\system32\drivers\fxwqenun.sys [?]
S1 jlsgzpxe;jlsgzpxe;\??\c:\windows\system32\drivers\jlsgzpxe.sys --> c:\windows\system32\drivers\jlsgzpxe.sys [?]
S2 mrtRate;mrtRate; [x]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [12/22/2007 2:37 PM 34639]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.catt.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxps://my.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
FF - ProfilePath - c:\documents and settings\Home Laptop\Application Data\Mozilla\Firefox\Profiles\ytos9r8h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.catt.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=IMB&o=15781&locale=en_US&q=
FF - component: c:\program files\BitDefender\BitDefender 2010\bdaphffext\components\bdaphff2.dll
FF - component: c:\program files\BitDefender\BitDefender 2010\bdaphffext\components\bdaphff3.6.dll
FF - component: c:\program files\BitDefender\BitDefender 2010\bdaphffext\components\bdaphff3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-WeatherWatcherLive - c:\program files\Weather Watcher Live\ww.exe
SharedTaskScheduler-{00ca2394-2798-48ff-863e-463edb316704} - c:\windows\system32\vulakiye.dll
SSODL-duwiyarel-{00ca2394-2798-48ff-863e-463edb316704} - c:\windows\system32\vulakiye.dll
AddRemove-vksiq - c:\documents and settings\home laptop\local settings\application data\vksiq.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
@DACL=(02 0000)
"LLInterface"="WANARP"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{2810EB22-763D-4D0C-9450-64BBD1758685}\00Tcpip\\Parameters\\Interfaces\\{531D3D38-B38F-4A40-9052-52EFBA55506B}\00\00"
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:22,eb,10,28,3d,76,0c,4d,94,50,64,bb,d1,75,86,85,38,3d,1d,53,
8f,b3,40,4a,90,52,52,ef,ba,55,50,6b

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{1F2FDFD7-D690-44CC-A023-154A802CC03E}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{1F2FDFD7-D690-44CC-A023-154A802CC03E}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6F3CCBF9-6AEB-4E95-A721-BDC4D70FE81B}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6F3CCBF9-6AEB-4E95-A721-BDC4D70FE81B}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{DB6F9624-C2F5-46D6-9ECB-68207F1F618B}]
@DACL=(02 0000)
"LLInterface"="ARP1394"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{DB6F9624-C2F5-46D6-9ECB-68207F1F618B}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{EC1B29F8-D5FF-445E-93A9-864570968740}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{EC1B29F8-D5FF-445E-93A9-864570968740}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1F2FDFD7-D690-44CC-A023-154A802CC03E}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.1"
"Lease"=dword:00015180
"LeaseObtainedTime"=dword:4c0e3106
"T1"=dword:4c0ed9c6
"T2"=dword:4c0f5856
"LeaseTerminatesTime"=dword:4c0f8286
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:1768bbb7
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpIPAddress"="192.168.1.109"
"DhcpSubnetMask"="255.255.255.0"
"DhcpDomain"="lan"
"DhcpNameServer"="213.109.64.5 213.109.72.21 172.16.1.1"
"DhcpDefaultGateway"=multi:"192.168.1.1\00\00"
"DhcpSubnetMaskOpt"=multi:"255.255.255.0\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2810EB22-763D-4D0C-9450-64BBD1758685}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{531D3D38-B38F-4A40-9052-52EFBA55506B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F3CCBF9-6AEB-4E95-A721-BDC4D70FE81B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"0x00000004\00\00"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C0F1A0A3-3FD2-4C60-81E0-E16FC41AA8BE}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DB6F9624-C2F5-46D6-9ECB-68207F1F618B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DF6A5038-EFED-4930-B556-C40FF4C77306}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EC1B29F8-D5FF-445E-93A9-864570968740}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="169.254.23.238"
"DhcpSubnetMask"="255.255.0.0"
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000000
"LeaseObtainedTime"=dword:49e90c7f
"T1"=dword:49e90c7f
"T2"=dword:49e90c7f
"LeaseTerminatesTime"=dword:7fffffff
"IPAutoconfigurationAddress"="169.254.23.238"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000001
"IsServerNapAware"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FA3E55B3-83A6-4121-9095-F5516E059ACE}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4428)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-06-08 18:32:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-08 22:32

Pre-Run: 125,681,541,120 bytes free
Post-Run: 129,368,821,760 bytes free

- - End Of File - - FE79B9C269E6C46576E01621AD2C559D
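A defender's audit of the two DNS-related artifacts this thread shows, written here as an added example (it is not code from the original posts or from ComboFix, SUPERAntiSpyware or any other tool named in the thread). The sample inputs are constructed from the hosts entries in the opening post and from the DhcpNameServer values in the log above; the 192.168.1.0/24 LAN is an assumption taken from the DhcpIPAddress and DhcpSubnetMask values in that log.

```python
import ipaddress
import re

# Constructed sample: the hosts entries quoted in the opening post, written as a
# real hosts file holds them ("local host" in the post is taken to be "localhost").
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
91.212.127.226  osguard-pro.com.microsoft.com
91.212.127.226  osguard-pro.com
91.212.127.226  www.osguard-pro.com
"""

# Constructed sample: the wireless interface values from the ComboFix log above.
SAMPLE_REG = r'''
"DhcpServer"="192.168.1.1"
"DhcpIPAddress"="192.168.1.109"
"DhcpSubnetMask"="255.255.255.0"
"DhcpNameServer"="213.109.64.5 213.109.72.21 172.16.1.1"
"DhcpDefaultGateway"=multi:"192.168.1.1\00\00"
'''

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: from DhcpIPAddress/DhcpSubnetMask


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not an address
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Flag every hostname pinned to something other than loopback.

    Returns (hostname, ip, reason) tuples. On a home PC the only expected lines
    map localhost to 127.0.0.1 / ::1; any other line overrides DNS for that name.
    One address collecting several names, as with 91.212.127.226 in the post,
    is the usual shape of a hijack, so the count is included in the reason.
    """
    entries = parse_hosts(text)
    per_ip = {}
    for ip, _ in entries:
        per_ip[ip] = per_ip.get(ip, 0) + 1
    findings = []
    for ip, name in entries:
        if ip in LOOPBACK:
            continue
        reason = ("public address overrides DNS for this name" if ip.is_global
                  else "non-loopback private address overrides DNS for this name")
        if per_ip[ip] > 1:
            reason += f" ({per_ip[ip]} names share {ip})"
        findings.append((name, str(ip), reason))
    return findings


def dhcp_name_servers(reg_text):
    """Pull the DhcpNameServer list out of registry-export style text."""
    m = re.search(r'"DhcpNameServer"="([^"]*)"', reg_text)
    return [ipaddress.ip_address(tok) for tok in m.group(1).split()] if m else []


def classify_resolvers(reg_text, lan):
    """Label each DHCP-assigned resolver relative to the subnet it was issued on.

    'lan'      the router or another host on the local subnet
    'private'  RFC 1918 address that is not on this subnet (odd on a home LAN)
    'public'   Internet address; normal only when the router hands out ISP DNS,
               so confirm it against the router's own DNS settings before acting
    """
    labels = []
    for ip in dhcp_name_servers(reg_text):
        if ip in lan:
            labels.append((str(ip), "lan"))
        elif ip.is_private:
            labels.append((str(ip), "private"))
        else:
            labels.append((str(ip), "public"))
    return labels


if __name__ == "__main__":
    for name, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}: {why}")
    for ip, label in classify_resolvers(SAMPLE_REG, LAN):
        print(f"resolver {ip}: {label}")
```

A resolver labelled public is a lead, not a verdict: compare it with what the router itself is configured to hand out, since an infected machine can also have the router's DNS settings changed on it.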



#5
June 9, 2010 at 16:19:45

Try downloading this patch here: http://support.microsoft.com/?kbid=... for Windows XP 32-bit, which might fix the Generic Host Process error.

Or try this: http://hubpages.com/hub/How-to-Fix-...




#6
June 9, 2010 at 16:52:51

Repair the Windows LSP. After doing that, download the latest antivirus software, such as Kaspersky Internet Security 2011, from another PC and copy it to the infected PC. Run a deep scan in Safe Mode. Good luck!


#7
June 9, 2010 at 17:04:22

Try scanning with Hitman Pro 3.5, found here: http://download.cnet.com/Hitman-Pro...

or this tool (download the one that says TDSS): http://support.kaspersky.com/viruse...

