
Infected With 7fasst, Zlobdnschanger, & Possibly Other Browser Hijacker


19 replies to this topic

#1 TheNinjaMDC
  • Members
  • 22 posts
  • Local time:12:35 PM

Posted 06 December 2007 - 08:53 PM

Hello All,
I posted a log a while ago that tried to get rid of 7Fasst & Zlob.DNSChanger. I had thought that it worked, but they're still there and now I have a browser hijacker that changes the webpage every time I click on a link from a search engine (Yahoo, Google, etc).

To see what we tried in the other topic, you can see it here: http://www.bleepingcomputer.com/forums/t/107009/infected-with-7fasst-zlobdnschanger/

I also ran Ad-Aware, Spybot, A-squared Free, & SuperAntiSpyware without any luck. Also ran Housecall, Bit Defender and Panda Anti-virus, which picked up some stuff but didn't get rid of the others.

My HiJackThis log is below.

Should I be worried about "O2 - BHO: dsWebAllowBHO Class" ? That one caught my eye as being out of place. Desktop search was installed while installing my SolidWorks CAD software.

Thanks in advance!
-Mike

---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:56 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\A-Squared Free\a2service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgamsvr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgupsvc.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgcc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ITECIR\RemoteControlService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-Squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ITE Remote Controler service (ITECIRService) - ITE Tech. Inc. - C:\Program Files\ITECIR\RemoteControlService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10627 bytes
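An added example, not code from this thread or from HijackThis: a small parser for lines in the HijackThis v2 log format shown above that sorts entries into the review buckets helpers look at first (O20 AppInit/Winlogon hooks, O23 services with no publisher, unnamed BHOs, O16 downloaded controls, unqualified O4 Run commands, and R0/R1 URLs outside an expected-host set). The sample lines are constructed from entries in the log above; the expected-host set is an assumption, not a verdict on anything in the log.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis v2 log format, mirroring
# entries in the log above. The script only sorts them into review buckets; it
# does not claim any of them is malicious.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every entry line is "<section> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str  # e.g. "O2", "O23"
    body: str     # everything after "O2 - "


@dataset := None  # placeholder removed below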

BC AdBot (Login to Remove)

 


#2 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 23 December 2007 - 08:09 AM

Can you redo this step for me?
http://www.bleepingcomputer.com/forums/ind...st&p=614576
Greets Jürgenv

Donation: Click me.

#3 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 15 January 2008 - 01:03 AM

Ok, Sorry this has taken me so long to get back to you - I just got back in town to my computer.

Here's the log from Fixwareout:

-----------------------------------------------------------
Username "Michael D. Cola" - 01/18/2008 0:40:54 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{37B47DD8-A7A3-4B57-997D-C74E51E33119}
"DhcpNameServer"="85.255.113.139" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"SMSERIAL"="C:\\Program Files\\Motorola\\SMSERIAL\\sm56hlpr.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"BisonHK"="C:\\WINDOWS\\BisonCam\\BisonHK.exe"
"BisonTrayIcon"="C:\\WINDOWS\\BisonCam\\BisonTrayIcon.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVGFRE~1\\AVGANT~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\cfp.exe\" -s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
"Aim6"=""
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#4 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 15 January 2008 - 01:24 AM

After Fixwareout ran, I still noticed that my webpages were diverted to other pages when I click on webpage links or if I mistype a website URL.
When I click on a yahoo search weblink, the page is diverted to "http://results.yahoo.com" that displays a single "Continue" button for a few seconds and then is routed to some other junk spam website. The re-directions occur less, if at all, on google websearches.

For example, I ran a search for AP Racing, and clicked on the link for AP Racing's website, and I was diverted to
"http://www.clckm.com/ap%20racing.cfm?dn=best-result.com&pid=3PO158M27&sp=2&pt=2"

Other re-routed pages include:

http://6127.nosubid.clickshield.net/click/...8FN5UzN3MDMwITM

http://adservices10.enhance.com/cap?e1=ZcZ...HW5NkFPYIXtAdpT

#5 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 15 January 2008 - 01:42 AM

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Greets Jürgenv

Donation: Click me.

#6 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 15 January 2008 - 12:56 PM

OK, I ran Dr.Web Cureit without much result. The contents of the log was a single line as follows:

CTMDEngU.dll;C:\Program Files\Creative\ZENcast Organizer;Adware.BookedSpace.origin;Incurable.Moved.;

Problems still persist.

Please let me know what is next.

Thanks,
-Mike

#7 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 15 January 2008 - 01:12 PM

do you still have redirects with firefox?
Greets Jürgenv

Donation: Click me.

#8 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 15 January 2008 - 01:16 PM

Yes - again, mostly with Yahoo.

Finefinder.net is a common root URL that I see when the redirection occurs.

There are hardly any redirects in Google.

#9 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 15 January 2008 - 03:05 PM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv

Donation: Click me.

#10 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 15 January 2008 - 09:33 PM

Here's the ComboFix log and a new HJT log.

---------------------------------------------------------------------------------

ComboFix 08-01-09.2 - Michael D. Cola 2008-01-15 21:01:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1397 [GMT -5:00]
Running from: C:\Documents and Settings\Michael D. Cola\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-18 02:22 . 2008-01-18 02:22 <DIR> d-------- C:\Documents and Settings\Michael D. Cola\DoctorWeb
2008-01-18 01:06 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-15 21:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 20:22 . 2008-01-10 20:22 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-10 19:04 . 2008-01-10 19:04 <DIR> d-------- C:\My Installations
2008-01-10 19:04 . 1997-11-19 15:31 143,360 --a------ C:\WINDOWS\system32\isdbgi51.dll
2008-01-10 19:04 . 1996-09-17 17:46 0 --a------ C:\WINDOWS\Isdbg.ini
2008-01-10 19:03 . 2008-01-10 19:03 <DIR> d-------- C:\Program Files\InstallShield
2008-01-10 18:51 . 2008-01-10 18:51 288 --a------ C:\WINDOWS\ODBC.INI
2008-01-10 18:51 . 2008-01-10 19:37 185 --a------ C:\WINDOWS\mdm.ini
2008-01-10 18:49 . 2008-01-10 18:49 <DIR> d-------- C:\Program Files\Web Publish
2008-01-08 20:58 . 2008-01-16 00:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 20:58 . 2008-01-08 20:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-08 01:49 . 2008-01-08 01:49 <DIR> d-------- C:\Program Files\QuickTime
2008-01-08 01:49 . 2008-01-08 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-08 01:48 . 2008-01-08 01:48 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-08 01:48 . 2008-01-08 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-08 01:32 . 2004-02-22 16:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-01-08 01:32 . 2005-10-29 00:44 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-01-08 01:31 . 2008-01-08 01:52 <DIR> d-------- C:\Program Files\Ultra Video To iPod Converter
2008-01-07 02:11 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-07 02:11 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-07 02:10 . 2008-01-07 02:12 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-01-07 02:10 . 2008-01-07 02:10 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-07 01:20 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2007-12-18 09:47 . 2007-12-18 09:47 <DIR> d-------- C:\Documents and Settings\Michael D. Cola\Application Data\Snapfish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 06:06 155,995 ----a-w C:\WINDOWS\java\Packages\RVDZ33XZ.ZIP
2008-01-15 20:10 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\SolidWorks
2008-01-15 20:00 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\AVG7
2008-01-12 17:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 14:54 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\AdobeUM
2008-01-07 21:16 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\Creative
2008-01-07 07:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 07:11 --------- d-----w C:\Program Files\Creative
2008-01-05 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-15 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 17:40 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\uTorrent
2007-12-05 15:03 37,027 ----a-w C:\WINDOWS\atmoUn.exe
2007-12-05 07:03 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-05 07:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-05 06:47 --------- d-----w C:\Program Files\Pi Toolbox
2007-12-05 06:47 --------- d-----w C:\Program Files\Pi Data Access Objects
2007-12-05 06:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-05 06:41 --------- d-----w C:\Program Files\ITECIR
2007-12-05 06:35 --------- d-----w C:\Program Files\A-Squared Free
2007-12-04 08:12 --------- d-----w C:\Program Files\uTorrent
2007-12-03 04:18 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-24 17:49 --------- d-----w C:\Program Files\BitPim
2007-11-24 17:38 --------- d-----w C:\Program Files\LG Electronics
2007-11-24 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-24 16:18 79,096 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-11-24 16:18 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-11-24 16:18 139,008 ----a-w C:\WINDOWS\system32\guard32.dll.vir
2007-11-24 16:18 --------- d-----w C:\Program Files\Comodo
2007-11-24 16:18 --------- d-----w C:\Documents and Settings\Michael D. Cola\Application Data\Comodo
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
<pre>
----a-w		 6,890,528 2007-10-19 13:40:00  C:\Documents and Settings\Michael D. Cola\My Documents\Program Install Files\NVU (1.0 Installer) .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 20:05 143360]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 13:32 700416]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-04 05:34 7700480]
"nwiz"="nwiz.exe" [2007-04-04 05:34 1622016 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 05:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 20:55 815104]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 13:24 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 13:22 970752]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 03:31 630784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 17:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 00:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"BisonHK"="C:\WINDOWS\BisonCam\BisonHK.exe" [2006-11-27 13:25 73728]
"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon.exe" [2005-09-05 18:51 45056]
"AVG7_CC"="C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgcc.exe" [2008-01-04 09:57 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-11-24 11:18 1481984]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe" [2007-10-28 23:15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-21 11:57:52]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-04 23:29:42]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-11-24 11:18]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-11-24 11:18]
R2 ITECIRService;ITE Remote Controler service;C:\Program Files\ITECIR\RemoteControlService.exe [2006-12-15 13:59]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe" [2007-04-02 10:38]
R3 ITECIR;ITE EC CIR Driver (PMC);C:\WINDOWS\system32\DRIVERS\ITECIR.sys [2006-12-28 20:24]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2005-06-14 07:22]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2005-06-14 07:22]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2005-06-14 07:22]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 20:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 21:17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-15 21:18:06
.
2008-01-18 06:06:58 --- E O F ---

--------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:10 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\A-Squared Free\a2service.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgamsvr.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ITECIR\RemoteControlService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://delivery1.corvettemuseum.com/active...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-Squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\AVGANT~1\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ITE Remote Controler service (ITECIRService) - ITE Tech. Inc. - C:\Program Files\ITECIR\RemoteControlService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 12027 bytes

#11 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:35 PM

Posted 15 January 2008 - 09:41 PM

Just tried another search - same problems. Thanks again for your help.

#12 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 16 January 2008 - 10:24 AM

Go to http://www.virustotal.com/nl/ and upload the following file:

C:\WINDOWS\atmoUn.exe

Post the results here.
Greets Jürgenv

Donation: Click me.

#13 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:35 PM

Posted 16 January 2008 - 11:45 AM

Here it is:

MD5: e0b430876f3b60cc10bb98936a23e7fa
Date: 06.12.2007 11:30:34 (CET) [>218D]
Results: 1/30
Permalink: analisis/f351da7e5df5daa3c972953d01945986

---------------------------

File atmoUn.exe received on 01.16.2008 17:34:44 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.11 2008.01.16 -
AntiVir 7.6.0.48 2008.01.16 -
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.16 -
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.16 -
DrWeb 4.44.0.09170 2008.01.16 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5462 2008.01.16 -
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.15 -
F-Secure 6.70.13260.0 2008.01.16 -
Ikarus T3.1.1.20 2008.01.16 -
Kaspersky 7.0.0.125 2008.01.16 -
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.16 -
NOD32v2 2798 2008.01.16 -
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 -
Prevx1 V2 2008.01.16 -
Rising 20.27.22.00 2008.01.16 -
Sophos 4.24.0 2008.01.16 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.16 -
TheHacker 6.2.9.188 2008.01.16 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.16 -
Webwasher-Gateway 6.6.2 2008.01.16 -

Additional information
File size: 37027 bytes
MD5: e0b430876f3b60cc10bb98936a23e7fa
SHA1: c59dc247a35d6d57c941f39045d91abb9a5d1dbc
PEiD: Nullsoft Install System v1.98

#14 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:35 PM

Posted 16 January 2008 - 11:51 AM

Perform a full system scan with AVG in safe mode. :thumbsup:
Greets Jürgenv

Donation: Click me.

#15 TheNinjaMDC

TheNinjaMDC
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:35 PM

Posted 16 January 2008 - 07:17 PM

Jurgenv,
I ran the AVG scan in safe mode and nothing came up. Results are below.

However, seeing that nothing has picked anything up, I started to wonder whether Yahoo was just hacked and causing problems, since Google is working fine. I happened to mention something to one of my roommates and he said that he is having the exact same problem with his personal laptop (Yahoo redirects but Google does not). :thumbsup: Is it possible that something in our wireless setup is hijacked (4 of us are sharing a Netgear wireless router connection w/ WPA-Personal encryption that I set up), or could it go further back to our ISP?

This also caused me to realize that this has only occurred since my move from my hometown of Cleveland, Ohio. None of us had problems with Yahoo before we lived in this apartment complex.

Any ideas?

-Mike

---------------------------------------

General properties
Report name Complete Test
Start time 1/16/2008 12:07
End time 1/16/2008 3:52:16 PM (total: 3:44:40.3 hrs)
Launch method Scanning launched manually
Scanning result No threats found
Report status Scanning completed successfully

Object summary
Scanned 294554
Threats Found 0
Cleaned 0
Moved to vault 0
Deleted 0
Errors 0
C:\WINDOWS\system32\shell32.dll Change Changed
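The question raised in post #15 (the same Yahoo redirect on two machines behind one shared router, while per-machine scanners find nothing) is what a resolver-level hijack looks like from the inside: either the PC's DNS servers were changed, or the router's were and it hands them out over DHCP. The script below is an added diagnostic for that question; it is not from the thread, not part of any tool mentioned in it, and every function name, the sample `ipconfig /all` text and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders. It parses the configured DNS servers, labels each one as the router, another LAN address or an external address, and flags search hostnames that all resolve to one shared address, which is the usual footprint of a redirecting resolver.

```python
import ipaddress
import re
import socket
from typing import Dict, List, Set

# Constructed sample of Windows XP `ipconfig /all` output (not from the thread).
# 203.0.113.7 is a documentation-range placeholder standing in for a resolver
# the user never configured.
SAMPLE_IPCONFIG = """\
Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.7
"""

# Constructed sample of what the system resolver answered for three search
# sites; two unrelated hosts sharing one address is the pattern to look for.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "www.yahoo.com": {"203.0.113.9"},
    "www.google.com": {"198.51.100.4"},
    "www.bing.com": {"203.0.113.9"},
}

DNS_SERVERS_RE = re.compile(r"DNS Servers[ .]*: *(\S+)")
GATEWAY_RE = re.compile(r"Default Gateway[ .]*: *(\S+)")
CONTINUATION_RE = re.compile(r"^\s{30,}(\d{1,3}(?:\.\d{1,3}){3})\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dns_servers(ipconfig_text: str) -> List[str]:
    """Return the configured resolvers. XP prints the first one on the
    'DNS Servers' line and any others indented on the lines that follow."""
    servers: List[str] = []
    in_block = False
    for line in ipconfig_text.splitlines():
        m = DNS_SERVERS_RE.search(line)
        if m:
            servers.append(m.group(1))
            in_block = True
            continue
        if in_block:
            c = CONTINUATION_RE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_block = False
    return servers


def parse_gateway(ipconfig_text: str) -> str:
    m = GATEWAY_RE.search(ipconfig_text)
    return m.group(1) if m else ""


def label_resolvers(servers: List[str], gateway: str) -> Dict[str, str]:
    """'router' = the default gateway (normal on a home LAN), 'lan' = another
    RFC 1918 address, 'external' = anything else. An external resolver nobody
    chose is the DNSChanger footprint, whether set on the PC or pushed by DHCP."""
    labels: Dict[str, str] = {}
    for s in servers:
        ip = ipaddress.ip_address(s)
        if s == gateway:
            labels[s] = "router"
        elif any(ip in net for net in RFC1918):
            labels[s] = "lan"
        else:
            labels[s] = "external"
    return labels


def find_shared_answers(answers: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each address to the hostnames that resolved to it and keep only the
    addresses shared by two or more hosts: a redirecting resolver tends to
    point several unrelated search sites at one proxy address."""
    by_ip: Dict[str, List[str]] = {}
    for host, ips in answers.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def live_lookup(hostnames: List[str]) -> Dict[str, Set[str]]:
    """Ask the system resolver; this is the only network-touching step."""
    out: Dict[str, Set[str]] = {}
    for h in hostnames:
        try:
            out[h] = set(socket.gethostbyname_ex(h)[2])
        except socket.gaierror:
            out[h] = set()
    return out


if __name__ == "__main__":
    # Offline run on the constructed samples. For a real check, paste the
    # machine's own `ipconfig /all` output and use live_lookup([...]) instead.
    servers = parse_dns_servers(SAMPLE_IPCONFIG)
    print("resolvers:", label_resolvers(servers, parse_gateway(SAMPLE_IPCONFIG)))
    print("shared answers:", find_shared_answers(SAMPLE_ANSWERS))
```

Run it on each machine behind the router. If the resolver labels show an external address none of you configured, or the shared-answer check shows several search sites landing on one address, the problem is in the resolver path rather than on the sites, and the router's own DNS/WAN settings are the next thing to inspect; a divergent answer on a single host is only a lead, since large sites legitimately return different addresses from different resolvers.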



