Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Browser Redirect Problem


  • This topic is locked This topic is locked
2 replies to this topic

#1 Chuck B

Chuck B

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 15 April 2008 - 11:11 AM

Hello,

My browser is out of my control. I am being redirected to sites that include these ips: 64.5.219.20 and 67.29.139.220. I have tried everything on my own to learn how to remove this problem with no luck. I would greatly appreciate your help with this. I run a full scan of Norton Corporate every day...it found nothing. What is going on? Thanks in advance.

Chuck



Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-04-15 11:56:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:16 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Fawkes Engineering\AccuRIP\RipCore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUA.EXE
C:\Program Files\Novosoft\Handy Backup\hbagent.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\DOCUME~1\HP_ADM~1\Desktop\HJT\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {37A635F9-2DFC-4BA5-8AAB-882563A063B5} - C:\WINDOWS\system32\dmusicn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: radioskipper Toolbar - {29b060db-a1a0-429f-bbc9-199cd9ae5d56} - C:\Program Files\radioskipper\tbrad1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo 1400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUA.EXE /FU "C:\WINDOWS\TEMP\E_S1C01.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
O4 - HKUS\S-1-5-21-3374478975-3497621478-403786902-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: msupd64887.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001000AF-2DEF-0209-10B6-DC5BA692C858} (Antx Class) - http://site.x10.com/cabs/antx.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) -
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) -
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://f5-vpn.nextestate.com/vdesk/termina...=5420,0,50412,1
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D84C4D49-A63A-4432-B319-718ECA705773} - https://f5-vpn.nextestate.com/policy/downlo...=5400,0,41115,1
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: RipCore - Unknown owner - C:\Program Files\Fawkes Engineering\AccuRIP\RipCore.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 11661 bytes

-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 10:07:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 10:07:21 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 10:07:20 0 d-------- C:\WINDOWS\LastGood
2008-04-11 14:28:04 0 d-------- C:\Program Files\EPSON Print CD
2008-04-11 14:27:35 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-04-11 14:27:08 73220 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-04-11 14:27:08 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-04-11 14:27:08 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-04-11 14:27:08 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-04-11 14:27:08 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-04-11 14:27:08 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-04-11 14:27:08 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-04-11 14:27:08 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-04-11 14:27:08 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-04-11 14:27:08 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-04-11 14:27:08 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-04-11 14:27:08 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-04-11 14:27:08 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-04-11 14:27:08 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-04-11 14:27:08 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-04-11 14:27:05 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\InstallShield
2008-04-11 14:26:32 0 d-------- C:\Program Files\EPSON
2008-04-10 15:16:03 0 d-------- C:\WINDOWS\system32\AppCert
2008-04-10 15:15:59 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-04-10 15:15:52 11264 --a------ C:\WINDOWS\system32\shutdownf.exe
2008-04-10 15:15:05 88064 --a------ C:\WINDOWS\system32\dmusicn.dll
2008-04-10 08:52:07 0 d-------- C:\dev
2008-04-10 08:52:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Fawkes
2008-04-10 08:51:52 0 d-------- C:\Program Files\Fawkes Engineering
2008-03-31 16:19:58 0 d-------- C:\Program Files\MioNetApplet
2008-03-31 16:19:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Sun
2008-03-27 15:11:46 0 d-------- C:\Program Files\Skipjack
2008-03-25 10:15:43 0 d-------- C:\Program Files\Microsoft Analysis Services
2008-03-25 10:15:37 0 d-------- C:\Program Files\Microsoft SQL Server
2008-03-24 15:37:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-21 11:55:52 0 d-------- C:\WINDOWS\A5W_DATA


-- Find3M Report ---------------------------------------------------------------

2008-04-15 11:56:16 0 d-------- C:\Program Files\MioNet
2008-04-15 10:32:18 0 d-------- C:\Program Files\NavNT
2008-04-15 06:20:17 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Hamachi
2008-04-11 16:25:50 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-04-11 14:28:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 10:10:04 0 d-------- C:\Program Files\Java
2008-03-25 10:14:31 0 d-------- C:\Program Files\Common Files
2008-03-11 10:00:30 0 d-------- C:\Program Files\CrossLoop


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A635F9-2DFC-4BA5-8AAB-882563A063B5}]
08/10/2004 03:00 PM 88064 --a------ C:\WINDOWS\system32\dmusicn.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{29B060DB-A1A0-429F-BBC9-199CD9AE5D56}"= C:\Program Files\radioskipper\tbrad1.dll [07/24/2006 04:35 PM 994384]

[-HKEY_CLASSES_ROOT\CLSID\{29B060DB-A1A0-429F-BBC9-199CD9AE5D56}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/02/2005 02:35 AM]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 01:34 AM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [05/12/2005 09:12 AM]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [06/08/2005 06:32 PM]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 08:59 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/10/2005 08:02 PM]
"@"="" []
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [12/16/2002 05:51 PM]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [03/31/2003 08:28 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NA1Messenger"="C:\UPS\WSTD\UPSNA1Msgr.exe" [12/13/2007 04:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM]
"EPSON Stylus Photo 1400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUA.exe" [10/11/2006 04:01 AM]
"Handy Backup 4.0"="C:\Program Files\Novosoft\Handy Backup\hbagent.exe" [11/23/2005 07:52 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2/1/2006 12:07:05 PM]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/20/2005 1:19:41 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/20/2005 1:19:41 PM]
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [3/7/2007 10:42:05 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 9:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]
msupd64887.exe [4/10/2008 3:14:52 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/6/2007 8:40:54 PM]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\WSTDMessaging.exe [12/13/2007 4:55:54 PM]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [12/12/2007 10:05:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 12/06/2005 04:47 PM 10848 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ckr01.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7baae10e-569e-11da-b191-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0608d7d-311f-11dc-b212-0013d35a2889}]
AutoRun\command- L:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-15 11:56:33 ------------

BC AdBot (Login to Remove)

 


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 18 April 2008 - 04:10 PM

Hi

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O2 - BHO: (no name) - {37A635F9-2DFC-4BA5-8AAB-882563A063B5} - C:\WINDOWS\system32\dmusicn.dll

O4 - Global Startup: msupd64887.exe


THEN ...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode`:-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 22 June 2008 - 04:44 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users