Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Browser Has Been Hijacked And Registry Files Compromised


  • This topic is locked This topic is locked
39 replies to this topic

#1 korniceman3000

korniceman3000

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 23 April 2008 - 03:18 PM

Hi,

I recently experienced some problems with my IE browser. Everytime I open a link in Yahoo or Google, i get redirected to a different page. I have run avg, adaware, and spy bot S & D but the problem still remains. Both AVG and Adaware find no viruses and Spybot claims to have fixed and removed the Zlob dns trojan. Sometimes, I get a pop-up message that task manager claims is from crss.exe stating that I have registry problems and I should visit a webpage called registryfix.com or something similar. I also discovered that the radio dialog button for "show all hidden files and folders" is missing in the folder options menu. Furthermore, AVG states that windows\system32\drivers\etc\hosts has a status change. Windows explorer also periodically shuts down due to an unexpected error and everytime I insert my flashdrive into the USB port, my desktop shutsdown and restarts...

I ran Hijackthis and discovered 2 log entries that I don't recognize and I suspect they may be part of the problem but since i am not a computer expert, i am afraid to make any changes

Can you please help me with this dilemma. Your help is greatly appreciated. Below is the Dekkard Log Scan for your perusal.

Thank you for your time.
Ice



Deckard's System Scanner v20071014.68
Run by Justin Tak-Lee Leung on 2008-04-23 15:47:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
32: 2008-04-23 17:22:19 UTC - RP366 - Deckard's System Scanner Restore Point
31: 2008-04-23 07:42:27 UTC - RP365 - Spybot-S&D Spyware removal
30: 2008-04-23 03:00:22 UTC - RP364 - Spybot-S&D Spyware removal
29: 2008-04-22 07:42:19 UTC - RP363 - Spybot-S&D Spyware removal
28: 2008-04-21 07:41:43 UTC - RP362 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2008-03-29 02:14:35 UTC - RP335 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).
System Drive C: has 7.05 GiB (less than 15%) free.


-- HijackThis (run as Justin Tak-Lee Leung.exe) --------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-23 16:03:24
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Downloads\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3AAAAFB-FD33-4314-BF81-B21DAF304585} - C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Remove] "C:\Program Files\Remove on Reboot\Remove.exe" "C:\PROGRA~1\eMule\Incoming\_-_THE~1.AVI"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: hggfgff - C:\WINDOWS\System32\hggfgff.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.Exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


--
End of file - 8887 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\JUSTIN~1\Desktop\backups\) ------------

backup-20071118-151302-314 O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
backup-20071118-151303-850 O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
backup-20071119-133221-333 O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
backup-20071119-144806-218 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20071119-144806-248 O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - C:\WINDOWS\System32\hggfgff.dll (file missing)
backup-20071119-144806-823 O4 - HKLM\..\Run: [6D766F76717A7477] CCD5CED5D0D9D3.exe
backup-20071119-144806-856 O2 - BHO: (no name) - {5EBAFF9F-FF25-4BEF-ADB4-96579001C270} - C:\Program Files\Common Files\hoke4444.dll
backup-20080210-140251-463 O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll
backup-20080210-140251-533 O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
backup-20080210-140251-754 O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
backup-20080309-131138-607 O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
backup-20080309-131138-627 O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
backup-20080309-131138-659 O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
backup-20080309-131138-739 O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
backup-20080309-131138-837 O2 - BHO: BndAero6 IE Helper - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} - C:\Program Files\QdrDrive\QdrDrive11.dll (file missing)
backup-20080309-131138-847 O2 - BHO: (no name) - {7AE956A3-0039-41C0-811A-785D8959EBC1} - C:\WINDOWS\System32\mllmj.dll (file missing)
backup-20080309-131138-933 O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
backup-20080309-131138-938 O4 - HKCU\..\Run: [Lis] C:\WINDOWS\?ymbols\??anregw.exe
backup-20080309-142225-412 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
backup-20080309-142225-504 O2 - BHO: (no name) - {3613E8C4-2504-59A4-0066-5B00CCC588B7} - C:\WINDOWS\System32\has.dll
backup-20080309-142226-586 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 207.69.188.187 207.69.188.186
backup-20080309-142226-981 O18 - Filter: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
backup-20080311-134434-591 O4 - HKCU\..\Run: [Wkdiim] C:\WINDOWS\system32\A?pPatch\?ti2evxx.exe
backup-20080401-140031-421 O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
backup-20080401-140031-480 O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
backup-20080401-140031-641 O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
backup-20080401-145338-696 O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
backup-20080401-145338-811 O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
backup-20080401-145338-916 O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
backup-20080405-124930-169 O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
backup-20080405-124930-263 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
backup-20080405-124930-352 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
backup-20080405-124930-448 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
backup-20080405-124930-551 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
backup-20080405-124930-866 O17 - HKLM\System\CCS\Services\Tcpip\..\{CD3AAFEE-151F-44A9-B9D1-295360360AE6}: NameServer = 85.255.114.68,85.255.112.69
backup-20080406-130005-119 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
backup-20080406-130005-139 O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
backup-20080407-124520-413 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
backup-20080408-140316-797 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
backup-20080411-130350-308 O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - dfwe45fhfdg.exe %1
.ini - inifile - shell\open\command - dfwe45fhfdg.exe %1
.reg - regfile - shell\edit\command - dfwe45fhfdg.exe %1
.txt - txtfile - shell\open\command - dfwe45fhfdg.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 vax347b - c:\windows\system32\drivers\vax347b.sys
R0 vax347s - c:\windows\system32\drivers\vax347s.sys
R1 NetworkX - c:\windows\system32\ckldrv.sys
R2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys <Not Verified; Syncrosoft Hard- und Software GmbH; Internet Protection Hardware Driver>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S3 EWAVE - c:\windows\system32\drivers\ew.sys <Not Verified; TASCAM; GigaStudio 3.10>
S3 FILESPY - c:\windows\system32\drivers\filespy.sys (file missing)
S3 NSTATION - c:\windows\system32\drivers\nstation.sys (file missing)
S3 SynasUSB - c:\windows\system32\drivers\synasusb.sys <Not Verified; SIA Syncrosoft; USB protection device>
S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys (file missing)
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Crypkey License - crypserv.exe (file missing)
S2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S2 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
S2 RetroExpLauncher (Retrospect Express HD Launcher) - "c:\progra~1\retros~1\retros~1.0\retrorun.exe" <Not Verified; EMC Corporation; Retrospect Express HD>
S3 PictureTaker - c:\windows\system32\pctkrnt.sys <Not Verified; LANovation; PictureTaker Software Family>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA GeForce4 MX 440 (Gateway)
Device ID: PCI\VEN_10DE&DEV_0171&SUBSYS_87311462&REV_A3\4&BCE2C57&0&0008
Manufacturer: NVIDIA
Name: NVIDIA GeForce4 MX 440 (Gateway)
PNP Device ID: PCI\VEN_10DE&DEV_0171&SUBSYS_87311462&REV_A3\4&BCE2C57&0&0008
Service: nv


-- Scheduled Tasks -------------------------------------------------------------

2008-04-23 08:55:13 362 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-04-22 21:07:11 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 13:04:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 13:03:55 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-23 13:03:50 0 d-------- C:\WINDOWS\LastGood
2008-04-23 10:54:33 0 d-------- C:\Program Files\Remove on Reboot
2008-04-10 16:09:15 0 d-------- C:\WINDOWS\System32\NtmsData
2008-04-07 13:45:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 13:37:42 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\VMware
2008-04-07 13:36:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-07 13:35:44 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-04-07 13:35:06 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-04-06 12:51:24 0 d-------- C:\Program Files\Unused Waves Plug-Ins
2008-04-04 13:30:17 1158 --a------ C:\WINDOWS\mozver.dat
2008-04-04 13:28:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-04 13:28:40 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\Mozilla
2008-04-03 14:37:02 0 d-------- C:\WINDOWS\System32\drivers\downld
2008-04-03 14:26:22 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\AVSMedia
2008-04-03 14:26:13 0 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-03 14:20:26 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-04-03 14:19:23 0 d-------- C:\Program Files\Live_TV
2008-04-03 14:15:01 638976 --a------ C:\WINDOWS\System32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-04-03 14:14:59 0 d-------- C:\Program Files\AVSMedia
2008-04-02 14:28:52 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\Waves
2008-04-02 14:28:50 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\Waves Preferences
2008-04-02 14:24:26 0 d-------- C:\Program Files\Waves
2008-04-01 15:35:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-31 14:53:14 210 --a------ C:\WINDOWS\MicroSoft.vbs
2008-03-28 13:21:04 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\AVS Video Converter
2008-03-25 14:54:13 1706784 --a------ C:\WINDOWS\System32\drivers\ew.sys <Not Verified; TASCAM; GigaStudio 3.10>
2008-03-25 14:24:08 720 --a------ C:\scope
2008-03-25 14:13:35 165888 --a------ C:\WINDOWS\Ckconfig.exe <Not Verified; Kenonic Controls; CKCONFIG Application>
2008-03-25 14:13:32 28518 --a------ C:\WINDOWS\System32\Ckldrv.sys
2008-03-25 14:13:24 81920 --a------ C:\WINDOWS\System32\MidiAutomation32.dll <Not Verified; TASCAM; GigaStudio 3.20>
2008-03-25 14:13:24 27648 --a------ C:\WINDOWS\Setup_ck.exe
2008-03-25 14:13:24 18432 --a------ C:\WINDOWS\Setup_ck.dll
2008-03-25 14:13:24 11776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-03-25 14:13:18 45056 -----n--- C:\WINDOWS\System32\msg32.exe <Not Verified; TASCAM; GigaStudio 3.21>
2008-03-25 14:13:18 5632 -----n--- C:\WINDOWS\System32\gmidi.dll <Not Verified; TASCAM; GigaStudio 3.21>
2008-03-25 14:13:18 253952 -----n--- C:\WINDOWS\System32\ewctl32.dll <Not Verified; TASCAM; GigaStudio 3.21>
2008-03-25 14:13:05 139264 -----n--- C:\WINDOWS\System32\wstrm32.dll <Not Verified; TASCAM; GigaStudio 3.21>
2008-03-25 14:13:03 0 d-------- C:\Program Files\Tascam


-- Find3M Report ---------------------------------------------------------------

2008-04-23 15:44:56 0 d-------- C:\Program Files\PeerGuardian2
2008-04-23 13:05:05 64 --a------ C:\WINDOWS\System32\msvcsv60.dll
2008-04-23 13:05:05 64 --a------ C:\WINDOWS\msocreg32.dat
2008-04-23 13:03:15 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\MegauploadToolbar
2008-04-23 04:47:50 0 d-------- C:\Program Files\eMule
2008-04-22 22:14:56 664 --a------ C:\WINDOWS\System32\d3d9caps.dat
2008-04-16 16:08:06 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\BitTorrent
2008-04-11 09:16:07 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\AVG7
2008-04-08 15:17:07 0 d-------- C:\Program Files\Common Files
2008-04-04 13:30:26 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\Adobe
2008-04-03 14:15:57 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-04-02 14:57:43 0 d-------- C:\Program Files\VstPlugins
2008-04-01 15:35:09 0 d-------- C:\Program Files\Lavasoft
2008-04-01 15:35:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 13:34:35 0 d-------- C:\Program Files\MusicLab
2008-03-20 14:12:40 0 d-------- C:\Program Files\Common Files\iZotope
2008-03-20 14:12:39 0 d-------- C:\Program Files\iZotope
2008-03-11 14:22:00 0 d-------- C:\Program Files\Tunebite
2008-03-09 14:18:54 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\tunebite
2008-03-09 01:31:08 0 d-------- C:\Program Files\Sysinternals
2008-03-08 23:36:52 30720 --a------ C:\WINDOWS\voiceip.dll
2008-03-08 23:36:51 24064 --a------ C:\WINDOWS\swin32.dll
2008-03-08 23:36:41 9472 --a------ C:\WINDOWS\salm.exe
2008-03-08 23:36:36 10240 --a------ C:\WINDOWS\System32\MSNSA32.dll
2008-03-08 23:36:35 9728 --a------ C:\WINDOWS\msapasrc.dll
2008-03-08 23:36:35 18176 --a------ C:\WINDOWS\msa64chk.dll
2008-03-08 23:36:33 16896 --a------ C:\WINDOWS\System32\SIPSPI32.dll
2008-03-08 23:36:32 12288 --a------ C:\WINDOWS\System32\shdocpe.dll
2008-03-08 23:36:32 13312 --a------ C:\WINDOWS\System32\ntnut32.exe
2008-03-08 23:36:32 16384 --a------ C:\WINDOWS\shdocpl.dll
2008-03-08 23:36:32 18432 --a------ C:\WINDOWS\shdocpe.dll
2008-03-08 23:36:32 10496 --a------ C:\WINDOWS\ntnut.exe
2008-03-08 23:36:30 30720 --a------ C:\WINDOWS\winsb.dll
2008-03-08 23:36:28 30720 --a------ C:\WINDOWS\browserad.dll
2008-03-08 23:36:27 24064 --a------ C:\WINDOWS\aviwrap32.dll
2008-03-08 23:36:25 20992 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-08 23:36:25 10240 --a------ C:\WINDOWS\avifile32.dll
2008-03-08 23:36:25 23296 --a------ C:\WINDOWS\autodisc32.dll
2008-03-08 23:36:24 32000 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-08 23:36:22 27648 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-08 23:36:20 27648 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-08 23:36:18 9984 --a------ C:\WINDOWS\athprxy32.dll
2008-03-08 23:36:18 13568 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-08 23:36:17 25856 --a------ C:\WINDOWS\asferror32.dll
2008-03-08 23:36:15 18432 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 23:36:14 15872 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 23:25:24 3805830 --a------ C:\WINDOWS\rVAiiCm6L0.exe
2008-03-08 23:23:45 43008 --a------ C:\WINDOWS\qrehafqz.exe
2008-03-08 23:23:19 185856 --a------ C:\WINDOWS\qjkdghyh.dll
2008-03-08 23:20:31 4 --a------ C:\WINDOWS\System32\winfrun32.bin
2008-03-04 15:04:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 15:03:57 0 d-------- C:\Program Files\Pegasys Inc
2008-03-02 08:20:30 0 d-------- C:\Program Files\Essentials Codec Pack
2008-03-02 08:19:15 0 d-------- C:\Program Files\Xvid
2008-02-29 13:57:20 0 d-------- C:\Documents and Settings\Justin Tak-Lee Leung\Application Data\Real
2008-02-26 15:22:18 0 d-------- C:\Program Files\AC3Filter
2008-02-23 21:27:32 0 d-------- C:\Program Files\Cucusoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3AAAAFB-FD33-4314-BF81-B21DAF304585}]
C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"GWMDMMSG"="GWMDMMSG.exe" [06/15/2006 05:48 PM C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [06/15/2006 05:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 08:25 AM]
"WD Button Manager"="WDBtnMgr.exe" [06/27/2007 03:10 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/03/2002 10:50 PM]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [09/11/2006 05:32 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/19/2007 02:57 PM]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [05/11/2005 02:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [05/02/2007 05:15 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 04:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [08/08/2007 10:25 AM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [04/08/2007 12:44 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [08/03/2007 01:51 PM]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [02/09/2008 03:02 PM]
"@"="" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [09/07/2007 07:01 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 06:08 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Remove"="C:\Program Files\Remove on Reboot\Remove.exe" "C:\PROGRA~1\eMule\Incoming\_-_THE~1.AVI"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfgff]
hggfgff.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mllmj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


*Newly Created Service* - PGFILTER



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8325 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-23 16:05:12 ------------

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 25 April 2008 - 09:54 AM

Hello korniceman3000,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 25 April 2008 - 09:54 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 25 April 2008 - 01:08 PM

Hi Sifu Mike,

Thank you for your response. Your help is greatly appreciated :thumbsup: I have carried out the procedures as you have instructed and have enclosed the Smitfraud and HiJackThis logs for your inspection. The copy of Rapport is in the attachment section because it was too long to post and the forum wouldn't allow it. So far, my browser has still re-directed me to different pages from the specified link but if I quickly go back before the page changes, the next time I open the link, it takes me to the actual site...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:32 PM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.come/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3AAAAFB-FD33-4314-BF81-B21DAF304585} - C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
O20 - Winlogon Notify: hggfgff - hggfgff.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8142 bytes

#4 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 25 April 2008 - 01:10 PM

I can't seem to upload the Rapport file because the forum claims my attachment is larger than the available space even though it is only 232k. Please advise...

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 25 April 2008 - 01:24 PM

Hi korniceman3000,

At the top of the screen, Go to My Controls >
Options > Manage Your Attachments and delete all your previous Attachments.

Now that is is empty you should be able to save the SmitfruadFix report as an attachment.


If you edit out the hosts portion of the SmitfraudFix report, then you can either post it or attach it.

Edited by SifuMike, 25 April 2008 - 01:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 25 April 2008 - 03:57 PM

Thank you for your help. Attached is a copy of the Smifraud Report.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:32 PM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.come/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3AAAAFB-FD33-4314-BF81-B21DAF304585} - C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
O20 - Winlogon Notify: hggfgff - hggfgff.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8142 bytes

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 25 April 2008 - 05:06 PM

Hello korniceman3000,

For some reason, SmitfraudFix did not work. Did you have Teatimer enable while SmitfraudFix run?

We will try a different tool.

I notice that you have Spybot's TeaTimer running.
While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 26 April 2008 - 01:23 PM

Hi SifuMike,

Thank you so much for your quick response! :thumbsup: It seems SDFix has removed quite a number of backdoor trojan files from my computer :blink: but this ZlobDNSChanger is a lot more deeply rooted than I thought. On connecting my dsl, I've realized that there is no longer a long stall and sudden increase in CPU usage which is a good sign but I still get redirected when I open links in my IE browser... How do they come up with viruses like these...

Listed below is the SDFix report. The Hijack this log is on the following post.


SDFix: Version 1.175
Run by Justin Tak-Lee Leung on Sat 04/26/2008 at 01:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\JUSTIN~1\MYDOCU~1\MYDOWN~1\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\puofdnhl\1.png - Deleted
C:\WINDOWS\puofdnhl\2.png - Deleted
C:\WINDOWS\puofdnhl\3.png - Deleted
C:\WINDOWS\puofdnhl\4.png - Deleted
C:\WINDOWS\puofdnhl\5.png - Deleted
C:\WINDOWS\puofdnhl\6.png - Deleted
C:\WINDOWS\puofdnhl\7.png - Deleted
C:\WINDOWS\puofdnhl\8.png - Deleted
C:\WINDOWS\puofdnhl\9.png - Deleted
C:\WINDOWS\puofdnhl\bottom-rc.gif - Deleted
C:\WINDOWS\puofdnhl\config.png - Deleted
C:\WINDOWS\puofdnhl\content.png - Deleted
C:\WINDOWS\puofdnhl\download.gif - Deleted
C:\WINDOWS\puofdnhl\frame-bg.gif - Deleted
C:\WINDOWS\puofdnhl\frame-bottom-left.gif - Deleted
C:\WINDOWS\puofdnhl\frame-h1bg.gif - Deleted
C:\WINDOWS\puofdnhl\head.png - Deleted
C:\WINDOWS\puofdnhl\icon.png - Deleted
C:\WINDOWS\puofdnhl\indexwp.html - Deleted
C:\WINDOWS\puofdnhl\main.css - Deleted
C:\WINDOWS\puofdnhl\memory-prots.png - Deleted
C:\WINDOWS\puofdnhl\net.png - Deleted
C:\WINDOWS\puofdnhl\pc.gif - Deleted
C:\WINDOWS\puofdnhl\pc-mag.gif - Deleted
C:\WINDOWS\puofdnhl\poloska1.png - Deleted
C:\WINDOWS\puofdnhl\poloska2.png - Deleted
C:\WINDOWS\puofdnhl\poloska3.png - Deleted
C:\WINDOWS\puofdnhl\promowp1.html - Deleted
C:\WINDOWS\puofdnhl\promowp2.html - Deleted
C:\WINDOWS\puofdnhl\promowp3.html - Deleted
C:\WINDOWS\puofdnhl\promowp4.html - Deleted
C:\WINDOWS\puofdnhl\promowp5.html - Deleted
C:\WINDOWS\puofdnhl\reg.png - Deleted
C:\WINDOWS\puofdnhl\repair.png - Deleted
C:\WINDOWS\puofdnhl\scr-1.png - Deleted
C:\WINDOWS\puofdnhl\scr-2.png - Deleted
C:\WINDOWS\puofdnhl\start.png - Deleted
C:\WINDOWS\puofdnhl\styles.css - Deleted
C:\WINDOWS\puofdnhl\top-rc.gif - Deleted
C:\WINDOWS\puofdnhl\vline.gif - Deleted
C:\WINDOWS\puofdnhl\wp.png - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\WINDOWS\PerfInfo\rVAiiCm6L0wp.exe.bak - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\salm.exe - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\swin32.dll - Deleted
C:\WINDOWS\system32\MSNSA32.dll - Deleted
C:\WINDOWS\system32\ntnut32.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\shdocpe.dll - Deleted
C:\WINDOWS\system32\SIPSPI32.dll - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted



Folder C:\Program Files\ISM - Removed
Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\PerfInfo - Removed
Folder C:\WINDOWS\system32\a1 - Removed
Folder C:\WINDOWS\system32\g2 - Removed
Folder C:\WINDOWS\system32\rMa01yy - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 13:51:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"0"="SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vax347s\Config\jdgg40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120% (Trial Version)"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

Remaining Files :


File Backups: - C:\DOCUME~1\JUSTIN~1\MYDOCU~1\MYDOWN~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 14 Aug 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 24 Dec 2006 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 24 Dec 2006 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Tue 14 Aug 2007 4,348 ...H. --- "C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Music\License Backup\drmv1key.bak"
Wed 15 Aug 2007 20 A..H. --- "C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 14 Aug 2007 9,856 A.SH. --- "C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Music\License Backup\drmv2key.bak"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:04 PM, on 4/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Justin Tak-Lee Leung\My Documents\My Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3AAAAFB-FD33-4314-BF81-B21DAF304585} - C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O20 - Winlogon Notify: hggfgff - hggfgff.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7649 bytes

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 26 April 2008 - 01:45 PM

Hello korniceman3000,

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {B3AAAAFB-FD33-4314-BF81-B21DAF304585} - C:\Program Files\Common Files\hokeC:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O20 - Winlogon Notify: hggfgff - hggfgff.dll (file missing)
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh HijackThis log and tell me how your computer is running.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 27 April 2008 - 01:25 PM

Hi SifuMike,

Thank you for your prompt response. Sorry about the delay. I was away from the computer for a while. Both programs definitely helped my browser run a lot smoother than before but I still keep getting redirected. I've checked the add/remove software of my computer for unwanted programs but nothing new was installed aside from the antimalware you provided.

Every time I click a link in Yahoo it starts searching then goes to a blank page to an address for results.yahoo.com while the status bar shows the page being re-directed to allofweb.net and brings me to some webpage like search11.info.com. When I try to go back, it refuses and the status bar revaals http://info.intelli-direct.com.

Furthermore, the moment the mouse pointer passes over the listed yahoo search results in IE, a very light brownish tan box envelopes the entire entry. Even touching the letters in the text description causes the browser to be re-directed.

Below is my MBAM report and HijackThis Log for your review. I apologize for this being such a lengthy problem and really appreciate all the help and assistance you've provided. I didn't think this DNSchanger would be so difficult to remove.


Malwarebytes' Anti-Malware 1.11
Database version: 690

Scan type: Quick Scan
Objects scanned: 31743
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 38
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndaero6.band (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndaero6.band.1 (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15f56b17-a0f8-4288-a24c-0f913b34d67b} (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{15f56b17-a0f8-4288-a24c-0f913b34d67b} (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndaero6.bho (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndaero6.bho.1 (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ddbc293e-52e4-45e8-a684-2c3c96efc069} (Adware.SearchAid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{543bd811-f148-4b3a-a0b9-177014555bf9} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d6b0c179-6343-442c-8175-9652e200cb55} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{5c9da244-a571-4fe7-ab8c-ca47703c686b} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{daa07812-5c88-4ccc-8d25-10fef65b77b1} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndAero6.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock5.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\nGpxx01 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin Tak-Lee Leung\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\qrehafqz.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin Tak-Lee Leung\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin Tak-Lee Leung\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:30 PM, on 4/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Documents and Settings\Justin Tak-Lee Leung\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7228 bytes

Edited by korniceman3000, 27 April 2008 - 01:40 PM.


#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 27 April 2008 - 02:00 PM

Hello korniceman3000,

This computer is really infected, so we will have to use several tools.


Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.

 If your system does not reboot, then reboot it manually.

Please boot into Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69

Close HijackThis, and click OK to proceed.


* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Higlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.


Reboot your computer again.

Please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 28 April 2008 - 02:02 PM

Hi SifuMike,

Thank you for your response. After looking through the HijackThis log, I can't find anything that I don't recognize from before the virus infection. However, I still can't seem to remove the DNSChanger. Fixware removed the Tcipip redirection and after a run through with HijackThis,

O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69

was removed but shortly after restarting the computer and connecting to the internet, Peerguardian stopped IE from going to any webpage because Malware was trying to enter the computer.

Range: Malware exploits Source:66.32.111.31:3025 Destination: 85.255.112.69:53 Protocol: UDP

Please advise on my next step. Thank you and sorry for the inconvenience.


Username "Justin Tak-Lee Leung" - 04/28/2008 13:21:57 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}
"nameserver"="85.255.114.68" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"WD Button Manager"="WDBtnMgr.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"RetroExpress"="C:\\PROGRA~1\\RETROS~1\\RETROS~1.0\\RetroExpress.exe /h"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_12\\bin\\jusched.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe"
"NBKeyScan"="\"C:\\Program Files\\Nero\\Nero8\\Nero BackItUp\\NBKeyScan.exe\""
"Media Codec Update Service"="C:\\Program Files\\Essentials Codec Pack\\update.exe -silent"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Nero\\Lib\\NMBgMonitor.exe\""
"Pando"="\"C:\\Program Files\\Pando Networks\\Pando\\Pando.exe\" /Minimized"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:18 PM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Justin Tak-Lee Leung\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7098 bytes

Edited by korniceman3000, 28 April 2008 - 02:06 PM.


#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 28 April 2008 - 03:42 PM

I still can't seem to remove the DNSChanger.


Where are you seeing DNSChanger? I dont see it in your log.

but shortly after restarting the computer and connecting to the internet, Peerguardian stopped IE from going to any webpage because Malware was trying to enter the computer.

Range: Malware exploits Source:66.32.111.31:3025 Destination: 85.255.112.69:53 Protocol: UDP


Is not that the purpose of PeerGuardian? It acts like similar to a firewall preventing incoming and outgoing packets.

Are you using a commerical firewall?

Your log looks clean.

Edited by SifuMike, 28 April 2008 - 03:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 28 April 2008 - 04:29 PM

Hi SifuMike,

Thank you so much for the quick response. The DNS changer never shows in any of the logs of the malware removal programs used thus far. They only appear in my Spybot S & D Fixed Logs. Everyday, Spybot cleans my computer at 3 AM in the morning and everyday it says it removed both Zlob DNSChanger and Right Media but both keep reappearing in the logs. I just performed a new HijackThis scan and the log reveals

O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69

again.

To answer your quetsion about peerguardian: Yes I do use it as my primary firewall in place of my Black Ice defender which ran really slowly and used a lot of my RAM. It was blocking the malware from re-entering the computer but at the same time, prevented me from opening any webpage because every webpage I inputed in the address bar or via ctr+L was being re-directed and peerguardian managed to stop this but at the cost of IE functioning at all regardless of what website I entered.

After restarting my computer, the DNS changer was dormant but then re-activated once I started searching on Yahoo via both IE and Firefox. I tried to click on a Yahoo search return for a WWE link and the page was re-directed to quicklex.com. Listed below is my most recent HijackThis log from 20 minutes ago. I have also enclosed the most recent copy of the Spybot S & D Fix logs for your review.

Thank you again and sorry about this mess.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:16 PM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Pegasys Inc\TMPGEnc Plus 2.5\TMPGEnc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Justin Tak-Lee Leung\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7523 bytes



--- Report generated: 2008-04-28 03:44 ---

Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}\NameServer=208.67.220.220,208.67.222.222

Right Media: Tracking cookie (Internet Explorer: Justin Tak-Lee Leung) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-04-07 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi (*)
2008-04-17 Includes\AdwareC.sbi (*)
2008-04-17 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-04-17 Includes\DialerC.sbi (*)
2008-04-17 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-04-17 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-04-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-04-17 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-04-17 Includes\PUPSC.sbi (*)
2008-04-17 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-17 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-17 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-17 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-16 Includes\Trojans.sbi (*)
2008-04-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:33 PM

Posted 28 April 2008 - 05:11 PM

Hi,

To answer your quetsion about peerguardian: Yes I do use it as my primary firewall in place of my Black Ice defender which ran really slowly and used a lot of my RAM.


PeerGuardian is a small firewall made for p2p users. I would not use it as my main firewall.

Here are five free firewalls available for personal use. If one conflicts with your system, try another.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls

Comodo Firewall Pro
Comodo Firewall Pro user guide

Online Armor Free

Sunbelt Kerio Firewall

Outpost Firewall Free

ZoneAlarm
ZoneAlarm Manual http://download.zonelabs.com/bin/media/pdf/ZAP40_manual.pdf



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Spybot cleans my computer at 3 AM in the morning and everyday it says it removed both Zlob DNSChanger and Right Media but both keep reappearing in the logs.
Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Registry change, fixed)


Sounds like you are being reinfected in the middle of the night. :thumbsup:


O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69 again.


That is Wareout redirection, cause by visiting certain web sites. What web sites were you visiting when you got this infection?

Another possiblilty is that your Emule and/or BitTorrent P2P is the cause. :blink: Are you leaving them active and letting others access your computer? That is asking for trouble!

I see you are running P2P programs eMule BitTorrent on Startup. This is a very bad idea, as it give others access to your computer. Disable them both from running at startup.

Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, BitTorrent, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox can degrade system performance and consume vast amounts of storage and may create security issues as outsiders are granted access to internal files.

They are often bundled with adware or spyware. Recently, peer-to-peer file swapping programs have been used for identity theft.


Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Run FixWareout
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.

If your system does not reboot, then reboot it manually.

Please boot into Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix all"

O17 - HKLM\System\CCS\Services\Tcpip\..\{F73FC8B1-86DB-4C6C-8FCF-56634923D76B}: NameServer = 85.255.114.68 85.255.112.69

Close HijackThis, and click OK to proceed.

Run Spybot and see if the infections appear.

Reboot your computer.

Run Spybot and see if the infections appear.

Post a fresh Hijackthis log.

Edited by SifuMike, 28 April 2008 - 06:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users