Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Brower DNS Hijack


  • This topic is locked This topic is locked
2 replies to this topic

#1 Martin_D

Martin_D

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 20 February 2009 - 06:22 PM

A virus is hijacking my browsers

For example a Google Search for "Analytic Philosophy" brought up several links, one of which is suppose to take me to: en.wikipedia.org/wiki/Analytic_philosophy.

However, when I click on the link title it takes me to:

<hxxp://windowsclick.com/go.php?u=wxvmzofl9KRIhSYJJnTpAQXTOBYRKSycSH9rQY30PG2m65CSBt-Sbd-SKgAObfJ8_zQ_hfSIhCrEvkIcK...>(this address goes on quite awhile)

The site I was (re) directed to then tries to download yet another virus.

On the other hand, if instead of clicking in the link title, I copy and paste the the link address itself (en.wikipedia.org/wiki/Analytic_philosophy) into the address box then it will go to the proper address.


Since the virus problem began various (new except as noted) errors appear on startup and during software installation.

The following errors occur during startup

Google Installer encountered a problem and needs to close
Error signature
szAppName: GoogleUpdate.exe szAppVer: 1.2.131.7
szModName: GoogleUpdate.exe szModVer: 1.2.131.7 offset: 00006eef

Spyware Terminator Realtime Shield has encountered a problem and needs to close.
Error signature
AppName: spywareterminatorshield.exe AppVer: 2.5.0.480
ModName: spywareterminatorshield.exe ModVer: 2.5.0.480 Offset: 000ecaa8

Symantic User Session
A necessar file could not be loaded: PIF:AlertEng.dll
1002,1
(this began appearing a few weeks BEFORE I noticed the virus)


Google Installer encountered a problem and needs to close
Error signature
szAppName: GoogleUpdate.exe szAppVer: 1.2.131.7
szModName: GoogleUpdate.exe szModVer: 1.2.131.7 offset: 00006eef



The following programs/files are also unable to be installed (installations fail):

Security Update for Microsoft.NET Framework, Version 2.0 (KB928365) is unable to install.
(I was able to install all the XP updates, like SP3, except for this one)
SUPERAntiSpyware is unable to install


I have taken the following steps:

The problem began with a Spyware Protect 2009 program that began popping up on my screen with fake system scans. I determined it was virus, looked up the fix and stopped the related processes, removed two files and tree (I think) related registry entries. The Spyware Protect popups and redirects ceased to be a problem. I then did the following:

1) I scanned my system using McAfee (It removed a Generic Rootkit.d!rootkit and it quarantined a PWCrack-Winspy and several Generic.dx viruses)
2) I reinstalled XP (repair mode) and XP SP3, and installed a fresh copies of IE and Firefox (in hopes of overwriting any corrupted files)
3) Then I re scanned my system using McAfee (no viruses detected)
4) I then installed Spyware Terminator
5) I scanned my system using Spyware Terminator (It removed remaining items from PasswareRecoveryKeys and Adware.SweetBar that not been completely removed and; it removed some Affiliate tracking cookies)
6) I tried to install SuperAntiSptware and was unsuccessful
7) I checked my browsers and they were still being redirected (sometimes to ToSeekA, other times to other channels)
8) I got onto my other computer and began researching the problem and I came across the 9leepingComputer website. I found the HijackThis Malware thread and realized I was in over my head so then
10) I installed DDS and created the attached logs.
11) I installed HijackThis and created a Logfile and StartupList
12) Got an account with BleepingComputer and here I am.

Any help you could give me to lick this thing is appreciated!

DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Martin Drumm at 13:46:32.20 on Fri 02/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1504.1077 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\Oplmsb01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Martin Drumm\My Documents\Computer\Downloads\Antispy\DDS\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.searchgateway.net/search
uStart Page = hxxp://www.hotsheet.com/
uSearchURL,(Default) = hxxp://www.searchgateway.net/search-Google-Gateway.php?sa=Search+Here&client=pub-4642981363251965&forid=1&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A11&q=%s
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
BHO: ReadMe-Pointstone - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
uRunOnce: [<NO NAME>] c:\program files\mozilla firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000bb
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [LanguageMonitor] c:\windows\system32\Oplmsb01.exe OKI B4100
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [MMReminderService] c:\program files\mindjet\mindmanager 6\MMReminderService.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
uPolicies-explorer: NoActiveDesktop = 00000000
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186950163421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin~1\applic~1\mozilla\firefox\profiles\wrj8q4i4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hotsheet.com/
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-8 201320]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-10-2 3744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-10-2 3904]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-8 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-8 144704]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-8-23 1245064]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-1-8 547744]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2004-6-10 25434]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-22 109616]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-8 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-8 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-8 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-8 40488]
S2 0303901231476218mcinstcleanup;McAfee Application Installer Cleanup (0303901231476218);c:\docume~1\martin~1\locals~1\temp\030390~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\martin~1\locals~1\temp\030390~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9867d197ce13d;Google Update Service (gupdate1c9867d197ce13d);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 DVR3KUSB;DVR3KUSB.Sys Digital Voice Recorder 3K device driver;c:\windows\system32\drivers\DVR3KUSB.sys [2005-2-15 45031]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2005-9-12 31744]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-8 33832]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\mtk.sys --> c:\windows\system32\drivers\mtk.sys [?]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OkiPar.sys [2001-10-2 36928]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-6-10 279880]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-02-20 09:37 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-20 09:37 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-20 09:37 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-20 09:37 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-20 09:37 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-20 09:37 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-20 09:37 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-20 09:37 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-20 09:37 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 18:41 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-19 18:41 <DIR> --d----- c:\docume~1\martin~1\applic~1\Spyware Terminator
2009-02-19 18:41 <DIR> --d----- c:\program files\Spyware Terminator
2009-02-19 18:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-02-19 17:13 1,307,648 -c------ c:\windows\system32\dllcache\msxml6.dll
2009-02-19 17:13 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2009-02-19 17:08 19,569 a------- c:\windows\003454_.tmp
2009-02-19 15:17 13,274 a------- c:\windows\system32\wpa.bak
2009-02-19 14:25 76,288 ac------ c:\windows\system32\dllcache\uniime.dll
2009-02-19 14:24 22,016 ac------ c:\windows\system32\dllcache\logscrpt.dll
2009-02-19 14:23 66,594 ac------ c:\windows\system32\dllcache\c_864.nls
2009-02-19 14:23 <DIR> --d----- c:\program files\msn gaming zone
2009-02-19 14:21 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-19 14:21 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-19 14:21 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-19 14:21 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-19 14:21 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-19 14:21 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-19 14:20 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-02-19 14:18 169,984 ac------ c:\windows\system32\dllcache\iisui.dll
2009-02-19 14:18 60,928 ac------ c:\windows\system32\dllcache\iisclex4.dll
2009-02-19 14:18 19,968 ac------ c:\windows\system32\dllcache\inetsloc.dll
2009-02-19 14:18 7,168 ac------ c:\windows\system32\dllcache\wamregps.dll
2009-02-19 14:18 3,584 ac------ c:\windows\system32\dllcache\iismui.dll
2009-02-19 14:18 19,968 a------- c:\windows\system32\inetsloc.dll
2009-02-19 14:18 7,168 a------- c:\windows\system32\wamregps.dll
2009-02-19 14:18 3,584 a------- c:\windows\system32\iismui.dll
2009-02-17 18:57 19,569 a------- c:\windows\000001_.tmp
2009-02-17 11:05 16,896 a------- c:\windows\syssvc.exe
2009-02-16 21:11 <DIR> --dsh--- c:\windows\system32\twain32
2009-02-16 21:11 364,040 a------- c:\windows\system32\wpv731234555431.cpx
2009-02-16 21:11 20,481 a------- c:\windows\system32\digeste.dll
2009-02-11 22:02 <DIR> --d----- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-02-03 20:27 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-02-03 20:24 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-02-03 20:24 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2009-02-19 14:19 22,720 a------- c:\windows\system32\emptyregdb.dat
2009-01-10 20:44 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-08 23:52 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 23:52 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 23:52 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 23:52 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 20:52 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2005-04-15 19:14 21,256 a------- c:\docume~1\martin~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:47:37.20 ===============





Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:25 PM, on 2/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\Oplmsb01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
F:\antispy\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search-Google...D%3A11&q=%s
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [LanguageMonitor] C:\WINDOWS\system32\Oplmsb01.exe OKI B4100
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000bb
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186950163421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0303901231476218) (0303901231476218mcinstcleanup) - Unknown owner - C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\030390~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Update Service (gupdate1c9867d197ce13d) (gupdate1c9867d197ce13d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12795 bytes

Attached Files


Edited by Orange Blossom, 11 February 2013 - 03:52 AM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 Martin_D

Martin_D
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 22 February 2009 - 08:51 PM

Note from topic originator.
My need to deal with this was urgent enough that on 2/22/09 pm I decided to reformat and reinstall my OS. :) In any case, thanks to anyone that might have begun to look into my topic. :thumbup2:
Martin

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:04:55 PM

Posted 23 February 2009 - 09:31 AM

Thanks for informing us what you have done.

Our HJT forum is so busy that it is taking some time to respond to all that post.

If you have a new issue, please start a New Topic.

This thread is closed. Good Luck.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users