
Abnormal behavior, redirect

  • This topic is locked
5 replies to this topic

#1 Talavaj


  • Members
  • 2 posts
  • Local time:09:23 AM

Posted 09 February 2010 - 04:34 PM

PC has been acting up for the past two weeks.

Clicking links sometimes randomly redirects to jsc.google-analytics.com, upperup.com/1.html or a new www.google.com/ window for no apparent reason.
It doesn't seem to cause any further problems but definitely doesn't look like usual behavior (and I seem to encounter this issue more often).

Other issues I've encountered are the fading out of the browser icon (it became like 50% transparent, no idea what was the cause)
and the inability to turn off/restart the PC (after clicking either of the buttons it just did nothing).
I don't know whether these two issues are relevant or not, but as I've never encountered them before, I decided to post them anyway.

Running Gmer causes it to open the window, load for a few seconds, then pop up an "Application has encountered a problem and needed to close." window.
After that, trying to run Gmer again (and some other applications) causes an application initialization error (of address xx00000005 whatever), and furthermore when shutting down the OS, instead of displaying the default "saving..., shutting down..." screen, explorer.exe is closed and a small window showing "Windows XP home edition , saving... , shutting down..." pops up.


DDS (Ver_09-12-01.01) - NTFSx86  
Run by PC at 21:16:23,90 on ut 09.02.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition  5.1.2600.2.1250.421.1029.18.767.195 [GMT 1:00]

AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Outdated)   {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Kerio Personal Firewall *enabled*   {A990EAA7-8941-4621-BC27-4F16261D3180}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\PC\Plocha\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.naver.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.zoznam.sk/
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: XTTBPos00 Class: {055fd26d-3a88-4e15-963d-dc8493744b1d} - c:\progra~1\icqtoo~1\toolbaru.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to AMV Convert Tool... - d:\program files\amv 4.0\amvconverter\grab.html
IE: Add to AMV Converter... - d:\program files\amv player utilities\amvconverter\grab.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xportovať do programu Microsoft Excel -
IE: MediaManager tool grab multimedia file - d:\program files\amv 4.0\mediamanager\grab.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
LSP: c:\windows\system32\imon.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/HanSetup1020.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} - hxxp://hancdn.hangame.com/pub/plii/real/PubPlugin.cab
TCP: {C9EDA940-19D9-46EA-8EE0-075B6E506370} =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\dataap~1\mozilla\firefox\profiles\1yej9kuk.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en&tab=iw
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: d:\program files\programs\vlc player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.jit.chrome",       false);
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");

============= SERVICES / DRIVERS ===============

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2006-9-26 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2006-9-26 5248]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-4-4 15424]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]
R3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [2006-5-26 131072]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [2006-5-26 614272]
R3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver;c:\windows\system32\drivers\CnxTgNP.sys [2006-5-26 60416]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-8-18 69120]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys --> c:\windows\system32\drivers\spyemrg.sys [?]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-5-29 223128]
S3 XDva030;XDva030; [x]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]
S3 XDva248;XDva248;\??\c:\windows\system32\xdva248.sys --> c:\windows\system32\XDva248.sys [?]

=============== Created Last 30 ================

2010-01-14 18:08:05    0    d-----w-    c:\program files\common files\ChaosGroup
2010-01-14 18:07:58    0    d-----w-    c:\program files\Chaos Group

==================== Find3M  ====================

2010-01-11 12:50:46    173232    ----a-w-    c:\windows\system32\PubPlugin.dll
2009-12-28 15:07:58    76584    ----a-w-    c:\windows\War3Unin.dat
2009-12-28 14:42:36    2829    ----a-w-    c:\windows\War3Unin.pif
2009-12-28 14:42:36    139264    ----a-w-    c:\windows\War3Unin.exe
2009-12-07 14:30:16    1147296    ----a-w-    c:\windows\system32\HanWebMsg1059.dll
2008-03-10 18:54:17    3895086    ----a-w-    c:\program files\Movie Maker.rar
2002-01-01 01:20:44    56    --sh--w-    c:\windows\system32\00D4D9AC03.sys
2007-12-27 00:28:35    56    --sh--w-    c:\windows\system32\C25EDD7BE3.sys
2007-12-27 01:07:27    12888    --sha-w-    c:\windows\system32\KGyGaAvL.sys
2009-06-06 12:41:05    16384    --sha-w-    c:\windows\temp\cookies\index.dat
2009-06-06 12:41:05    32768    --sha-w-    c:\windows\temp\history\history.ie5\index.dat
2009-06-06 12:41:07    65536    --sha-w-    c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:19:39,75 ===============

thanks in advance



#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:23 AM

Posted 15 February 2010 - 07:51 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Talavaj


Posted 20 February 2010 - 06:56 AM

Yes, sorry I had some issues to take care of.

#4 m0le



Posted 20 February 2010 - 07:04 AM

Before we go on, let's see if we can get a rootkit scan.

Please rerun Gmer but uncheck Devices first.

#5 m0le



Posted 22 February 2010 - 08:55 PM


I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.



#6 m0le



Posted 23 February 2010 - 08:48 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
