Unrequested Pages Beling Displayed In Ie


This topic is locked
9 replies to this topic

#1 the doomed
  • Members

Posted 24 April 2006 - 11:48 AM

When clicking on links I am not always getting the page requested; instead I get referred to a Google search or other search site relating to the topic of the requested page.

Done Ad-Aware, Spybot, ewido and AVG scans and the problem still exists.


HijackThis log as follows:


Logfile of HijackThis v1.99.1
Scan saved at 17:42:28, on 24/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://killiefc.com/forum/forumdisplay.php?fid=16
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://killiefc.com/forum/forumdisplay.php?fid=16
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://killiefc.com/forum/forumdisplay.php?fid=16
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lock Computer on Startup] rundll32.exe user32.dll, LockWorkStation
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Internet Explorer.lnk = ?
O4 - Startup: to_do.lnk = D:\david\to_do.txt
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: DigiChat Applet - http://host9.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://assessitp2l.howtomaster.com/plugin/...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132077963078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8FACB588-4A4B-46C1-807B-1F08D0AC7592} (eTours Control) - http://www.360etours.net/tours/activex/eTours.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{36086A2E-F922-42FE-AFAA-4E0259AFC95C}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B039AE4-014A-4AF5-9809-0C726CB01DF7}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EF85228-30D9-44D8-BE79-6AACDDD92610}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{79D1D7C8-4BDB-45F0-8E4D-3185CE0DF684}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9262740D-D42A-4C90-8C81-9620D3ECAA36}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE63D4C4-5877-4E69-8E64-98BA24D404D7}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe


#2 pskelley
  • Staff Emeritus

Posted 01 May 2006 - 07:12 AM

Hello and welcome to the forum. You have been a victim of folks in the Ukraine and have been hijacked; see this: http://whois.domaintools.com/85.255.115.156 In order to deny these hackers access to your computer I suggest you stay offline as much as possible until you are clean.

You have other stuff that needs to go also, see this: http://castlecops.com/clsid-927.html

FlashGet download manager - the trial bundles Cydoor adware, but when you register the ads disappear.

They put the adware there with the download. If you do not register (not sure if this means purchase) you keep the adware, and it is nasty. I have never liked this program because of that. You may do as you wish, but I suggest you remove the junk and get a free, adware/spyware-free download manager if you really think you need one. I find the download speeds rarely improve with one; your call.

I am not sure about this; my security setting will not let me view it. I will remove it, and if you are positive it is safe, you may leave it:
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

Follow the instructions carefully and in the posted order.

1) Turn off TeaTimer, it will block the fix we must make: http://russelltexas.com/malware/teatimer.htm

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
(next does not open, delete it unless you know it is safe)
O16 - DPF: DigiChat Applet - http://host9.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{36086A2E-F922-42FE-AFAA-4E0259AFC95C}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B039AE4-014A-4AF5-9809-0C726CB01DF7}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EF85228-30D9-44D8-BE79-6AACDDD92610}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{79D1D7C8-4BDB-45F0-8E4D-3185CE0DF684}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9262740D-D42A-4C90-8C81-9620D3ECAA36}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE63D4C4-5877-4E69-8E64-98BA24D404D7}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Thanks to LonnyRJones, Swandog46, AutoDad and any others who helped with this fix.

3) You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

(hold the logs until we finish)

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(that space between g and / is needed)

4) You have ewido onboard, open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

5) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

6) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the C:\fixwareout\report.txt, the ewido scan results, a new HJT log and any comments you think will help. We may have more to do? How is the computer running now?

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
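A defender-side check for the O17 lines that the fix above targets, as an added example that is not part of the original thread or of HijackThis: it parses the per-interface NameServer entries HijackThis reports for each control set and flags any resolver that is neither private/loopback nor on an allow-list of resolvers the user knowingly configured. The sample log lines and the 8.8.8.8 allow-list entry are constructed for the example.

```python
"""Flag DNS-changer style O17 entries in a HijackThis log (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Matches lines of the form
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
# CCS is the CurrentControlSet; CS1, CS2, ... are the saved control sets.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)

# Constructed sample: one hijacked adapter (the resolver pair from the thread, present in
# CCS and in the saved set CS1), one adapter using the home router, one using an
# allow-listed public resolver, plus an unrelated O4 line that the parser must skip.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBBBBBBB-0000-0000-0000-000000000002}: NameServer = 8.8.8.8,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{35E36EAD-0607-4420-A1BB-9C373A11D611}: NameServer = 85.255.115.156,85.255.112.87
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed allow-list: resolvers the owner deliberately configured (assumption for the example).
EXPECTED_RESOLVERS = ("8.8.8.8",)


@dataclass(frozen=True)
class O17Entry:
    control_set: str   # "CCS", "CS1", "CS2", ...
    interface: str     # adapter GUID without braces
    servers: tuple     # resolver addresses in the order written


def parse_o17(log_text):
    """Extract every O17 NameServer entry from a HijackThis log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s.strip() for s in m.group("servers").split(",") if s.strip())
        entries.append(O17Entry(m.group("cs"), m.group("guid"), servers))
    return entries


def is_expected_resolver(ip_text, allowlist):
    """A router/local resolver (private or loopback) or an explicitly allow-listed address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False   # an unparsable NameServer value is never treated as expected
    return ip.is_private or ip.is_loopback or ip in allowlist


def find_suspect_nameservers(log_text, allowlist):
    """Map each interface GUID to the sorted list of unexpected resolvers it points at."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    suspect = {}
    for e in parse_o17(log_text):
        bad = [s for s in e.servers if not is_expected_resolver(s, allow)]
        if bad:
            suspect.setdefault(e.interface, set()).update(bad)
    return {guid: sorted(ips) for guid, ips in suspect.items()}


def control_sets_affected(log_text, allowlist):
    """Control sets carrying an unexpected resolver. In the thread's log the same pair sits in
    CCS, CS1 and CS2, so fixing only the current set would leave the saved sets hijacked."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    return sorted({e.control_set for e in parse_o17(log_text)
                   if any(not is_expected_resolver(s, allow) for s in e.servers)})


if __name__ == "__main__":
    for guid, ips in find_suspect_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS).items():
        print(f"interface {{{guid}}} uses unexpected DNS servers: {', '.join(ips)}")
    print("control sets affected:", ", ".join(control_sets_affected(SAMPLE_LOG, EXPECTED_RESOLVERS)))
```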

#3 the doomed
  • Topic Starter
  • Members

Posted 01 May 2006 - 05:18 PM

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
C:\WINDOWS\SYSTEM32\DMSDM.EXE
C:\WINDOWS\SYSTEM32\DMSDM.EXE

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMSDM.EXE 51,260 2004-08-04



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:15:43, 01/05/2006
+ Report-Checksum: 430A5B4B

+ Scan result:

HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID -> Adware.WebSearch : Error during cleaning
C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@e-2dj6wflooldpwkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 23:12:56, on 01/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://killiefc.com/forum/forumdisplay.php?fid=16
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://killiefc.com/forum/forumdisplay.php?fid=16
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://killiefc.com/forum/forumdisplay.php?fid=16
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lock Computer on Startup] rundll32.exe user32.dll, LockWorkStation
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Internet Explorer.lnk = ?
O4 - Startup: to_do.lnk = D:\david\to_do.txt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: DigiChat Applet -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://assessitp2l.howtomaster.com/plugin/...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132077963078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8FACB588-4A4B-46C1-807B-1F08D0AC7592} (eTours Control) - http://www.360etours.net/tours/activex/eTours.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} -
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe


Comments

No longer appears to be doing the same actions. Have removed FlashGet. - Always wondered why Cydoor was a recurring threat in Spybot etc.

When running ewido, my AVG always alerts me to a virus in a specific folder. No idea if it is related or not. The directory is on my second hard drive (pictures, documents etc. only) and contains files from a website my work hosts. AVG scans it clean on its own.

#4 pskelley
  • Staff Emeritus

Posted 01 May 2006 - 08:49 PM

Hello and thanks for returning the information and your feedback. Looking at ewido first:

HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID -> Adware.WebSearch : Error during cleaning

Did you Backup and run the registry cleaner in CCleaner (Issues)? This is probably an isolated leftover in the registry, and perhaps CCleaner will remove it. If not you would have to edit the registry to remove the line. Let me know what you think.

Logfile of HijackThis v1.99.1 Scan saved at 23:12:56, on 01/05/2006

(two dead FlashGet lines, just clutter. You can use HJT to remove them)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
(remove if you do not use it)
O16 - DPF: DigiChat Applet
(remove)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} -

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

When running ewido, my avg always alerts me to a virus in a specific folder

It may be seeing something in ewido; that happens. It should tell you what and where it is also. Can you provide more information about what this is? Watch the computer for a day or so and then let me know if all is still running well. Get into the information I provided from the experts; you need that information to protect yourself from hackers so this won't happen again.

Sounds like we got the problems; you stay away from those Ukrainians.

Safe surfing...Phil :thumbsup:

Thanks...pskelley

#5 the doomed
  • Topic Starter
  • Members

Posted 02 May 2006 - 07:34 AM

Had not run the CCleaner (Issues) but have now. Fixed a fair number of issues, 661.

Fixed issues you picked up from the HJT log.

Removed all old system restore points.



Ran ewido after CCleaner and error is still there:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:29:19, 02/05/2006
+ Report-Checksum: AB48796E

+ Scan result:

HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID -> Adware.WebSearch : Error during cleaning


::Report End



When running the AVG scan on D:\ it's detecting a virus in D:\...\websites\...\downloads\Unlock exe\unlock.txt.exe

Warning: Hidden extension .exe

I can only close the bar down, not able to ignore, heal or move to vault.

Folder "\Unlock exe" does not appear to exist; looked with show all files and folders.

#6 pskelley
  • Staff Emeritus

Posted 02 May 2006 - 08:05 AM

Getting out of my area, so make sure you follow all backup instructions:

HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID -> Adware.WebSearch : Error during cleaning

Free registry cleaner
http://www.hoverdesk.net/freeware.htm

Backup Registry:
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

RegSeeker canned:
I recommend you download RegSeeker. Extract it to its own folder,
open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.

______________________________________________________________

Folder "\Unlock exe" doesn't appear to exist, looked with show all files and folders

I can not answer this one, could be a false positive but chances are if AVG is finding it, it is there. I have never seen this type of configuration before.
If you wish to ask a "peer to peer" question about that, you can do it here:
http://forum.grisoft.cz/freeforum/index.php?0

When running the AVG scan on D:\ it's detecting a virus in D:\...\websites\...\downloads\Unlock exe\unlock.txt.exe
Warning: Hidden extension .exe
I can only close the bar down, not able to ignore, heal or move to vault.


I suggest you set the drive so you can view all hidden files and folders, this should be it:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

D:\...\websites\...\downloads\Unlock exe\unlock.txt.exe
Strange pathway?

Make sure the recycle bin on this drive has not been bypassed:
Let's check your recycle bin to make sure it has not been bypassed. RIGHT click on it and choose properties. It should, by default, be set to "Use one setting for all drives".
Make sure the box "Do not move files to the Recycle Bin. Remove files immediately when deleted" IS NOT CHECKED. Make sure you have space for deleted items, I keep my bin set at 5%. Now when we delete the file or folder, it will be moved to the bin and can be restored IF we make a mistake and need it back. I hope this helps.

Delete the folder I have highlighted in red. You may need to do this in safe mode?
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Then verify you were successful. Clear the recycle bin after a few days once you are sure that folder/file was not needed.

Thanks...
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
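The "Hidden extension .exe" warning in the post above is the double-extension trick: with "Hide file extensions for known file types" enabled, Explorer shows unlock.txt.exe as unlock.txt. The following is an added example, not code from the thread or from AVG; it walks a directory tree and reports files whose real (last) extension is executable while an earlier extension makes the name look like a document. The sample tree it builds is constructed for the example and only mirrors the thread's elided path in shape.

```python
"""Find files whose visible name hides an executable extension.

Added example, not from the BleepingComputer thread. The extension
sets below are the author's choice, not a Windows list.
"""
import os
import tempfile

# Last extensions Windows will run directly (a subset of PATHEXT plus
# common script/installer types).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".msi", ".hta"}
# Earlier extensions that make a name look like a harmless document.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".zip",
              ".htm", ".html", ".mp3"}


def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with known extensions hidden:
    only the last suffix is dropped, so 'unlock.txt.exe' -> 'unlock.txt'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def is_double_extension(name: str) -> bool:
    """True when the real extension is executable and the one before it
    is a decoy document/media extension."""
    stem, real_ext = os.path.splitext(name)
    _, decoy_ext = os.path.splitext(stem)
    return (real_ext.lower() in EXECUTABLE_EXTS
            and decoy_ext.lower() in DECOY_EXTS)


def find_disguised_executables(root: str) -> list:
    """Walk root and return sorted paths of double-extension executables."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_double_extension(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree (not the poster's D: drive) in a temp dir."""
    root = tempfile.mkdtemp(prefix="dblext_")
    for rel in ("websites/downloads/Unlock exe/unlock.txt.exe",
                "websites/downloads/readme.txt",
                "websites/downloads/setup.exe",
                "websites/photos/holiday.jpg.scr"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample bytes, not a real executable")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_disguised_executables(sample_root):
        shown = explorer_display_name(os.path.basename(hit))
        print(f"{hit}\n    Explorer would show it as: {shown}")
```

Run it on a real download folder by passing that folder to find_disguised_executables instead of the constructed tree; a plain setup.exe or readme.txt is not reported, only names that carry a decoy extension in front of a runnable one.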

#7 the doomed

the doomed
  • Topic Starter

  • Members
  • 52 posts

Posted 04 May 2006 - 04:48 PM

Have sorted the AVG problem. Just deleted folder, didn't need it.

Ewido is still giving me the same error. Any further ideas?

#8 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 06 May 2006 - 09:52 AM

Sorry, I did not get the notification when you posted. You said this:

Ewido is still giving me the same error. Any further ideas?

and that is why I gave you the registry cleaner, since that item is in the registry, either use the cleaner following the instructions for safety, or ignore the ewido item, I doubt it is more than a dead registry line.

Thanks

#9 the doomed

the doomed
  • Topic Starter

  • Members
  • 52 posts

Posted 06 May 2006 - 12:04 PM

Thank you. Yeah, used reg cleaner and never fixed it.


Would like to express my thanks to you and all those who have helped throughout. Cheers

#10 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 06 May 2006 - 12:09 PM

You are certainly welcome. I believe the reason you backup before using the cleaner is that you have to locate the registry entry: HKLM\SYSTEM\ControlSet002\Enum\BTHENUM\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID
and delete it manually. The backup being there in the event you make an error.

Safe surfing :thumbsup:
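Before deleting the key by hand, as suggested above, it helps to know what the path actually names. The following is an added example, not code from the thread or from ewido; it decodes a path of the form HKLM\SYSTEM\ControlSetNNN\Enum\BTHENUM\{uuid}_VID&...\instance\\value into its parts. The Bluetooth base UUID and the short service-class table are Bluetooth SIG assignments; which ControlSet is live is decided by HKLM\SYSTEM\Select\Current, and because this runs offline the caller supplies that number (select_current=1 in the usage is an assumption, not a value read from the poster's machine). The sample path is the one from the scan report; no registry is touched.

```python
"""Decode a Windows Bluetooth enumerator (BTHENUM) registry path.

Added example, not from the BleepingComputer thread. Pure string parsing;
it performs no registry access.
"""
import re

# Every SIG-assigned 16-bit UUID is the short value followed by this tail.
BT_BASE_UUID_TAIL = "-0000-1000-8000-00805f9b34fb"
# A few Bluetooth SIG service-class UUIDs (16-bit form).
SERVICE_CLASSES = {
    0x1101: "SerialPort",
    0x1103: "DialupNetworking",
    0x1105: "OBEXObjectPush",
    0x1106: "OBEXFileTransfer",
    0x1108: "Headset",
    0x110B: "AudioSink",
    0x1124: "HumanInterfaceDevice",
}

# hive\SYSTEM\ControlSetNNN\Enum\<enumerator>\<device id>\<instance id>\\<value>
# (ewido separates the value name with a double backslash; a single one is
# accepted too).
PATH_RE = re.compile(
    r"^(?P<hive>HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\"
    r"(?:ControlSet(?P<csnum>\d{3})|CurrentControlSet)\\Enum\\"
    r"(?P<enum>[^\\]+)\\(?P<devid>[^\\]+)\\(?P<inst>[^\\]+)"
    r"(?:\\\\?(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
DEVID_RE = re.compile(
    r"^\{(?P<uuid>[0-9a-f-]{36})\}_VID&(?P<vid>[0-9a-f]+)_PID&(?P<pid>[0-9a-f]+)$",
    re.IGNORECASE,
)
# A remote Bluetooth address appears as 12 hex digits in the instance id.
BT_ADDR_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{12})(?![0-9a-f])", re.IGNORECASE)

SAMPLE_PATH = (
    r"HKLM\SYSTEM\ControlSet002\Enum\BTHENUM"
    r"\{00001103-0000-1000-8000-00805f9b34fb}_VID&00010001_PID&1856"
    r"\7&f009a2&0&000EED59C7DE_C00000001\\ClassGUID"
)


def service_class_name(uuid: str):
    """Map a 128-bit UUID to its SIG short name, or None if vendor-specific."""
    u = uuid.lower()
    if not u.endswith(BT_BASE_UUID_TAIL):
        return None
    short = int(u[:8], 16)
    return SERVICE_CLASSES.get(short, f"0x{short:04X}")


def decode_enum_path(path: str) -> dict:
    """Split an Enum path; add Bluetooth fields when the enumerator is BTHENUM."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError("not a HKLM\\SYSTEM\\...\\Enum path: " + path)
    info = {
        "control_set": int(m["csnum"]) if m["csnum"] else None,  # None = CurrentControlSet
        "enumerator": m["enum"].upper(),
        "device_id": m["devid"],
        "instance_id": m["inst"],
        "value_name": m["value"],
    }
    if info["enumerator"] == "BTHENUM":
        d = DEVID_RE.match(m["devid"])
        if d:
            info["service_uuid"] = d["uuid"].lower()
            info["service_class"] = service_class_name(d["uuid"])
            info["vendor_id"] = d["vid"]
            info["product_id"] = d["pid"]
        a = BT_ADDR_RE.search(m["inst"])
        if a:
            hx = a.group(1).upper()
            info["bt_address"] = ":".join(hx[i:i + 2] for i in range(0, 12, 2))
    return info


def is_live_control_set(control_set, select_current: int) -> bool:
    """True if the path's ControlSet is the one HKLM\\SYSTEM\\Select\\Current points at."""
    return control_set is None or control_set == select_current


if __name__ == "__main__":
    decoded = decode_enum_path(SAMPLE_PATH)
    for key, val in decoded.items():
        print(f"{key:13}: {val}")
    # Assumption for the demo: Select\Current = 1 on the machine in question.
    print("live control set:", is_live_control_set(decoded["control_set"], select_current=1))
```

Reading the decoded fields tells you the entry is a device-enumeration record for a Bluetooth dial-up networking service of a paired device, sitting in ControlSet002; whether that control set is the running one is something to check under HKLM\SYSTEM\Select on the affected machine before deciding the line is dead.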
