
Browser Is Redirected To Fake Sites


19 replies to this topic

#1 Geronimo


Posted 24 August 2006 - 03:08 PM

Hello,

I have a problem that keeps getting worse. When I try to access some websites like hotmail I am redirected to fake hotmail sites. The address still says www.hotmail.com, but it obviously isn't. It is also starting to distort other webpages. More and more sites are being taken over by it, even though some are not affected at all.

I went through all of the prep stages. Ad-Aware found a few tracking cookies. Spybot didn't find anything. Panda found the same things that Ad-Aware found, so they are obviously sticking around. BitDefender didn't find anything. When I tried to run McAfee Stinger I was redirected to another fake site, www.Nai.com.

Please help!!!

Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:53:06 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ESPNJavaUtilsCab - http://espn.go.com/livedraft/ESPNJavaUtils.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Benchmark.local
O17 - HKLM\Software\..\Telephony: DomainName = Benchmark.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{93955E1A-3EF0-4E0A-B6E6-C6FEAD96C663}: NameServer = 12.127.16.69,12.10.250.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Benchmark.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = benchmark.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = benchmark.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 OldTimer

    Malware Expert


Posted 03 September 2006 - 03:17 PM

Hello Geronimo and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Can you give me some examples of the sites you are trying to get to and what you are actually sent to? For the 2 examples given I do not see a problem. If you go to www.hotmail.com you should end up at their login.live.com site to login to hotmail. That is normal. For stinger, you should be going to the nai site. Nai (Network Associates, Inc) and McAfee are the same thing. I don't see any problems there.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Geronimo


Posted 06 September 2006 - 09:03 AM

Hi Old Timer,

Well, there definitely is a problem. When I try to go to hotmail I am redirected to a site with the hotmail address, but it is for directNIC with lots of strange advertising links. No hotmail to be found. After leaving my computer off for a few days it seemed to be better. It would go to the login page, but would not let me log on, saying that this page was not part of the Microsoft Passport Network. There are other problems as well. When I click on news stories on Yahoo I get redirected to a directNIC page with a url of http://l.yimg.com/. The formatting on news sites like cnn.com and nytimes.net is messed up as well. I can still get the work done that I need, but this seems to be growing. Any ideas?

#4 OldTimer

    Malware Expert


Posted 06 September 2006 - 03:28 PM

Hi Geronimo. I'm not sure about the directNIC. It is simply a domain registrar and it could be from a link on the HotMail page. The http://l.yimg.com/ is where Yahoo stores their image files, so it would be a part of any Yahoo page.

I think maybe the DNS cache is corrupted. Let's flush it and see what happens.

Click Start->Run, type cmd into the editbox and click Ok. Enter the following command into the command prompt window: ipconfig /flushdns (there is a space between the ipconfig and the /flushdns parameter) and then press the Enter key.

You should get a confirmation that the cache was flushed. Now close the command prompt window and try connecting to any of the problem sites again.

Cheers.

OT

Edited by OldTimer, 06 September 2006 - 03:31 PM.

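Flushing the resolver cache, as OldTimer suggests above, clears stale answers, but two other places on the machine can also send a browser to the wrong server for a correct-looking name: the hosts file (which the WinPFind run later in this thread dumps) and the resolver addresses in the O17 lines of the HijackThis log. The script below is an added example written for this thread, not OldTimer's tool or anything Geronimo posted. It parses a hosts file and flags names that are mapped to anything other than a loopback or unspecified address, and it pulls the name servers out of an O17 line so they can be compared with the resolvers you expect. The two www.hotmail.com / login.live.com entries and the 203.0.113.45 address in the sample are constructed for the example; the stock XP hosts file text and the O17 line are the ones shown in the thread.

```python
"""Audit a Windows hosts file and HijackThis O17 resolver entries for
signs of redirection. Added example for this thread; not a BleepingComputer tool."""
import ipaddress
import re

# Constructed sample: the stock Windows XP hosts file quoted in the WinPFind
# output above (WinPFind's trailing " -" markers dropped), plus two entries
# constructed to show what a poisoned file looks like.
SAMPLE_HOSTS = """\
# Copyright 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1       localhost
127.0.0.1       intranet.benchmark.local   # constructed: harmless local alias
203.0.113.45    www.hotmail.com            # constructed: overrides a public site
203.0.113.45    login.live.com             # constructed
"""

# The O17 line from Geronimo's HijackThis log, verbatim.
SAMPLE_O17 = (r"O17 - HKLM\System\CCS\Services\Tcpip\..\{93955E1A-3EF0-4E0A-B6E6-C6FEAD96C663}: "
              "NameServer = 12.127.16.69,12.10.250.111")


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are skipped.
    A line may list several names for one address, so each name gets its own pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Return (address, hostname, reason) for entries that redirect rather than block.
    Loopback (127.x, ::1) and unspecified (0.0.0.0) targets only blackhole a name, so
    they are left alone; anything else sends the name to a real server and is flagged."""
    flagged = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            flagged.append((addr_text, name, "unparseable address field"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((addr_text, name, "name mapped to a non-loopback address"))
    return flagged


def parse_o17_nameservers(line):
    """Extract the resolver addresses from a HijackThis 'O17 ... NameServer = a,b' line."""
    match = re.search(r"NameServer\s*=\s*(.+)$", line)
    if not match:
        return []
    servers = []
    for token in re.split(r"[,\s]+", match.group(1).strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # ignore anything that is not an address
    return servers


def unexpected_name_servers(configured, expected):
    """Resolvers present on the machine that are not in the list you expect
    (the ISP's or the domain's DNS); an empty result means nothing to explain."""
    return sorted(set(configured) - set(expected))


if __name__ == "__main__":
    for addr, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {addr}: {reason}")
    found = parse_o17_nameservers(SAMPLE_O17)
    # Expected resolvers here are assumed to be the pair in the log itself.
    print("unexpected resolvers:", unexpected_name_servers(found, found))
```

Run against a real machine by reading C:\WINDOWS\System32\drivers\etc\hosts instead of SAMPLE_HOSTS and by feeding the O17 lines of a log; the "expected" resolver list has to come from whoever runs the network, since the script cannot know which DNS servers are legitimate on its own.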


#5 Geronimo


Posted 06 September 2006 - 03:41 PM

Hi OldTimer,

I flushed the DNS cache, but no change. Now, some pages are loading, but in every place where there would be an ad or a photo it is bright yellow and says Click Here Now!

#6 OldTimer

    Malware Expert


Posted 06 September 2006 - 04:59 PM

Hmm. Sounds pretty wild. Let's try this.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • In the File Options box click the checkbox in the Show All column for Hosts File and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT


#7 Geronimo


Posted 06 September 2006 - 05:10 PM

Hey OT,

Here is the log file.

Thanks for taking a look.

Logfile created on: 09/06/2006 16:07
WinPFind2 by OldTimer - Version 1.0.8 Folder = C:\Documents and Settings\jmcdaniel\Desktop\winpfind2\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgcc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe - (GRISOFT, s.r.o. )
c:\program files\ca\etrust internet security suite\caissdt.exe - (Computer Associates International, Inc. )
c:\windows\system32\hkcmd.exe - (Intel Corporation )
c:\program files\hp\hpcoretech\hpcmpmgr.exe - (Hewlett-Packard Company )
c:\program files\hp\hp software update\hpwuschd2.exe - (Hewlett-Packard Co. )
c:\windows\system32\igfxtray.exe - (Intel Corporation )
c:\program files\ca\etrust internet security suite\etrust pestpatrol anti-spyware\ppactivedetection.exe - (Computer Associates )
c:\windows\soundman.exe - (Realtek Semiconductor Corp. )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs, LLC )
c:\documents and settings\jmcdaniel\desktop\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\zone labs\zonealarm\zlclient.exe - (Zone Labs, LLC )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.majorgeeks.com/
HKCU->Main\\Search Bar - http://search.msn.com/spbasic.htm
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->Search\\CustomizeSearch - Reg Data missing or invalid
HKCU->Search\\SearchAssistant - Reg Data missing or invalid
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ( )
{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[HKCU-> Internet Explorer CmdMapping]
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8196 - Uninstall BitDefender Online Scanner v8
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 -
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - 8195 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Reg Data missing or invalid
NextId - 8197

[HKLM-> Internet Explorer Extensions]
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))

[HKCU-> Internet Explorer Menu Extensions]
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

[HKLM-> Internet Explorer Plugins]
.spop - = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc. )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\System32\igfxpph.dll (Intel Corporation )
Folder - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> Registry Run Keys <<]
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->Run\\CaISSDT - "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" (Computer Associates International, Inc. )
HKLM->Run\\eTrustPPAP - "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" (Computer Associates )
HKLM->Run\\HotKeysCmds - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation )
HKLM->Run\\HP Component Manager - "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (Hewlett-Packard Company )
HKLM->Run\\HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co. )
HKLM->Run\\IgfxTray - C:\WINDOWS\System32\igfxtray.exe (Intel Corporation )
HKLM->Run\\SoundMan - SOUNDMAN.EXE (Realtek Semiconductor Corp. )
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )

[>> Startup Lnks <<]
HKCU->Startup - desktop.ini - C:\Documents and Settings\jmcdaniel\Start Menu\Programs\Startup\desktop.ini ( )

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
SV1 -

[>> AppInit DLLs <<]

[>> Image File Execution Options <<]
Your Image File Name Here without a path - Debugger = ntsd -d

[>> Shell Service Object Delay Load <<]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[>> Shell Execute Hooks <<]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[>> Shared Task Scheduler <<]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[>> Winlogon <<]
UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\igfxcui - igfxsrvc.dll (Intel Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\TPLogon - TPLogon.dll (File not found))
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{93955E1A-3EF0-4E0A-B6E6-C6FEAD96C663} - 12.127.16.69,12.10.250.111 (Intel® PRO/100 VE Network Connection)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company )
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
AVG7 Alert Manager Server (Avg7Alrt) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG7 Update Service (Avg7UpdSvc) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
TrueVector Internet Monitor (vsmon) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (Zone Labs, LLC ) [Automatic - Running - Win32, running in it's own process]

< Files >

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/15/2004 06:48 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\hpzinstall.log - ( [Ver = | Size = 771 bytes | Date = 03/24/2004 19:14 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\jmcdaniel\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/15/2004 06:48 | Attr = HS])
C:\Documents and Settings\jmcdaniel\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log - ( [Ver = | Size = 5278 bytes | Date = 05/12/2006 12:50 | Attr = ])

DPF files
{01111F00-3E00-11D2-8470-0060089874ED} - - CodeBase = http://www.microsoft.com/sdccommon/download/tgctlins.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} - LSSupCtl Class - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
{3451DEDE-631F-421C-8127-FD793AFC6CC8} - ActiveDataInfo Class - CodeBase = https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
{44990200-3C9D-426D-81DF-AAB636FA4345} - Symantec SmartIssue - CodeBase = https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
{44990301-3C9D-426D-81DF-AAB636FA4345} - Symantec Script Runner Class - CodeBase = https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
ESPNJavaUtilsCab - - CodeBase = http://espn.go.com/livedraft/ESPNJavaUtils.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 698 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a "#" symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
# -
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 5
Desktop\Components\0 -
Desktop\Components\0\\Source - file:///C:/DOCUME~1/JMCDAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
Desktop\Components\0\\SubscribedURL - file:///C:/DOCUME~1/JMCDAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
Desktop\Components\0\\FriendlyName -
Desktop\Components\0\\Flags - 1
Desktop\Components\0\\Position - 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 03 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 01 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 40
Desktop\Components\0\\RestoredStateInfo - DC FF AB 03 F3 99 83 7C 70 9A 80 7C FF FF FF FF 66 9A 80 7C 66 9A 80 7C
Desktop\Components\1 -
Desktop\Components\1\\Source - file:///C:/DOCUME~1/JMCDAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
Desktop\Components\1\\SubscribedURL - file:///C:/DOCUME~1/JMCDAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
Desktop\Components\1\\FriendlyName -
Desktop\Components\1\\Flags - 1
Desktop\Components\1\\Position - 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 03 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\1\\CurrentState - 01 00 00 40
Desktop\Components\1\\OriginalStateInfo - 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 40
Desktop\Components\1\\RestoredStateInfo - DC FF BD 03 F3 99 83 7C 70 9A 80 7C FF FF FF FF 66 9A 80 7C 66 9A 80 7C
Desktop\Components\2 -
Desktop\Components\2\\Source - About:Home
Desktop\Components\2\\SubscribedURL - About:Home
Desktop\Components\2\\FriendlyName - My Current Home Page
Desktop\Components\2\\Flags - 2
Desktop\Components\2\\Position - 2C 00 00 00 E6 00 00 00 00 00 00 00 9A 03 00 00 42 03 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\2\\CurrentState - 04 00 00 40
Desktop\Components\2\\OriginalStateInfo - 18 00 00 00 E6 00 00 00 00 00 00 00 9A 03 00 00 42 03 00 00 04 00 00 40
Desktop\Components\2\\RestoredStateInfo - 18 00 00 00 E6 00 00 00 00 00 00 00 9A 03 00 00 42 03 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - A9 7A BC 1E 94 90 C6 01
Desktop\General\\WallpaperLocalFileTime - A9 0A 22 D4 61 90 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 80 04 00 00 42 03 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 272
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 5
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\Components\\GeneralFlags - 4
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\explorer -
policies\explorer\\NoWelcomeScreen - 1
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:23 PM

Posted 06 September 2006 - 06:39 PM

Hi Geronimo. Ok, let's try this.

Download and install ATF Cleaner by Atribune. Do not run it yet.

Start WinPFind2 and then do the following.
  • In the AddOn Options box check the checkbox for HKCU_IEDesktop.def
  • Click on the Add On's tab
  • Click the Run Add On's button
  • Locate the following items and click the checkboxes in front of each one to select them:
    • Desktop\Components\0 -
    • Desktop\Components\1 -
  • Now click the Delete Items button.
  • Close WinPFind.
Start ATF Cleaner and do the following:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Ok. Reboot the machine and see how the websites act now.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#9 Geronimo

Geronimo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 07 September 2006 - 09:41 AM

Hey OT,

It is a little better, but there are definitely still some big problems. When I clicked on Hotmail I actually got the login page, which I haven't seen in a while. But it wouldn't let me log on. It said that the site was either experiencing problems or is not a member of the Microsoft Passport Network. Some of the news sites like Yahoo and NYTimes are cleaned up, but CNN is still a mess with all of those bright yellow Click Here Now! boxes all over it.
When I click on a story headline on cnn.com it takes me to the same directNIC page, but the URL is http://i.a.cnn.net/

????

Geronimo

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:23 PM

Posted 08 September 2006 - 03:45 PM

Hey Geronimo. Let's see what Ewido shows us.

First download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Cheers.

OT

#11 Geronimo

Geronimo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 08 September 2006 - 05:19 PM

Interesting.... It only found one infected item a "tribalfusion" tracking cookie. But, once that was removed the computer was acting much better. I still cannot log in to Hotmail, but I did get the log in page. And before it was removed I was redirected to the directNIC page. And, the news pages were all messed up with the bright yellow Click Here Now! boxes. Those are gone. That has been a pattern the last couple of days, though. You have me run a scan and something is removed... the computer is Ok for a bit and then it comes back. Something is hidden in there - Know anything about tribalfusion?

Here is the report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:07:11 PM 9/8/2006

+ Scan result:



C:\Documents and Settings\jmcdaniel\Cookies\jmcdaniel@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).


::Report end

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:23 PM

Posted 08 September 2006 - 06:42 PM

Yes that is interesting. I would have thought if things are better now that more would have shown up in the Ewido log.

TribalFusion is simply an advertising system for website owners, like Google's AdSense. It pays the owners for clicks done on ads on their web pages. There isn't anything malicious that I know of from it.

Do you still get an error when attempting to log into Hotmail? Is it the error regarding not being a Passport site? Other than that site, can you now log into other secure sites that you could not log into previously?

This is a longshot but let's look for a rootkit. I don't see anything else here that looks bad.

Download F-Secure Blacklight (blbeta.exe) to your C:\ drive.
- Open a command window. (Start>Run and type: cmd)
- Copy paste or type the following in the command window:

C:\blbeta.exe /expert

- Accept the user agreement.
- Click Scan.
After the scan finishes, click on Next, then Exit.

BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log.

Cheers.

OT

#13 Geronimo

Geronimo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 11 September 2006 - 09:52 AM

09/11/06 08:35:16 [Info]: BlackLight Engine 1.0.46 initialized
09/11/06 08:35:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/11/06 08:35:16 [Note]: 7019 4
09/11/06 08:35:16 [Note]: 7005 0
09/11/06 08:35:29 [Note]: 7006 0
09/11/06 08:35:29 [Note]: 7022 0
09/11/06 08:35:29 [Note]: 7011 1456
09/11/06 08:35:29 [Note]: 7026 0
09/11/06 08:35:29 [Note]: 7026 0
09/11/06 08:35:30 [Note]: FSRAW library version 1.7.1019
09/11/06 08:37:49 [Note]: 7007 0


It has changed since it first showed up a few weeks ago. First, when I clicked on hotmail it took me to a fake hotmail page. Now, it goes to the directNIC page

Another spyware moderator identified the first hotmail redirect as being linked to or modeled on these pages -
http://www.optinemail4u.com/search/i...il/hotmail.htm

http://www.cheapest-long-distance-ra...dy_profile.htm

The first time I tried hotmail this morning it gave the "not a member of the passport network" message. However, that page quickly was replaced by the directNIC page.

I have a Microsoft Outlook email account and that hasn't been affected, and I work on a secure site that hasn't been affected. As soon as this started though, I stopped going to my bank sites and things like that. So, I have really only noticed it when I have tried news sites and .gov sites. Then I either get the weird formatting of Click Here Now! in all photo and ad spaces or the redirect to directNIC.

You are now the second moderator who hasn't been able to find anything. Is it time just to send the computer in for a reformat?

Thanks,
Geronimo

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:23 PM

Posted 11 September 2006 - 05:25 PM

Hi Geronimo. Well, I'm not totally convinced that the problem is on this computer. Let's try a couple of things.

Open your browser and put this IP into the address bar (it's the IP for Hotmail): 216.74.180.189. Where do you go to? Hotmail or the DirectNic site?

Let's also try this. Copy/paste the information in the quotebox below into a new Notepad document and save it on your desktop as iptest.bat. Once saved, double-click on the iptest.bat file and when it is finished copy/paste the information in the c:\iptest.txt file back here so I can review it.

ipconfig /all>>c:\iptest.txt
ping www.hotmail.com>>c:\iptest.txt
ping 216.74.180.189>>c:\iptest.txt
tracert www.hotmail.com>>c:\iptest.txt
tracert 216.74.180.189>>c:\iptest.txt


Cheers.

OT

#15 Geronimo

Geronimo
  • Topic Starter

  • Members
  • 10 posts
  •  
  • Local time:07:23 PM

Posted 12 September 2006 - 11:03 AM

Hi OT,

When I entered the hotmail IP address it took me to the Hotmail login page, but when I tried to log in I got the normal message:

The Microsoft Passport Network is unavailable from this site for one of the following reasons:

This site may be experiencing a problem.
The site may not be a member of the Passport Network.

That has happened before when I turned on the computer in the morning, but soon after it starts sending me to the directNIC site.

Here are the results of the test.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Mathew
Primary Dns Suffix . . . . . . . : Benchmark.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Benchmark.local

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-0C-F1-C2-74-61
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 12.10.250.21
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 12.10.250.1
DNS Servers . . . . . . . . . . . : 12.127.16.69
                                    12.10.250.111

Pinging www,hotmail.com.benchmark.local [204.251.15.175] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 204.251.15.175:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging 216.74.180.189 with 32 bytes of data:

Reply from 216.74.180.189: bytes=32 time=92ms TTL=52
Reply from 216.74.180.189: bytes=32 time=86ms TTL=52
Reply from 216.74.180.189: bytes=32 time=86ms TTL=52
Reply from 216.74.180.189: bytes=32 time=86ms TTL=52

Ping statistics for 216.74.180.189:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 86ms, Maximum = 92ms, Average = 87ms

Tracing route to www.hotmail.aate.nsatc.net [208.172.48.254]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  12.10.250.1
  2    35 ms    34 ms    29 ms  12.117.164.209
  3    49 ms    50 ms    50 ms  tbr2012701.phmaz.ip.att.net [12.123.206.30]
  4    50 ms    54 ms    50 ms  tbr2-cl1592.dlstx.ip.att.net [12.122.10.81]
  5    49 ms    49 ms    48 ms  ggr3-ge90.dlstx.ip.att.net [12.123.16.197]
  6    48 ms    48 ms    48 ms  br2-a3120s5.dlstx.ip.att.net [192.205.33.134]
  7    48 ms    49 ms    57 ms  dcr1-so-3-0-0.dallas.savvis.net [204.70.193.14]
  8    49 ms    75 ms    70 ms  dcr2-so-6-0-0.dallas.savvis.net [204.70.192.50]
  9    96 ms   146 ms    76 ms  dcr2-so-7-0-0.Chicago.savvis.net [204.70.192.97]
 10    94 ms    96 ms    96 ms  acr2-so-4-0-0.Boston.savvis.net [204.70.193.181]
 11    97 ms    94 ms    94 ms  208.172.48.254

Trace complete.

Tracing route to 216.74.180.189 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  12.10.250.1
  2    29 ms    29 ms    29 ms  12.117.164.209
  3    49 ms    49 ms    49 ms  tbr2012701.phmaz.ip.att.net [12.123.206.30]
  4    49 ms    62 ms    49 ms  tbr2-cl1592.dlstx.ip.att.net [12.122.10.81]
  5    62 ms    48 ms    48 ms  ggr3-ge110.dlstx.ip.att.net [12.123.16.205]
  6    48 ms    48 ms    48 ms  bcr2-so-6-0-0.Dallas.savvis.net [208.172.139.225]
  7    48 ms    48 ms    51 ms  dcr1-so-3-0-0.dallas.savvis.net [204.70.193.14]
  8   131 ms    69 ms    71 ms  dcr2-so-6-0-0.Atlanta.savvis.net [204.70.192.69]
  9    97 ms    80 ms   137 ms  bcs2-so-1-1-0.Washington.savvis.net [204.70.192.58]
 10    89 ms    89 ms   129 ms  bcs1-so-7-0-0.Washington.savvis.net [204.70.192.33]
 11    85 ms    89 ms    89 ms  ahr1-pos-10-0.Weehawkennj2.savvis.net [206.24.238.230]
 12    87 ms    85 ms    87 ms  216.74.180.189

Trace complete.


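The ping/tracert test OldTimer asked for in #14 and the output Geronimo posted in #15 are really a resolver check: the ping line shows the mistyped name www,hotmail.com got the Benchmark.local search suffix appended and still resolved to 204.251.15.175, while tracert resolved www.hotmail.com itself to 208.172.48.254. The script below is an added example (not code from the thread or from either poster) that asks each configured resolver directly for the exact FQDN, bypassing the client's suffix list and the hosts file, and reports any resolver whose answer disagrees with the others. The two resolver addresses come from the ipconfig output above; the outside reference resolver (8.8.8.8) is an assumption, and the sample reply used for offline testing is constructed, not a capture.

```python
"""Added example: query several DNS resolvers directly for the A records of one
exact FQDN and flag the resolver whose answer differs. Standard library only."""
import random
import socket
import struct
from collections import Counter

# Resolvers taken from the ipconfig output in the thread, plus an assumed
# outside reference resolver (assumption, not from the thread; pick one you trust).
THREAD_RESOLVERS = ["12.127.16.69", "12.10.250.111"]
REFERENCE_RESOLVER = "8.8.8.8"


def build_query(name: str, txid: int) -> bytes:
    """Build a one-question A/IN query. The name goes on the wire exactly as
    given, so no search suffix such as benchmark.local can be appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes, expected_txid: int):
    """Return (rcode, sorted A-record IPs). A reply whose ID does not match the
    query is rejected; that is the minimal defence against a spoofed answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(ips)


def query_resolver(resolver: str, name: str, timeout: float = 3.0):
    """Send one UDP query to a single resolver and parse its answer."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return parse_a_records(reply, txid)


def outliers(answers_by_resolver: dict) -> list:
    """Resolvers whose answer set differs from the most common answer set.
    A resolver that alone returns a different address is the one to suspect."""
    tally = Counter(tuple(a) for a in answers_by_resolver.values())
    majority = tally.most_common(1)[0][0]
    return sorted(r for r, a in answers_by_resolver.items() if tuple(a) != majority)


# Constructed reply (not a real capture) so the parser can be exercised offline:
# two A records for www.hotmail.com, each name a pointer back to the question.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07hotmail\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("216.74.180.189")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("208.172.48.254")
)

if __name__ == "__main__":
    name = "www.hotmail.com"
    results = {}
    for r in THREAD_RESOLVERS + [REFERENCE_RESOLVER]:
        try:
            results[r] = query_resolver(r, name)[1]
        except (OSError, ValueError) as e:
            results[r] = [f"error: {e}"]
        print(f"{r:>15}  {results[r]}")
    print("suspect resolvers:", outliers(results))
```

If only one of the two configured resolvers disagrees with the reference, the redirect lives in that resolver (or in something answering on its behalf on the network), not on the PC, which is the direction OldTimer's "not totally convinced the problem is on this computer" points. If all three agree and the browser still lands on the parking page, look at the browser's proxy settings and the hosts file instead.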
