Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Normal Search Page Is Hijacked.


  • This topic is locked This topic is locked
16 replies to this topic

#1 charleyj

charleyj

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 01 October 2006 - 05:50 PM

Problem:
when i type in a wrong domain name, instead of getting a 404 error page or Normal search page , it opens some very strange search page gives all porn site information; i will get some very scummy search page.[size=2]

Here is the log description after running Hijack This.

Logfile of HijackThis v1.99.1
Scan saved at 8:49:02 AM, on 10/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\odbc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Regards

charleyj

Edited by charleyj, 02 October 2006 - 04:24 PM.


BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 02 October 2006 - 09:12 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 03 October 2006 - 04:13 AM

Hello Sam

Thanks for your reply..
I did what you told in last message. here is the log after running Fixwareout

------------------------------------------------------------------
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

Misc files.

Checking for older varients covered by the Rem3 tool.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 03 October 2006 - 08:39 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93


===========================


Now lets check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)



============================


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

Edited by Buckeye_Sam, 03 October 2006 - 08:40 AM.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 04 October 2006 - 07:18 AM

Hi Sam

here is the log from AVG.
---------------------------------------------------------------------------
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:58:01 PM 10/04/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\Documents and Settings\JAPU\Cookies\japu@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\JAPU\Cookies\japu@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
C:\WINDOWS\system32\odbc.exe -> Trojan.Agent.ye : Cleaned.


::Report end
---------------------------------------------------------------------------------------------

log from Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:55 PM, on 10/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Please assist me futher.

thanks
charleyj

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 04 October 2006 - 08:10 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93



Reboot your computer.



Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 October 2006 - 07:18 AM

P  K  &Text   L  K L &OEM Text GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-05 22:08:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT 82BB0168 ZwCreateKey
SSDT 82AE9100 ZwCreateProcess
SSDT 82AE9088 ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT 82BE7190 ZwDeleteKey
SSDT 82B08580 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT 82BE6F30 ZwQueueApcThread
SSDT 82BE6DC8 ZwReadVirtualMemory
SSDT 82A960C8 ZwRenameKey
SSDT 82BE6020 ZwSetContextThread
SSDT 82AC04B0 ZwSetInformationKey
SSDT 82B5C298 ZwSetInformationProcess
SSDT 82B5C0B8 ZwSetInformationThread
SSDT 82B085F8 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT 82B5C220 ZwSuspendProcess
SSDT 82BE6FA8 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 82B5C130 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F78D0220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 828B4598
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F78D0480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 828B4718
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 828B47D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 828B4898
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 828B4958
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 828B4A18
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 828B4AE8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 828B4DA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 828B52E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 828B53B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 828B5470
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 828B70F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F78D05A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F78D05D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 828B7330
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 828B73F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 828B7618
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 828B76D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 828B7798
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 828B79D0
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 828B7A90
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 828B7B50
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 828B7C18
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 828B7CD8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 828B7D98
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 828B8130
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F78D0220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 828B4598
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F78D0480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 828B4718
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 828B47D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 828B4898
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 828B4958
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 828B4A18
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 828B4AE8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 828B4DA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 828B52E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 828B53B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 828B5470
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 828B70F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F78D05A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78D05D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 828B7330
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 828B73F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 828B7618
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 828B76D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 828B7798
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 828B79D0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 828B7A90
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 828B7B50
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 828B7C18
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 828B7CD8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 828B7D98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 828B8130
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F78D0220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 828B4598
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F78D0480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 828B4718
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 828B47D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 828B4898
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 828B4958
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 828B4A18
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 828B4AE8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 828B4DA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 828B52E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 828B53B0
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 828B5470
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 828B70F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F78D05A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78D05D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 828B7330
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 828B73F0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 828B7618
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 828B76D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 828B7798
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 828B79D0
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 828B7A90
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 828B7B50
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 828B7C18
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 828B7CD8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 828B7D98
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 828B8130
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F78D0220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 828B4598
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F78D0480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 828B4718
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 828B47D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 828B4898
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 828B4958
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 828B4A18
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 828B4AE8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 828B4DA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 828B52E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 828B53B0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 828B5470
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 828B70F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F78D05A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78D05D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 828B7330
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 828B73F0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 828B7618
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 828B76D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 828B7798
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 828B79D0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 828B7A90
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 828B7B50
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 828B7C18
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 828B7CD8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 828B7D98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 828B8130
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F78D0220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 828B4598
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F78D0480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 828B4718
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 828B47D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 828B4898
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 828B4958
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 828B4A18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 828B4AE8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 828B4DA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 828B52E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 828B53B0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 828B5470
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 828B70F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F78D05A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F78D05D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 828B7330
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 828B73F0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 828B7618
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 828B76D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 828B7798
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 828B79D0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 828B7A90
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 828B7B50
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 828B7C18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 828B7CD8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 828B7D98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 828B8130

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----



----------------------------------------------------------------------------------------------------------
Hijackthis
Log before running

Logfile of HijackThis v1.99.1
Scan saved at 9:19:28 PM, on 10/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

---------------------------------------------------------------------------------------------------------------------

Hijack this log after rebuting computer and after running GMER.exe


Logfile of HijackThis v1.99.1
Scan saved at 10:14:32 PM, on 10/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\JAPU\Desktop\gmer\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 05 October 2006 - 05:32 PM

Please click Start -> Run and type these commands hitting enter after each one.

ipconfig /flushdns

ipconfig /release

ipconfig /renew



Who is your ISP?

Post a new hijackthis log after running those commands.

Edited by Buckeye_Sam, 05 October 2006 - 05:33 PM.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 06 October 2006 - 07:53 AM

Hi Sam

My ISP is AAPT, Australia

log is as follows:

-------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:49:06 PM, on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 06 October 2006 - 03:47 PM

Let's see if we can figure where the problem is.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
Is the radio dial that says Obtain DNS Servers Automatically selected?
Clear out any numbers that are in the two boxes below that.

Does your ISP require certain DNS settings?

I did find some info on what I think is your ISP, but you'll want to confirm that.

http://www.aapt.net.au/network_setting.php
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 07 October 2006 - 02:08 AM

Hello Sam

I donot need to set up any DNS access ISP.

There is no entry for the Obtain DNS Servers Automatically .


regards
Charleyj

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 07 October 2006 - 02:20 PM

You don't have a setting for "Obtain DNS Servers Automatically" ?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 07 October 2006 - 07:50 PM

I do have that setting, but there is no entry for this settings. means no any phisical numbers are enter in this section.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:43 PM

Posted 08 October 2006 - 08:03 AM

Is the radio dial that says Obtain DNS Servers Automatically selected?


Fix these lines with Hijackthis.

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93




Click Start -> Run -> cmd
Press: Enter after the above, and after every command below:
At the prompt, type in: cd\
At C:\> type in:

ipconfig /flushdns

Click: OK


Reboot your computer and post a new hijackthis log.
How is your computer running now? Are you having any problems with redirects?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 charleyj

charleyj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 09 October 2006 - 08:13 AM

Hello Sam,
i did what you say.. but that two entries 017 appearing again and again.

see log below--------------------------------------
-------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:03:05 PM, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\JAPU\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150288557953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152088898359
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF19026-CC9B-4215-A008-C3EE7BAECBDF}: NameServer = 85.255.116.108 85.255.112.93
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users