|
| ||
| IE7 Browser Redirects One of my kids was surfing with my notebook and apparently picked up something. Now, whenever a link is followed, about 75% of the time it is redirected. I have also seen redirects from Favorites shortcuts. I ran a NAV scan and came up with nothing. Any ideas? (HJT Log is attached). Logfile of HijackThis v1.99.1 Scan saved at 10:22:05 PM, on 3/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Nhksrv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\ISS\Proventia Desktop\blackd.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\ISS\Proventia Desktop\RapApp.exe C:\WINDOWS\system32\srvany.exe C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE C:\Program Files\ISS\Proventia Desktop\vpatch.exe C:\WINDOWS\UMCSTUB.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\MMKeybd.exe C:\WINDOWS\system32\pctspk.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~2\VPTray.exe C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe C:\SxpInst\sxplog32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\ISS\Proventia Desktop\blackice.exe C:\Program Files\Juniper Networks\Network Connect 5.0.0\dsNetworkConnect.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\206039814\Desktop\Hijack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...cid={SUB_CLCID} O1 - Hosts: 3.152.141.6 tvstx-a O1 - Hosts: 3.152.141.7 tvstx-b O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: Proventia Desktop Agent.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://nbcuniversal.ge.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://anywhereny.nbcuni.com/dana-c...terisSetup.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160412231055 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\Software\..\Telephony: DomainName = nbcuni.ge.com O17 - HKLM\System\CCS\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{9A96AF04-6130-4986-AA6C-11CA630B40CD}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA07A99-1A45-48CA-AC97-1AE1302944E1}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE15F91-024E-409F-90C3-75646524EDC2}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: DST2K7_Agent - Unknown owner - C:\WINDOWS\system32\srvany.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe O23 - Service: SafeBootAgent - Unknown owner - C:\WINDOWS\system32\srvany.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe |
| ||
| Re: IE7 Browser Redirects oh dear. there is a risk that you have been well n truly backdoored. i don't have time to help you just now, but don't use this notebook online until someone helps you fix it. It is NOT secure!! you should change your bank passwords, email pw's, the lot, after this. [who do you know lives at Solomenskaya street. room 201, kiev, ukraine?] |
| ||
| Re: IE7 Browser Redirects Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe http://swandog46.geekstogo.com/Fixwareout.exe Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log please. |
| ||
| Re: IE7 Browser Redirects Fixwareout Last edited 2/11/2007 Post this report in the forums please ... »»»»»Prerun check HKLM\SOFTWARE\~\Winlogon\ "System"="kdtda.exe" »»»»» System restarted »»»»» Postrun check HKLM\SOFTWARE\~\Winlogon\ "system"="" .... .... »»»»» Misc files. .... »»»»» Checking for older varients. .... Search five digit cs, dm, kd, jb, other, files. The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection. Click browse, find the file then click submit. http://www.virustotal.com/flash/index_en.html Or http://virusscan.jotti.org/ »»»»» Other C:\WINDOWS\Temp\kdtda.ren 63968 08/04/2004 »»»»» Current runs [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellTouch"="C:\\WINDOWS\\MMKeybd.exe" "ATIModeChange"="Ati2mdxx.exe" "PCTVOICE"="pctspk.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\ 73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\ 00 "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe" "Sxplog"="C:\\SxpInst\\sxpstub.exe" "SDJobCheck"="triggusr.exe" "AS00_Gear511"="C:\\Program Files\\NETGEAR\\WG511SCU\\Utility\\Gear511.exe -hide" "CA-AMAgent"="C:\\Program Files\\CA\\Unicenter Asset Management\\Agents\\amagent.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1" .... Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»» Logfile of HijackThis v1.99.1 Scan saved at 10:26:01 PM, on 3/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Nhksrv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\ISS\Proventia Desktop\blackd.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\ISS\Proventia Desktop\RapApp.exe C:\WINDOWS\system32\srvany.exe C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\ISS\Proventia Desktop\vpatch.exe C:\WINDOWS\UMCSTUB.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\CA\Unicenter Asset Management\Agents\cam.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\MMKeybd.exe C:\WINDOWS\system32\pctspk.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~2\VPTray.exe C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe C:\Program Files\QuickTime\qttask.exe C:\SxpInst\sxplog32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\ISS\Proventia Desktop\blackice.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\206039814\Desktop\Hijack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...cid={SUB_CLCID} O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: Proventia Desktop Agent.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://nbcuniversal.ge.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://anywhereny.nbcuni.com/dana-c...terisSetup.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160412231055 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\Software\..\Telephony: DomainName = nbcuni.ge.com O17 - HKLM\System\CCS\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{9A96AF04-6130-4986-AA6C-11CA630B40CD}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE15F91-024E-409F-90C3-75646524EDC2}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nbcuni.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nbcuni.ge.com,nbc.com,udh.unistudios.com,e2k.ad.ge.com,ge.com,nbcnews.nbc.com,emea.sclnet.com,cnbceurope.com,nbcad.nbc.ge.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: DST2K7_Agent - Unknown owner - C:\WINDOWS\system32\srvany.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe O23 - Service: SafeBootAgent - Unknown owner - C:\WINDOWS\system32\srvany.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe |
| ||
| Re: IE7 Browser Redirects Can you please do the following. =============== Scan with HijackThis and then place a check next to all the following, if present: O4 - Global Startup: Proventia Desktop Agent.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present ...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - O17 - HKLM\System\CCS\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{9A96AF04-6130-4986-AA6C-11CA630B40CD}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE15F91-024E-409F-90C3-75646524EDC2}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS1\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 O17 - HKLM\System\CS2\Services\Tcpip\..\{05461889-57E1-4C9C-A94E-A769085F4989}: NameServer = 85.255.113.146,85.255.112.66 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66 Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked". =============== To help protect your system from hostile ActiveX content, or special 'downloadable' files: Download, install and keep updated, SpywareBlaster. If you've installed it for the first time: 1) Check for any available updates; if present, they'll be automatically downloaded and installed. 2) Next, "Enable all protection". 3) Exit the program. - Note: Remember to regularly check for updates. =============== After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now. |
| All times are GMT -4. The time now is 4:54 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC