IE Explorer/Search Engine problems! (fake/redirect search results;dysfunctional sites
#1 Mar 14th, 2008
Can someone review my log and advise what files I would need to delete?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:10 PM, on 3/13/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\sttray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Users\Barry Grimmell\AppData\Local\Temp\Temp1_hijackthis.zip\HijackThis.exe
C:\Users\Barry Grimmell\AppData\Local\Temp\Temp2_hijackthis.zip\HijackThis.exe
C:\Users\Barry Grimmell\AppData\Local\Temp\Temp3_hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Barry Grimmell\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dmdvv.exe] C:\Windows\system32\dmdvv.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [dmobx.tmp] C:\Windows\system32\dmobx.tmp
O4 - HKCU\..\Run: [dmmfy.tmp] C:\Windows\system32\dmmfy.tmp
O4 - HKCU\..\Run: [dmewh.tmp] C:\Windows\system32\dmewh.tmp
O4 - HKCU\..\Run: [dmslh.tmp] C:\Windows\system32\dmslh.tmp
O4 - HKCU\..\Run: [dmgwa.tmp] C:\Windows\system32\dmgwa.tmp
O4 - HKCU\..\Run: [dmtzk.tmp] C:\Windows\system32\dmtzk.tmp
O4 - HKCU\..\Run: [dmxgj.tmp] C:\Windows\system32\dmxgj.tmp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\Barry Grimmell\AppData\Local\Temp\HelpInstaller_StartUp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A98FC1D4-B1CE-4CC8-BF4A-58AE61F23683}: NameServer = 85.255.115.237,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9282 bytes
thanks
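The lines a reviewer would single out in the log above are the O4 Run values that launch .tmp files from system32, the Startup item running out of a Temp folder, and the O17 NameServer values pointing at public resolvers. As an added example (not part of this thread, and not HijackThis code), the following Python script parses a constructed excerpt of that log and flags those entry types; the rule that only private or loopback resolvers pass, and the severity labels, are this example's assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Constructed excerpt of a HijackThis v2.0.2 log. The entry types and the
# suspicious values (.tmp Run entries, a Temp-folder Startup item, static
# 85.255.x.x NameServer values) are taken from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [dmdvv.exe] C:\Windows\system32\dmdvv.exe
O4 - HKCU\..\Run: [dmobx.tmp] C:\Windows\system32\dmobx.tmp
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\Barry Grimmell\AppData\Local\Temp\HelpInstaller_StartUp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A98FC1D4-B1CE-4CC8-BF4A-58AE61F23683}: NameServer = 85.255.115.237,85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis entry type: "O4", "O17", "O20"
    severity: str  # "high" (act on it) or "review" (verify the publisher); assumed labels
    reason: str
    line: str


# Entry shapes as HijackThis v2 prints them.
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.*?) = (?P<target>.*)$")
O17_NAMESERVER = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>.*)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")

# A quoted path, or a bare path ending in a program extension (may contain spaces).
PATH_TOKEN = re.compile(
    r'"([^"]*)"|([^"]*?\.(?:exe|dll|tmp|scr|com|bat|cmd|pif))(?=[\s,]|$)',
    re.IGNORECASE,
)
TEMP_DIR = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)


def program_paths(cmd: str) -> List[str]:
    """Every file path in a Run value: for rundll32-style launches the host
    comes first and the DLL payload second, so both get checked."""
    return [(quoted or bare).strip() for quoted, bare in PATH_TOKEN.findall(cmd)]


def startup_concern(path: str) -> Optional[str]:
    """Why a logon-time program deserves attention, or None if nothing stands out."""
    if path.lower().endswith(".tmp"):
        return "logon entry launches a .tmp file; installed software registers .exe/.dll, not scratch files"
    if TEMP_DIR.search(path):
        return "logon entry runs a program out of a Temp folder"
    return None


def nameserver_concern(servers: str) -> Optional[str]:
    """Statically configured resolvers outside private/loopback space need confirming:
    a home PC normally gets DNS from the router or DHCP (assumed policy)."""
    public = []
    for token in re.split(r"[ ,]+", servers.strip()):
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            return f"NameServer holds a non-address value {token!r}"
        if not (addr.is_private or addr.is_loopback):
            public.append(token)
    if public:
        return "static NameServer set to public resolvers " + ", ".join(public) + "; confirm they are the ISP's"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a reviewer's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN.match(line):
            for path in program_paths(m["cmd"]):
                if reason := startup_concern(path):
                    findings.append(Finding("O4", "high", reason, line))
                    break
        elif m := O4_STARTUP.match(line):
            if reason := startup_concern(m["target"]):
                findings.append(Finding("O4", "high", reason, line))
        elif m := O17_NAMESERVER.match(line):
            if reason := nameserver_concern(m["servers"]):
                findings.append(Finding("O17", "high", reason, line))
        elif m := O20_APPINIT.match(line):
            findings.append(Finding("O20", "review",
                                    f"AppInit_DLLs is populated ({m['dlls']}); the DLL is loaded into every "
                                    "process that links user32.dll, so confirm its publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}\n         {f.line}")
```

Entries such as dmdvv.exe, whose name and location carry no signal by themselves, are not caught by these rules; that is the gap a file-level listing such as the ComboFix report later in the thread helps close.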
#2 Mar 14th, 2008
Hi and welcome to the Daniweb forums.
===============
Please download FixWareout from this site:
http://www.bleepingcomputer.com/file...Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log please.
#3 Mar 15th, 2008
#4 Mar 15th, 2008
Please download ComboFix by sUBs from HERE or HERE
- Save it to your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
- Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.
"%userprofile%\desktop\ComboFix.exe" /KillAll
- Click OK and this will start ComboFix.
- When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.
Do not mouse-click combofix's window while it is running. That may cause it to stall.
* Re-enable all the programs that were disabled prior to the running of ComboFix.
* Post the following logs/Reports:
- ComboFix.txt
- Fresh HijackThis log run after all the other tools have performed their cleanup.
Last edited by crunchie; Mar 15th, 2008 at 9:42 pm.
#5 Mar 16th, 2008
First, thanks for the detailed instructions.
Attached is the ComboFix log as well as the new Hijackthis log:
ComboFix 08-03-14.4 - Barry Grimmell 2008-03-15 23:09:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.385 [GMT -4:00]
Running from: C:\Users\Barry Grimmell\Desktop\ComboFix.exe
Command switches used :: /KillAll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
K:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 02:53 401,720 ----a-w C:\Users\Barry Grimmell\HiJackThis.exe
2008-03-13 22:19 --------- d-----w C:\Program Files\Windows Live
2008-03-13 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 12:56 --------- d-----w C:\Program Files\Google
2008-03-09 00:21 --------- d-----w C:\ProgramData\CA
2008-03-09 00:21 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-09 00:21 --------- d-----w C:\Program Files\CA
2008-03-07 07:11 --------- d-----w C:\Program Files\SearchVideo
2008-03-04 15:43 --------- d-----w C:\Users\Caitlynn Grimmell\AppData\Roaming\GTek
2008-03-01 04:44 --------- d-----w C:\Users\Barry Grimmell\AppData\Roaming\Creative
2008-02-28 03:43 --------- d-----w C:\ProgramData\Dell
2008-02-25 13:08 --------- d-----w C:\Program Files\LimeWire
2008-02-25 13:07 --------- d-----w C:\Users\Barry Grimmell\AppData\Roaming\LimeWire
2008-02-23 23:05 --------- d-----w C:\Users\Aidan Grimmell\AppData\Roaming\GTek
2008-02-23 22:42 --------- d-----w C:\Program Files\Creative
2008-02-23 22:42 --------- d-----w C:\Program Files\Audible
2008-02-23 22:36 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-23 22:34 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-23 22:24 --------- d-----w C:\ProgramData\Creative
2008-02-22 22:19 --------- d-----w C:\Users\Barry Grimmell\AppData\Roaming\Windows Live Writer
2008-02-22 00:48 --------- d-----w C:\Users\Richard Mustico\AppData\Roaming\GTek
2008-02-13 08:11 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 08:11 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 08:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 08:05 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 08:05 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 08:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 08:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 08:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 08:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 08:05 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 08:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 08:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 08:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 08:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 08:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 08:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-13 08:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 08:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 08:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 08:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-10 07:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 07:01 --------- d-----w C:\Users\Barry Grimmell\AppData\Roaming\AdobeUM
2008-02-10 05:02 --------- d-----w C:\Program Files\Windows Mail
2008-02-10 05:02 --------- d-----w C:\Program Files\Windows Calendar
2008-02-10 04:47 --------- d-----w C:\ProgramData\WLInstaller
2008-02-10 04:45 --------- d-----w C:\Users\Patty Grimmell\AppData\Roaming\GTek
2008-02-10 04:32 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-02-10 04:32 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-02-10 04:32 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-02-10 04:32 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-02-10 04:32 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-02-10 04:32 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-02-10 04:32 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-02-10 04:32 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-02-10 04:32 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-02-10 04:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-10 04:27 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-10 04:05 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 03:39 174 --sha-w C:\Program Files\desktop.ini
2008-02-10 03:36 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-10 03:30 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-10 03:12 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-02-10 03:12 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-02-10 03:12 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-10 03:11 76,288 ----a-w C:\Windows\System32\dmqsf.exe
2008-02-10 03:11 76,288 ----a-w C:\Windows\System32\dmnij.exe
2008-02-10 03:11 76,288 ----a-w C:\Windows\System32\dmdvv.exe
2008-02-10 03:11 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-02-10 03:11 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-02-10 03:11 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-02-10 03:11 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-02-10 03:11 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-02-10 03:11 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-02-10 03:11 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-02-10 03:11 2,923,520 ----a-w C:\Windows\explorer.exe
2008-02-10 03:09 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-02-10 03:09 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-02-10 03:09 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-02-10 03:09 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-02-10 03:04 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-02-10 03:03 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-02-10 03:02 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-02-10 03:02 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-02-10 03:02 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-02-10 03:02 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-02-10 03:02 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-02-10 03:02 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-02-10 03:02 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-02-10 03:02 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-02-10 03:02 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-02-10 03:02 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-02-10 03:02 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-02-10 03:01 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-02-10 02:59 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-02-10 02:59 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-02-10 02:59 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-10 02:59 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-02-10 02:59 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-02-10 02:57 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 08:34 2159104 C:\Windows\System32\oobefldr.dll]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2006-11-12 03:19 446976]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"dmobx.tmp"="C:\Windows\system32\dmobx.tmp" [ ]
"dmmfy.tmp"="C:\Windows\system32\dmmfy.tmp" [ ]
"dmewh.tmp"="C:\Windows\system32\dmewh.tmp" [ ]
"dmslh.tmp"="C:\Windows\system32\dmslh.tmp" [ ]
"dmgwa.tmp"="C:\Windows\system32\dmgwa.tmp" [ ]
"dmtzk.tmp"="C:\Windows\system32\dmtzk.tmp" [ ]
"dmxgj.tmp"="C:\Windows\system32\dmxgj.tmp" [ ]
"dmbrj.tmp"="C:\Windows\system32\dmbrj.tmp" [ ]
"dmsqu.tmp"="C:\Windows\system32\dmsqu.tmp" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-26 15:06 1006264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-08 00:25 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-08 00:25 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-08 00:25 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 01:16 303104 C:\Windows\sttray.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 06:20 17920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 07:34 1862144]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:42 230664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"dmdvv.exe"="C:\Windows\system32\dmdvv.exe" [2008-02-09 23:11 76288]
C:\Users\Barry Grimmell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Get 2 FREE Audiobooks.lnk - C:\Users\Barry Grimmell\AppData\Local\Temp\HelpInstaller_StartUp.exe [2008-02-23 18:42:04 9031680]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8CCEAB22-AF65-4242-9B3B-79BE35AEAF93}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{283BB589-8949-48A9-BAE5-AF25CA8D56CA}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{224D9E0D-5385-4CAB-9ECD-4F3189CCC74D}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{F7CA302E-C3BD-47C2-A0D9-D140435A5932}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8023554F-E414-4294-A351-435E7128A53B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 20:39]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S4 nvrd32;NVIDIA nForce RAID Driver;C:\Windows\system32\drivers\nvrd32.sys [2007-05-01 08:26]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14173447-53c5-11dc-ae3f-806e6f6e6963}]
\shell\AutoRun\command - E:\CTRun\Start.EXE
.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 03:05:59 C:\Windows\Tasks\CAAntiSpywareScan_Daily as Barry Grimmell at 7 21 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 23:16:55
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\\?\C:\Windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2008-03-15 23:20:50 - machine was rebooted [Barry Grimmell]
ComboFix-quarantined-files.txt 2008-03-16 03:20:36
.
2008-03-05 13:32:59 --- E O F ---
Here is the hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:47 PM, on 3/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\sttray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\Barry Grimmell\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dmdvv.exe] C:\Windows\system32\dmdvv.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [dmobx.tmp] C:\Windows\system32\dmobx.tmp
O4 - HKCU\..\Run: [dmmfy.tmp] C:\Windows\system32\dmmfy.tmp
O4 - HKCU\..\Run: [dmewh.tmp] C:\Windows\system32\dmewh.tmp
O4 - HKCU\..\Run: [dmslh.tmp] C:\Windows\system32\dmslh.tmp
O4 - HKCU\..\Run: [dmgwa.tmp] C:\Windows\system32\dmgwa.tmp
O4 - HKCU\..\Run: [dmtzk.tmp] C:\Windows\system32\dmtzk.tmp
O4 - HKCU\..\Run: [dmxgj.tmp] C:\Windows\system32\dmxgj.tmp
O4 - HKCU\..\Run: [dmbrj.tmp] C:\Windows\system32\dmbrj.tmp
O4 - HKCU\..\Run: [dmsqu.tmp] C:\Windows\system32\dmsqu.tmp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\Barry Grimmell\AppData\Local\Temp\HelpInstaller_StartUp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A98FC1D4-B1CE-4CC8-BF4A-58AE61F23683}: NameServer = 85.255.115.237,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8538 bytes
thanks
Re: IE Explorer/Search Engine problems! (fake/redirect search results;dysfunctional sites
0
#6 Mar 16th, 2008
Can you please do the following.
===============
Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.
- Open Windows Defender
- Click Tools
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection (recommended)
- After you uncheck this, click on the Save button
- Close Windows Defender
===============
Scan with HijackThis and then place a check next to all the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [dmdvv.exe] C:\Windows\system32\dmdvv.exe
O4 - HKCU\..\Run: [dmobx.tmp] C:\Windows\system32\dmobx.tmp
O4 - HKCU\..\Run: [dmmfy.tmp] C:\Windows\system32\dmmfy.tmp
O4 - HKCU\..\Run: [dmewh.tmp] C:\Windows\system32\dmewh.tmp
O4 - HKCU\..\Run: [dmslh.tmp] C:\Windows\system32\dmslh.tmp
O4 - HKCU\..\Run: [dmgwa.tmp] C:\Windows\system32\dmgwa.tmp
O4 - HKCU\..\Run: [dmtzk.tmp] C:\Windows\system32\dmtzk.tmp
O4 - HKCU\..\Run: [dmxgj.tmp] C:\Windows\system32\dmxgj.tmp
O4 - HKCU\..\Run: [dmbrj.tmp] C:\Windows\system32\dmbrj.tmp
O4 - HKCU\..\Run: [dmsqu.tmp] C:\Windows\system32\dmsqu.tmp
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{A98FC1D4-B1CE-4CC8-BF4A-58AE61F23683}: NameServer = 85.255.115.237,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, then click "Fix checked".
-
Reboot.
===============
After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
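The two kinds of entry this post tells the user to fix (O17 NameServer values pointing at resolvers the machine should not be using, and O4 autostarts that run random .tmp files) can be picked out of a HijackThis log mechanically. The script below is an added example written for this thread, not HijackThis's own code or the helper's tooling: it parses the log's "Oxx - body" lines, flags O17 entries whose resolvers are neither private nor in an assumed allow-list of the ISP's resolvers, flags O4 entries that run a .tmp file, and (going one step beyond the fix list above) marks autostarts launched from a Temp folder for review; the bare dm*.exe entry in system32 is deliberately left to human judgement, since an offline check has no reputation data for it.

```python
"""Triage a HijackThis log for the two kinds of entry fixed in this thread: O17 NameServer
values pointing at unexpected resolvers, and O4 autostarts running .tmp or Temp-folder files."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the logs above (username replaced); the 192.168.1.1 line is a made-up control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [dmdvv.exe] C:\Windows\system32\dmdvv.exe
O4 - HKCU\..\Run: [dmobx.tmp] C:\Windows\system32\dmobx.tmp
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\user\AppData\Local\Temp\HelpInstaller_StartUp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A98FC1D4-B1CE-4CC8-BF4A-58AE61F23683}: NameServer = 85.255.115.237,85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.237 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

@dataclass(frozen=True)
class Finding:
    severity: str  # "fix": remove or correct it; "review": needs an analyst's judgement
    section: str   # HijackThis section code, e.g. "O17"
    reason: str
    line: str

LINE_RE = re.compile(r"^([RFO]\d+) - (.+)$")                           # "O17 - <body>"
O17_RE = re.compile(r"^.+?: NameServer = (.+)$")                       # O17 body -> server list
O4_RE = re.compile(r"^(?:.+?\\Run: \[[^\]]*\]|Startup: .+? =) (.+)$")  # O4 body -> command
CMD_RE = re.compile(r'"([^"]+)"|(\S+)')                                # first token, quotes stripped

def parse_line(line):
    """Split one log line into (section, body); None for headers, '--' and 'End of file'."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def unexpected_resolver(token, trusted):
    """True unless token is private/loopback or a trusted resolver (assumed: the ISP's own)."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return True  # not even an IP: still worth a look
    return not (addr.is_private or addr.is_loopback or token in trusted)

def dns_findings(body, trusted):
    """O17 rule: flag the entry if any listed NameServer is unexpected."""
    m = O17_RE.match(body)
    if not m:
        return []
    bad = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if unexpected_resolver(t, trusted)]
    return [Finding("fix", "O17", "NameServer set to unexpected resolver(s) " + ", ".join(bad), body)] if bad else []

def autostart_findings(body, trusted=None):
    """O4 rule: a .tmp file has no business being an autostart; a Temp-folder launcher is not proof
    of infection but deserves review. (trusted is unused; shared signature lets triage dispatch.)"""
    m = O4_RE.match(body)
    if not m:
        return []
    cmd = CMD_RE.match(m.group(1).strip())
    target = ((cmd.group(1) or cmd.group(2)) if cmd else "").lower()
    if target.endswith(".tmp"):
        return [Finding("fix", "O4", "autostart runs a .tmp file", body)]
    if "\\temp\\" in target or "%temp%" in target:
        return [Finding("review", "O4", "autostart launches from a Temp folder", body)]
    return []

RULES = {"O17": dns_findings, "O4": autostart_findings}

def triage(log_text, trusted_dns=()):
    """Apply the rule registered for each entry's section, in log order."""
    trusted = frozenset(trusted_dns)
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[0] in RULES:
            findings.extend(RULES[parsed[0]](parsed[1], trusted))
    return findings
```

Passing the machine's legitimate resolvers in `trusted_dns` is what separates a real hijack from an ISP that simply uses public addresses, so populate it before trusting a clean result.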
Re: IE Explorer/Search Engine problems! (fake/redirect search results;dysfunctional sites
0
#7 Mar 16th, 2008
Crunchie
You are a genius. Everything working perfectly. No more redirects from my search engine.
The latest HijackThis log is attached
thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:17 PM, on 3/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Users\Barry Grimmell\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\Barry Grimmell\AppData\Local\Temp\HelpInstaller_StartUp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7747 bytes