search engine redirects to a different IE page

Posted by gjeha (Newbie Poster)
#1, Jan 18th, 2007
Anytime I use a search engine such as Google to look up something, when I click the desired link in the search results I am always redirected to a different website. The websites are typically search engines (I don't know whether real or fake) and sometimes they have the same name as the word I am searching for.

This is my HijackThis logfile; can someone help?

Logfile of HijackThis v1.99.1
Scan saved at 11:58:48 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...rix/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1137985442078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124237128984
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 10\Ncbi.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Posted by PhilliePhan (Moderator)
#2, Jan 18th, 2007
Hi gjeha,

You have what look to be a couple of the nastier baddies that are making the rounds. We'll try to get the bulk of them in one pass (though one baddie replaces legit files with malware and we'll have to reconstitute the good files to their proper locations - Hopefully the AVG run will delete the bad ones...).


***
Please DISABLE SpybotSD's "Tea Timer" before doing the steps below!!!!
Frankly, I would suggest uninstalling SpyBotSD completely since you already have Spy Sweeper and Windows Defender in play.
If you are concerned about the "immunize" feature of Spybot, you'd be better off with Spyware Blaster....


Anyhoo, off we go . . .

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
Be sure All Browser Windows are Closed and then Click Fix Checked.

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

THEN:
Please Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.

NEXT:
-- Please download and Install AVG Anti-Spyware v7.5

THEN:
RightClick the AVG Anti-Spy Icon in your system tray and do the following:
-- Uncheck Resident Shield
-- Uncheck Automatic Updates
-- Uncheck Start with Windows
* You can reset the above to their defaults AFTER your machine has been deemed “clean,” if you so desire. For now, we need them disabled.

Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let me know.

NOW, run a full scan:

-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
---> Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop where you can find it easily.
Again, be sure to Apply All Actions Before saving the Log!!!!! So few people pay attention to this step that it is extremely frustrating!

THEN:
Please download FindAWF by noahdfear and save it to your Desktop.
-- Double click FindAWF.exe and follow the instructions.
-- When the tool has finished scanning, the results will be saved as awf.txt on your Desktop.
-- Please submit that log for me.




LASTLY: Please locate c:\fixwareout\report.txt and post it here along with awf.txt and the AVG Anti-Spyware Log and we'll go from there.


Best Luck
PP
Last edited by PhilliePhan; Jan 18th, 2007 at 5:10 am. Reason: the usual . . . .
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
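One way to automate the check PhilliePhan does by eye in the post above: pick the O17 NameServer entries out of an HJT log and flag resolvers that are neither private nor on a known-good list, then report which ControlSets carry them (so the CS1 copies get fixed too). This is an added example, not from the thread or the HijackThis project; the 192.168.1.1 allowlist and the GUID in the clean line are constructed, the rogue lines are the ones from gjeha's log.

```python
"""Flag rogue DNS resolvers in HijackThis O17 lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist for the demo: assume the only legitimate resolver
# on this network is the home router.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# O17 lines name a Tcpip registry key and its NameServer value; the servers
# may be comma- or space-separated, as both forms appear in the log.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+): NameServer = (?P<servers>.+)$"
)

# Sample input: the eight O17 lines from the thread plus one constructed
# benign interface entry and one non-O17 line that must be ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rr.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-CONS-TRUC-TED0-000000000000}: NameServer = 192.168.1.1
"""

# Constructed "after the fix" log: only the router remains.
CLEAN_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-CONS-TRUC-TED0-000000000000}: NameServer = 192.168.1.1
"""


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def find_rogue_dns(log_text, trusted=TRUSTED_RESOLVERS):
    """Map each suspect resolver to the registry keys that reference it.

    A resolver is suspect when it is a public (non-private) address that is
    not on the allowlist; a LAN router is accepted so the check stays quiet
    on an ordinary home network. Unparseable values are reported as well.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                hits[server].append(key)  # malformed: worth a look too
                continue
            if server not in trusted and not addr.is_private:
                hits[server].append(key)
    return dict(hits)


def control_sets_affected(hits):
    """ControlSets (CCS, CS1, ...) that carry a suspect resolver.

    The same rogue pair in both CurrentControlSet and ControlSet001 means
    a 'Last Known Good' boot would bring the hijack back, so every set
    listed here needs the same fix.
    """
    return {key.split("\\")[2] for keys in hits.values() for key in keys}


if __name__ == "__main__":
    rogue = find_rogue_dns(SAMPLE_LOG)
    for server, keys in rogue.items():
        print(f"{server}: set on {len(keys)} Tcpip keys")
    print("ControlSets affected:", sorted(control_sets_affected(rogue)))
```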

Posted by gjeha (Newbie Poster)
#3, Jan 19th, 2007

I have done what you suggested and things went well. I am including all the logs that you asked for.
awf.txt

Report-Scan-20070118-234537.txt

report.txt



Fixwareout
Last edited 1/14/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\kdogr.exe will be moved to C:\WINDOWS\temp\kdogr.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:45:37 PM 1/18/2007
+ Scan result:

HKU\S-1-5-21-467969744-263838244-3134824780-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
HKU\S-1-5-21-467969744-263838244-3134824780-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
C:\Documents and Settings\George Jeha\Cookies\george_jeha@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.

::Report end

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~
25600 "C:\WINDOWS\Internet Logs\xDB15.tmp"
25600 "C:\WINDOWS\Internet Logs\xDB5D.tmp"

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~


I hope this did it. Please let me know if I need to do anything else and thanks for your help.
George
Posted by PhilliePhan (Moderator)
#4, Jan 19th, 2007
Hi George,

Things look OK.

I do not see the downloader AWF that I thought might be present - That saves a lot of hassle!

-- How are things running now?

-- How about posting a Fresh HJT log just to double-check?



I'll be back tomorrow.

Best
PP
Last edited by PhilliePhan; Jan 19th, 2007 at 2:19 am.
Posted by gjeha (Newbie Poster)
#5, Jan 20th, 2007
Things are much better, back to normal thanks to you.
I am including a copy of an HJT log done after fixing. I did download the AWF and included the log in my previous reply. I am not sure whether I know what you asked for.

Thanks again
Attached file: hijackthis.txt (11.2 KB)
Posted by PhilliePhan (Moderator)
#6, Jan 20th, 2007
Originally Posted by gjeha:
> Things are much better, back to normal thanks to you.
> I am including a copy of an HJT log done after fixing. I did download the AWF and included the log in my previous reply. I am not sure whether I know what you asked for.
> Thanks again
You're welcome!

Everything looks good

--- Sorry for the confusion. What I meant was that I did not see any trace of the AWF downloader in those (FindAWF) logs.....

-- You can remove that AVG Anti-Spy if you like since you have both Spy Sweeper and Windows Defender on board. The AVG "Guard" feature will be disabled after a month, anyway. 'Course, you could keep it on hand as an "on demand" scanner - you can always get definitions updates for it....

Best
PP
Posted in the Viruses, Spyware and other Nasties Forum, DaniWeb. ©2003 - 2009 DaniWeb® LLC