954,135 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
5 Years Ago
0

search engine redirects to a different IE page

anytime I use a search engine such as google to look up something, when I click the desired link in the search results I am always redirected to a different website. The websites are typically search engines (I don't know whether real or fake) and sometimes they have the same name as the word I am searching for.

this is my HijackThis logfile can someone help?

Logfile of HijackThis v1.99.1
Scan saved at 11:58:48 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137985442078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124237128984
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 10\Ncbi.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

gjeha
Newbie Poster
4 posts since Jan 2007
Reputation Points: 10
Solved Threads: 0
 
5 Years Ago
0

Hi gjeha,

You have what look to be a couple of the nastier baddies that are making the rounds. We'll try to get the bulk of them in one pass (though one baddie replaces legit files with malware and we'll have to reconstitute to good files to their proper locations - Hopefully the AVG run will delete the bad ones...).


***Please DISABLE SpybotSD's "Tea Timer" before doing the steps below!!!! Frankly, I would suggest uninstalling SpyBotSD completeley since you already have Spy Sweeper and Windows Defender in play.
If you are concerned about the "immunize" freature of Spybot, you'd be better off with Spyware Blaster....


Anyhoo, off we go . . .

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
Be sure All Browser Windows are Closed and then Click Fix Checked.

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

THEN:
Please Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.

NEXT:
-- Please download and Install AVG Anti-Spyware v7.5

THEN:
RightClick the AVG Anti-Spy Icon in your system tray and do the following:
-- Uncheck Resident Shield
-- Uncheck Automatic Updates
-- Uncheck Start with Windows
* You can reset the above to their defaults AFTER your machine has been deemed “clean,” if you so desire. For now, we need them disabled.

Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let me know.

NOW, run a full scan:

-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
--->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop where you can find it easily.
Again, be sure to Apply All Actions Before saving the Log!!!!! So few people pay attention to this step that it is extremely frustrating!

THEN:
Please download FindAWF by noahdfear and save it to your Desktop.
-- Double click FindAWF.exe and follow the instructions.
-- When the tool has finished scanning, the results will be saved as awf.txt on your Desktop.
-- Please submit that log for me.

LASTLY: Please locate c:\fixwareout\report.txt and post it here along with awf.txt and the AVG Anti-Spyware Log and we'll go from there.


Best Luck :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 
5 Years Ago
0

quote=PhilliePhan;302927]Hi gjeha,

You have what look to be a couple of the nastier baddies that are making the rounds. We'll try to get the bulk of them in one pass (though one baddie replaces legit files with malware and we'll have to reconstitute to good files to their proper locations - Hopefully the AVG run will delete the bad ones...).


***Please DISABLE SpybotSD's "Tea Timer" before doing the steps below!!!! Frankly, I would suggest uninstalling SpyBotSD completeley since you already have Spy Sweeper and Windows Defender in play.
If you are concerned about the "immunize" freature of Spybot, you'd be better off with Spyware Blaster....


Anyhoo, off we go . . .

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8543C3D6-3471-4A1E-B878-B3F6EA1FDFEA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8CCAA54-A7DA-4179-A67E-1ADD59A5CA38}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451F064-8B7F-4900-BC46-082AFA82A1DE}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C3B19A-7D4E-4E0A-8A9F-05112DEF4DBA}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2630B416-A518-4BDB-B190-5D1B1E47261A}: NameServer = 85.255.115.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.107 85.255.112.121
Be sure All Browser Windows are Closed and then Click Fix Checked.

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

THEN:
Please Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.

NEXT:
-- Please download and Install AVG Anti-Spyware v7.5

THEN:
RightClick the AVG Anti-Spy Icon in your system tray and do the following:
-- Uncheck Resident Shield
-- Uncheck Automatic Updates
-- Uncheck Start with Windows
* You can reset the above to their defaults AFTER your machine has been deemed “clean,” if you so desire. For now, we need them disabled.

Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let me know.

NOW, run a full scan:

-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
--->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop where you can find it easily.
Again, be sure to Apply All Actions Before saving the Log!!!!! So few people pay attention to this step that it is extremely frustrating!

THEN:
Please download FindAWF by noahdfear and save it to your Desktop.
-- Double click FindAWF.exe and follow the instructions.
-- When the tool has finished scanning, the results will be saved as awf.txt on your Desktop.
-- Please submit that log for me.




LASTLY: Please locate c:\fixwareout\report.txt and post it here along with awf.txt and the AVG Anti-Spyware Log and we'll go from there.


Best Luck :)
PP[/quote]



I have done what you suggested and things went well. I am including all the logs that you asked for.

awf.txt

Report-Scan-20070118-234537.txt

report.txt




Fixwareout
Last edited 1/14/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\kdogr.exe will be moved to C:\WINDOWS\temp\kdogr.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:45:37 PM 1/18/2007
+ Scan result:

HKU\S-1-5-21-467969744-263838244-3134824780-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
HKU\S-1-5-21-467969744-263838244-3134824780-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
C:\Documents and Settings\George Jeha\Cookies\george_jeha@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\George Jeha\Cookies\george_jeha@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.

::Report end

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~
25600 "C:\WINDOWS\Internet Logs\xDB15.tmp"
25600 "C:\WINDOWS\Internet Logs\xDB5D.tmp"

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~


I hope this did it. Please let me know if I need to do anything else and thanks for your help.
George

Attachments awf.txt (0.62KB) Report-Scan-20070118-234537.txt (2.15KB) report.txt (0.77KB)
gjeha
Newbie Poster
4 posts since Jan 2007
Reputation Points: 10
Solved Threads: 0
 
5 Years Ago
0

Hi George,

Things look OK.

I do not see the downloader AWF that I thought might be present - That saves a lot of hassle!

-- How are things running now?

-- How about posting a Fresh HJT log just to double-check?


I'll be back tomorrow.

Best :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 
5 Years Ago
0

Things are much better back to normal thanks to you.
I am inclusing a copy of a HJK log done after fixing. I did download the AWF and included the log in my previous reply. I am not sure whether I know what you asked for.

Thanks again

Attachments hijackthis.txt (11.17KB)
gjeha
Newbie Poster
4 posts since Jan 2007
Reputation Points: 10
Solved Threads: 0
 
5 Years Ago
0
Things are much better back to normal thanks to you.
I am inclusing a copy of a HJK log done after fixing. I did download the AWF and included the log in my previous reply. I am not sure whether I know what you asked for.
Thanks again


You're welcome!

Everything looks good :)

--- Sorry for the confusion. What I meant was that I did not see any trace of the AWF downloader in those (FindAWF) logs.....

-- You can remove that AVG Anti-Spy if you like since you have both Spy Sweeper and Windows Defender on board. The AVG "Guard" feature will be disabled after a month, anyway. 'Course, you could keep it on hand as an "on demand" scanner - you can always get definitions updates for it....

Best :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed