Hello,

Please pardon me if I've made this post in the wrong forum and kindly direct me to the right forum, if need be.

My problem is as follows:

I noticed recently that when I type in a wrong URL, instead of going to the default "page not found" page in my browser (Firefox), I'm redirected to a strange 'Yahoo!'-like URL starting like this:

http://www wp.find-assist.com/search?qo=www.....

Please, has anyone experienced the same?

Does anyone know whether this is a virus/spyware?

How can I get things back to normal?

I'll appreciate any and all responses. Thanks.


Please download GooredFix from one of the locations below and save it to your Desktop.

  • Download Mirror #1
  • Download Mirror #2

  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Hi Crunchie,

Thanks for your kind response. I followed the steps above (I haven't run option #2 yet) and this is the result I got in the GooredLog.txt file:

GooredFix v1.92 by jpshortstuff
Log created at 16:16 on 25/05/2009 running Option #1 (Ademola)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

Please, what should I do next? Thanks.

Ok, nothing there.

Download HijackThis Executable from here and save it to your desktop.

  • Start HJT and press the "Do a system scan and save a log file" button.
  • When the scan is finished a window will pop up giving you the option of where to save it. Save it to the desktop where it is easy to access.
  • Open the log file, then go to the Format tab and make sure that Word Wrap is unchecked.
  • Copy the entire contents of the file and paste it into the body of your post.

DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
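The entries a helper reads first in an HJT log for a redirect complaint are the R0/R1 start and search pages, the O1 hosts lines, the O2 BHOs, the O17 DNS servers and the O20 AppInit_DLLs. The script below pulls those out automatically; it is an added example, not HijackThis code and not part of this reply. The sample lines, the EXPECTED_DNS set and the TRUSTED_URL_HOSTS set are constructed assumptions that you would replace with the DNS servers your ISP actually hands out and the home page you chose.

```python
"""Triage a HijackThis (HJT) v2 log for the entry types most often behind
browser redirects: R0/R1 start and search pages, O1 hosts entries, O2 BHOs,
O17 DNS servers and O20 AppInit_DLLs.

Added example; not HijackThis code and not part of the original reply. The
sample lines, EXPECTED_DNS and TRUSTED_URL_HOSTS are constructed assumptions
that a helper would replace with the machine's real ISP servers and home page.
"""
import re
import sys
from urllib.parse import urlparse

# Constructed sample in HJT's line format (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example-redirector.test/?q=
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.update.example
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Windows\system32\abcd1234.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 198.51.100.1 203.0.113.53
O20 - AppInit_DLLs: eNetHook.dll
"""

# Assumptions filled in per machine: the DNS servers the ISP is expected to
# hand out, and hostnames that are fine as start/search pages.
EXPECTED_DNS = {"198.51.100.1", "198.51.100.2"}
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.google.com", "www.google.com.ng"}
LOOPBACK = {"127.0.0.1", "::1"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (code, body) for every HJT entry line; skip the process list."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return (code, reason, body) for every entry worth a second look."""
    findings = []
    for code, body in parse_hjt(text):
        if code in ("R0", "R1"):
            # Start/search page pointing at an unfamiliar host.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = urlparse(url).hostname if url else None
            if host and host not in TRUSTED_URL_HOSTS:
                findings.append((code, "start/search page host not trusted: " + host, body))
        elif code == "O1":
            # Any hosts entry that is not a loopback mapping redirects traffic.
            parts = body.replace("Hosts:", "").split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                findings.append((code, "hosts file maps %s to %s" % (parts[1], parts[0]), body))
        elif code == "O2":
            # BHOs with no name, or living in system32 under a random 8-char name.
            if "(no name)" in body or re.search(r"system32\\[a-z0-9]{8}\.dll$", body, re.I):
                findings.append((code, "unnamed or oddly named BHO", body))
        elif code == "O17":
            # DNS servers that are not the ones the ISP is expected to assign.
            servers = body.split("NameServer =", 1)[1].split() if "NameServer =" in body else []
            unexpected = [s for s in servers if s not in EXPECTED_DNS]
            if unexpected:
                findings.append((code, "unexpected DNS server(s): " + " ".join(unexpected), body))
        elif code == "O20":
            # AppInit_DLLs load into every process that links user32; always name them.
            findings.append((code, "AppInit_DLLs present", body))
    return findings


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; falls back to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for code, reason, body in triage(text):
        print("%-4s %s\n     %s" % (code, reason, body))
```

An O17 hit is not proof of compromise on its own: a laptop that moves between a 3G modem and a home router will legitimately show different servers, so compare the line against what each connection's DHCP actually assigns before treating it as the cause.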

Hi Crunchie,

Thanks for your assistance thus far.

I followed your instructions and this is the content of the file as requested (find it below). Please, what do I do next? Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:37:29, on 26/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Acer Tour] C:\Acer\AcerTour\AcerTour.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MobiLink Lite] C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4AAD72-32E8-479D-B26F-83A51E087A2E}: NameServer = 198.6.1.1 80.255.35.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8388 bytes

That log is clean.

Download the HostsXpert.
Run it, press "Restore M$ Hosts File", then press "OK". Exit the program.
Note that if you have a custom host file, this will remove it.

==

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  • Kaspersky Online Scanner
  • Panda Active Scan
  • Trend Micro HouseCall
  • F-Secure Online Virus Scanner
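What the "Restore M$ Hosts File" step undoes is any mapping a redirector added to the hosts file, which Windows consults before asking DNS. The script below audits that file and shows what the restore amounts to; it is an added example, not HostsXpert code and not part of this reply. The sample hosts content and the WATCHED name fragments are constructed assumptions.

```python
r"""Audit a Windows hosts file for entries a redirector leaves behind, and show
what the 'restore the Microsoft hosts file' step boils down to.

Added example; not HostsXpert code and not part of the original reply. The
sample hosts content and the WATCHED name fragments are constructed
assumptions. Windows reads %SystemRoot%\System32\drivers\etc\hosts.
"""
import os

LOOPBACK = {"127.0.0.1", "::1"}
# Name fragments worth flagging when pinned: update and AV vendor domains.
WATCHED = ("microsoft.com", "windowsupdate.com", "symantec", "norton",
           "mozilla.", "eset.com", "kaspersky", "trendmicro")

# Constructed sample: the two default localhost lines plus three planted entries.
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com   google.com
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         update.microsoft.com   # planted
"""

# The only active lines a stock Windows hosts file contains; writing these
# back is the equivalent of the restore step.
DEFAULT_HOSTS = "127.0.0.1       localhost\n::1             localhost\n"


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each active, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return a finding for every mapping other than localhost -> loopback."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip in LOOPBACK and names == ["localhost"]:
            continue
        # Loopback or 0.0.0.0 silently breaks the site; anything else redirects it.
        reason = "blackholed" if ip in LOOPBACK or ip == "0.0.0.0" else "redirected to " + ip
        for name in names:
            findings.append({
                "line": line_no, "name": name, "ip": ip, "reason": reason,
                "watched": any(w in name.lower() for w in WATCHED),
            })
    return findings


def hosts_path():
    """Location of the live hosts file on this Windows install."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # no readable hosts file here: use the constructed sample
    for f in audit_hosts(text):
        flag = " [update/AV domain]" if f["watched"] else ""
        print("line %d: %s %s%s" % (f["line"], f["name"], f["reason"], flag))
```

Entries that blackhole vendor update or scanner domains are the ones to act on first, because they are what keeps the antivirus from updating while you try to clean the machine. On Vista the file is protected, so rewriting it needs an elevated prompt.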

> I'm redirected to a strange 'Yahoo!' like URL starting like this:
Did you click "yes" to try out the Yahoo toolbar when you updated Java?

IIRC, one of the things it grabs is the "page not found" and redirects you to some search engine.

It's a reasonably well behaved plugin, so if you have it, try turning it off for a while and re-test.

Or perhaps try running "Firefox (Safe Mode)" and see if that also has the same problem. If firefox-SM is showing the same problem, then it seems very likely that something else is going on.

There are probably some other plugins which also have the same behaviour.

But please keep up with crunchie's excellent advice in any event.
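Two checks follow from this advice, written up as an added example (not Mozilla code and not part of this reply). First, Firefox safe mode disables extensions but keeps prefs.js, so a hijacked keyword.URL or start page survives the safe-mode test and has to be read from the profile directly. Second, if Firefox in safe mode still lands on a search page, the next suspect is name resolution: random hostnames that cannot exist should fail, and if they all resolve to one address the resolver (hosts file, the machine's DNS servers, or the ISP) is rewriting NXDOMAIN and no browser setting will fix it. The sample prefs.js lines and the resolver answers in the test are constructed; TRUSTED_SEARCH_HOSTS is an assumption.

```python
"""Two checks behind the 'typed a wrong URL, landed on a search page' symptom
in Firefox 3.x: (1) prefs.js, where keyword.URL decides where non-URL text
goes and the other prefs below pick the start page and search engine; safe
mode keeps these. (2) The resolver: random names that cannot exist should
not resolve; if they all do, NXDOMAIN is being rewritten below the browser.

Added example; not Mozilla code and not from the original thread. Sample
prefs and resolver answers are constructed; TRUSTED_SEARCH_HOSTS is assumed.
"""
import random
import re
import socket
import string
from urllib.parse import urlparse

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);$')
REDIRECT_PREFS = {
    "keyword.URL", "keyword.enabled", "browser.search.defaultenginename",
    "browser.search.selectedEngine", "browser.startup.homepage",
    "browser.fixup.alternate.enabled",
}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.google.com.ng",
                        "search.yahoo.com", "www.bing.com"}  # assumed

SAMPLE_PREFS = """\
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.google.com.ng/");
user_pref("keyword.enabled", true);
user_pref("keyword.URL", "http://search.example-redirector.test/search?q=");
user_pref("extensions.lastAppVersion", "3.0.10");
"""


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict with str/bool/int values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def suspicious_prefs(text):
    """Return (pref, url) for redirect-related prefs pointing at unknown hosts."""
    hits = []
    for name, value in parse_prefs(text).items():
        if name in REDIRECT_PREFS and isinstance(value, str) and value.startswith("http"):
            host = (urlparse(value).hostname or "").lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                hits.append((name, value))
    return hits


def random_probe_names(n=3, tlds=("com", "net", "org")):
    """Names that cannot legitimately exist: 16 random letters under a TLD."""
    rnd = random.SystemRandom()
    return ["%s.%s" % ("".join(rnd.choice(string.ascii_lowercase) for _ in range(16)),
                       tlds[i % len(tlds)]) for i in range(n)]


def classify_resolver(answers):
    """answers maps probe name -> sorted IP list, or None for NXDOMAIN.
    'clean': nothing resolved; 'wildcard': every probe resolved to the same
    address set (NXDOMAIN rewriting); 'mixed': anything else, look closer."""
    resolved = [tuple(v) for v in answers.values() if v]
    if not resolved:
        return "clean"
    if len(resolved) == len(answers) and len(set(resolved)) == 1:
        return "wildcard"
    return "mixed"


def live_resolver_answers(names):
    """Resolve each name with the system resolver (needs network access)."""
    out = {}
    for name in names:
        try:
            out[name] = sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80)})
        except socket.gaierror:
            out[name] = None
    return out


if __name__ == "__main__":
    for pref, url in suspicious_prefs(SAMPLE_PREFS):
        print("prefs.js: %s = %s" % (pref, url))
    print("resolver:", classify_resolver(live_resolver_answers(random_probe_names())))
```

Run the resolver half once on the machine's normal connection and once with the DNS servers set by hand to a known public resolver; a "wildcard" result that disappears when the servers change points at the configured DNS rather than anything inside Windows.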

@salem: Thanks for your input and I'll keep following crunchie's advice, as you suggested.

@crunchie: Thanks for your continued support. I've decided to give you a detailed report of how I followed your instructions, in case it would be of any help.


Initially out of nervousness, I opened IE to start the ESET online scanner. But it seemed to be taking a bit long and moreover since I'd not used IE for quite some time - neither was it updated during this time - and since my antivirus was temporarily disabled, I decided to start the process from Firefox.

Fortunately the ESET scanner allowed me to download the program onto my system and do it from there. Midway through the scanning process, I wasn't sure if I'd obeyed your instructions to make sure the "Scan unwanted applications is Checked". So I stopped to make sure.

Then I started the scanning process again. I completed the process and was not asked for IE. Here is the result below:

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=f37cf0b49911044eb225e5f4343c5579
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-27 02:47:03
# local_time=2009-05-27 03:47:03 (+0100, W. Central Africa Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=3586 62 60 14 87921886542488
# compatibility_mode=5889 61 66 100 427073045512543
# scanned=9929
# found=0
# cleaned=0
# scan_time=490
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=f37cf0b49911044eb225e5f4343c5579
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-27 04:38:21
# local_time=2009-05-27 05:38:21 (+0100, W. Central Africa Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=3586 62 60 14 87988667883443
# compatibility_mode=5889 61 66 100 427139826853498
# scanned=114508
# found=0
# cleaned=0
# scan_time=6307


Also, just for the record: before I opened this thread on the DaniWeb forum I did a Google search for:

I discovered this post:

http://support.mozilla.com/tiki-view_forum_thread.php?forumId=1&comments_threshold=0&comments_parentId=184175&comments_offset=20&comments_per_page=20&thread_style=commentStyle_plain

and followed the step given by the final person. I was not able to save the file as he had instructed. Thereafter I came to Daniweb for help.

I've decided to write about this just in case this information might be of any use.


Thanks again for your kind support. I really appreciate it. What do I do next?

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Hi Crunchie,

Thanks for your response.

Followed the steps for the ComboFix and HijackThis. I noticed that after running ComboFix it changed my desktop wallpaper to the default wallpaper that came with my system.

I also noticed that when I tried to run HJT it brought up an alert dialogue box saying: "For some reasons windows has denied write access..." (sorry I couldn't get the entire message down, but it mentioned something about me having to do the scan manually).

All the same it ran the scan and produced a log file which I've also copied below.

*******************START OF COMBOFIX LOG FILE RESULT***************************


ComboFix 09-05-26.05 - Ademola 28/05/2009 12:58.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.44.1033.18.765.251 [GMT 1:00]
Running from: c:\users\Ademola\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 10:38 . 2009-03-16 08:00 89104 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\NAVENG.SYS
2009-05-28 10:38 . 2009-03-16 08:00 876144 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\NAVEX15.SYS
2009-05-28 10:38 . 2009-03-16 08:00 371248 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\EECTRL.SYS
2009-05-28 10:38 . 2009-03-16 08:00 2414128 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\CCERASER.DLL
2009-05-28 10:38 . 2009-03-16 08:00 177520 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\NAVENG32.DLL
2009-05-28 10:38 . 2009-03-16 08:00 1181040 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\NAVEX32A.DLL
2009-05-28 10:38 . 2009-03-16 08:00 101936 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\ERASER.SYS
2009-05-28 10:38 . 2009-01-14 10:16 259368 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090527.049\ECMSVR32.DLL
2009-05-27 16:18 . 2009-03-16 08:00 876144 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\NAVEX15.SYS
2009-05-27 16:18 . 2009-03-16 08:00 177520 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\NAVENG32.DLL
2009-05-27 16:18 . 2009-03-16 08:00 1181040 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\NAVEX32A.DLL
2009-05-27 16:18 . 2009-03-16 08:00 89104 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\NAVENG.SYS
2009-05-27 16:18 . 2009-03-16 08:00 371248 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\EECTRL.SYS
2009-05-27 16:18 . 2009-03-16 08:00 2414128 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\CCERASER.DLL
2009-05-27 16:18 . 2009-03-16 08:00 101936 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\ERASER.SYS
2009-05-27 16:18 . 2009-01-14 10:16 259368 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\20090526.041\ECMSVR32.DLL
2009-05-27 14:21 . 2009-05-27 14:21 -------- d-----w c:\program files\ESET
2009-05-26 11:50 . 2009-05-28 10:19 -------- d-----w c:\users\Ademola\AppData\Roaming\skypePM
2009-05-26 03:34 . 2009-05-26 03:34 -------- d-----w c:\program files\Trend Micro
2009-05-21 17:08 . 2009-03-06 17:25 439672 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\Scxpx86.dll
2009-05-21 17:08 . 2009-02-09 22:59 272432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\IDSvix86.sys
2009-05-21 17:08 . 2009-02-09 22:59 251768 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\SymIDSCo.sys
2009-05-21 17:08 . 2009-02-09 22:59 685432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\IDSxpx86.dll
2009-05-21 17:08 . 2009-02-09 22:59 173432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\SymIDSI.dll
2009-05-21 17:08 . 2009-02-09 22:59 370224 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\IDSviA64.sys
2009-05-21 17:08 . 2009-02-05 22:21 157120 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090519.005\IDS9xx86.dll
2009-05-20 16:42 . 2009-05-20 16:42 -------- d-sh--w C:\found.002
2009-05-08 19:38 . 2009-03-06 17:25 439672 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\Scxpx86.dll
2009-05-08 19:38 . 2009-02-09 22:59 272432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\IDSvix86.sys
2009-05-08 19:38 . 2009-02-09 22:59 251768 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\SymIDSCo.sys
2009-05-08 19:38 . 2009-02-09 22:59 685432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\IDSxpx86.dll
2009-05-08 19:38 . 2009-02-09 22:59 173432 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\SymIDSI.dll
2009-05-08 19:38 . 2009-02-09 22:59 370224 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\IDSviA64.sys
2009-05-08 19:38 . 2009-02-05 22:21 157120 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20090506.001\IDS9xx86.dll
2009-05-01 03:38 . 2009-05-01 03:38 -------- d-----w c:\program files\Common Files\Skype
2009-05-01 03:38 . 2009-05-01 03:38 -------- d-----r c:\program files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 13:51 . 2009-03-05 20:22 -------- d-----w c:\users\Ademola\AppData\Roaming\Skype
2009-05-14 17:47 . 2007-05-15 22:21 12 ----a-w c:\windows\bthservsdp.dat
2009-05-14 17:47 . 2007-02-28 05:05 -------- d-----w c:\programdata\Microsoft Help
2009-05-13 17:11 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-11 07:52 . 2007-02-28 05:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 03:38 . 2009-03-05 20:18 -------- d-----w c:\programdata\Skype
2009-04-26 02:15 . 2009-04-26 02:15 -------- d-----w c:\programdata\WindowsSearch
2009-04-21 10:54 . 2009-04-22 03:15 1282 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\tmp3eea.tmp\cur.scr
2009-04-19 08:44 . 2009-04-20 03:35 1289 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\tmp26a2.tmp\cur.scr
2009-04-15 00:55 . 2009-04-15 14:26 1320 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\tmp6b8.tmp\cur.scr
2009-04-09 17:26 . 2009-02-14 20:24 -------- d-----w c:\program files\Norton Internet Security
2009-03-31 21:46 . 2008-02-07 04:04 9584 ----a-w c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
2009-03-24 17:45 . 2009-03-25 14:03 1295 ----a-w c:\programdata\Symantec\Definitions\VirusDefs\tmp18f3.tmp\cur.scr
2009-03-17 03:38 . 2009-04-15 18:21 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 18:21 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-06 17:25 . 2009-03-06 17:25 439672 ----a-w c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\scxpx86.dll
2009-03-05 20:30 . 2009-03-05 20:30 56 ---ha-w c:\programdata\ezsidmv.dat
2009-03-03 04:46 . 2009-04-15 18:43 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 18:43 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 19:04 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 18:43 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 18:43 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 18:43 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 19:04 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 18:43 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 18:43 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-15 18:43 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-15 18:43 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 18:43 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 19:04 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-31 21:47 . 2009-02-14 21:40 324976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MobiLink Lite"="c:\program files\Novatel Wireless\MobiLink\Lite.exe" [2008-01-11 401480]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2009-03-05 31552]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALaunch"="c:\acer\ALaunch\AlaunchClient.exe" [2007-01-26 598016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2008-02-10 152952]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-4 703280]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-2-28 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{74AA616B-6D96-4419-86DC-B5F0D2E32CD0}"= UDP:c:\program files\CyberLink\PowerDVD\PowerDVD.exe:CyberLink PowerDVD
"{2F167436-BE2C-405E-BA7A-30CF5E43843D}"= TCP:c:\program files\CyberLink\PowerDVD\PowerDVD.exe:CyberLink PowerDVD
"{D6980E99-D965-48D4-86A6-7C5A65DD0730}"= UDP:c:\program files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe:OLRSubmission
"{A7EB9069-CDC7-4012-84D0-10301205F8E5}"= TCP:c:\program files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe:OLRSubmission
"{1E83B266-358B-44F5-A9A0-B949EFBC484B}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{164AF172-10C9-4819-91C3-FFF7FC6ED0CC}c:\\windows\\system32\\ftp.exe"= Disabled:UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{66625D9B-FC0D-47D8-9260-C6ABA125D525}c:\\windows\\system32\\ftp.exe"= Disabled:TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{8E3CD07C-92C8-4CE0-B0EA-E678E16304E6}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090519.005\IDSvix86.sys [21/05/2009 18:08 272432]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [28/02/2007 06:28 50688]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 17:50 30312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21/05/2009 18:06 101936]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [12/10/2007 16:04 99200]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 11:31 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [13/01/2008 03:32 23888]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\System32\drivers\smscirda.sys [28/02/2007 03:40 31232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {35BDA760-4905-19AA-54A0-C118ABB5BF0C} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-05-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ademola.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour - c:\acer\AcerTour\AcerTour.exe
HKLM-Run-eRecoveryService - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.ng/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Ademola\AppData\Roaming\Mozilla\Firefox\Profiles\yr5biz1s.default\
FF - prefs.js: browser.search.selectedEngine - Google
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 13:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'Explorer.exe'(4276)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
Completion time: 2009-05-28 13:06
ComboFix-quarantined-files.txt 2009-05-28 12:06

Pre-Run: 40,036,237,312 bytes free
Post-Run: 40,140,050,432 bytes free

224 --- E O F --- 2009-05-14 17:47

***********END OF COMBOFIX LOGFILE RESULT**************************************


************START OF HJT LOGFILE RESULT*****************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:37:29, on 26/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
C:\Program Files\Novatel Wireless\Mobilink\Phoenix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Acer Tour] C:\Acer\AcerTour\AcerTour.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MobiLink Lite] C:\Program Files\Novatel Wireless\MobiLink\Lite.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E4AAD72-32E8-479D-B26F-83A51E087A2E}: NameServer = 198.6.1.1 80.255.35.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8388 bytes


************END OF HJT LOGFILE RESULT******************************

I tried to type in a wrong URL and noticed that the problem still persists!
Please what do I do next?


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.

====

Run hijackthis and go to the "Open the Misc Tools Section." Click on "Open Process Manager" then place a check in the box that says " Show DLL's."
Click on the left of the two icons to the left of that box and that will save the list to the clipboard.
Post the results here by pasting into your reply.

Hi crunchie,

sorry I've not been around to follow up with your kind assistance. I've been facing some faulty hardware issues with my system that have kept me offline for some days now.

Once I get this sorted out, I'll get back to you. Thanks for your kind cooperation and look forward to same when I've sorted out these issues at my end.

Hi Crunchie,

Sorry for the long silence and thanks for your assistance. Unfortunately my laptop that had the problem eventually got completely spoilt!

This was mainly as a result of the poor power supply in my country (even though I use a UPS, Stabilizer & Surge Protector), poor aftersales service and non-availability of genuine spare parts.

Now, guess what? Another desktop and laptop have developed the same problem!! Someone suggested the problem's from my ISP! Could that be possible?

OK - am surprised Crunchie missed this one. If using Firefox 3.0+ (I did note your reluctance to use IE, so am assuming is not your browser of choice), the URL bar also has built-in search facilities. Now normally this gets handed over to Google, but it sounds like somewhere along the line, yours has been switched to WordPress (a major Blog platform), or another site claiming WordPress affiliation.

Type in the URL bar about:config and hit enter, click OK on the warning prompt. In the config manager's search bar, enter keyword.URL.

The default value should look like the following:
http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= If you have a different value, right-click and select reset.

Should correct the problem. My guess is one of your plug-ins is changing the value, or a locally installed application.
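Added example (not from the original post, and not Mozilla's code): the same check Kaninelupus describes, done offline against the profile's prefs.js rather than through about:config. For the first machine the ComboFix log above puts that file under c:\users\Ademola\AppData\Roaming\Mozilla\Firefox\Profiles\yr5biz1s.default\. Firefox only writes a user_pref line for keyword.URL when the value differs from the built-in default quoted above, so a missing line means the default is in use, and a line pointing anywhere other than google.com is what a keyword-search hijack looks like on disk. The two sample prefs.js texts and the hostname in the hijacked one are constructed for illustration.

```python
"""Check a Firefox prefs.js for a hijacked URL-bar keyword search."""
import re
import sys
from urllib.parse import urlsplit

# Firefox 3.0's built-in value for keyword.URL (quoted in the post above).
# Firefox only writes keyword.URL to prefs.js when it differs from this.
DEFAULT_KEYWORD_URL = ("http://www.google.com/search?"
                       "ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=")

# Hosts the keyword search is allowed to hand off to (assumption: Google only).
EXPECTED_HOSTS = {"www.google.com", "google.com"}

# user_pref("name", value);  -- value is a quoted string, true/false or a number
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js text into {pref_name: value}.

    Quoted strings are unescaped, true/false become bools, integers become
    ints; anything else is kept as its raw token. Comments and blank lines
    are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def check_keyword_url(prefs, expected_hosts=EXPECTED_HOSTS):
    """Classify the URL-bar search setting of a parsed profile.

    Returns (status, host, url) where status is:
      'default'  - keyword.URL is not overridden; the built-in value applies
      'ok'       - overridden, but still points at an expected host
      'hijacked' - overridden to another host, or to something not a URL
    """
    url = prefs.get("keyword.URL")
    if url is None:
        return ("default", urlsplit(DEFAULT_KEYWORD_URL).hostname, DEFAULT_KEYWORD_URL)
    if not isinstance(url, str):
        return ("hijacked", None, str(url))
    host = (urlsplit(url).hostname or "").lower()
    if host in expected_hosts:
        return ("ok", host, url)
    return ("hijacked", host or None, url)


# Constructed sample of a profile whose keyword search has been rewritten.
# The hostname is a placeholder, not a real site.
HIJACKED_PREFS = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.google.com.ng/");
user_pref("keyword.enabled", true);
user_pref("keyword.URL", "http://wp.search-redirect.example/search?qo=");
"""

# Constructed sample of a clean profile: no keyword.URL line at all.
CLEAN_PREFS = """\
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.enabled", true);
"""


def report(text, label):
    status, host, url = check_keyword_url(parse_prefs(text))
    print(f"{label}: {status} (host={host}) {url}")
    return status


if __name__ == "__main__":
    # Usage: python check_keyword_url.py [path\to\profile\prefs.js]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(HIJACKED_PREFS, "constructed hijacked profile")
        report(CLEAN_PREFS, "constructed clean profile")
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit. "Reset" in about:config simply deletes the user_pref line, which is why a healthy profile shows the key in normal (not bold) type. This covers Firefox only; the nearest IE equivalents are the Search Page and Start Page values that appear as the R0/R1 lines in the HijackThis log above.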

Hi Kaninelupus, thanks for your suggestion.

The laptop I'm using now has IE installed whilst the desktop is using Firefox and they're both having the same problem!!

So right now I have no reluctance to using either! So any assistance in getting it fixed on either browser would be highly welcomed. Or do I have to learn to live with same?

Have you checked the Hosts file to see if anything has established a re-direction? It doesn't sound like an ISP issue, as is usually a locally-handled re-direct. Would be more inclined to look at either software common to both machines, or sites used by both machines. As I said, the search redirect looks like a WordPress link... do you either make use of particular Blog sites or applications?
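Added example (not from the thread's participants or from HostsXpert): a quick audit of a Windows hosts file (C:\Windows\System32\drivers\etc\hosts) that separates the two ways a hosts entry produces the symptom being chased here. A name pointed at some other machine's address is a redirect; a name pointed at 127.0.0.1, ::1 or 0.0.0.0 is a blackhole, which is how update and search domains get silenced without any visible error. A stock Vista hosts file contains nothing but the two localhost lines, which is what the O1 entry in the HijackThis log above reflects. The sample file, the 192.0.2.10 address and the watch-list of domains are constructed assumptions for the demonstration.

```python
"""Audit a Windows hosts file for redirect and blackhole entries."""
import ipaddress
import sys

# Windows hosts file location (same on Vista and later).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# The only name a stock Windows hosts file maps to loopback.
STOCK_LOOPBACK_NAMES = {"localhost"}

# Illustrative watch-list (an assumption, not from the thread): domains whose
# blackholing means updates or web searches silently stop working.
WATCHLIST_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "symantec.com", "symantecliveupdate.com", "mcafee.com",
)


def parse_hosts(text):
    """Return [(ip_address, [hostnames]), ...] for each data line.

    Comments (# to end of line) and blank lines are skipped, as are lines
    whose first field is not a valid IPv4/IPv6 address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def on_watchlist(name):
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def audit_hosts(text):
    """Return [(ip, hostname, reason), ...] for entries worth a second look.

    redirect : the name is pointed at a non-loopback address, so the browser
               silently reaches that machine instead of the real site.
    blackhole: a watch-listed name is pointed at 127.0.0.1/::1 or 0.0.0.0,
               so updates or searches for it fail with no error that points
               at the hosts file."""
    findings = []
    for ip, names in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if not sinkhole:
                findings.append((str(ip), name, "redirected to non-loopback address"))
            elif name not in STOCK_LOOPBACK_NAMES and on_watchlist(name):
                findings.append((str(ip), name, "blackholed (update/search domain)"))
    return findings


# Constructed sample: the two stock Vista lines followed by three tampered
# entries. 192.0.2.10 is a documentation address, not a real redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com      # search traffic redirected
127.0.0.1       liveupdate.symantecliveupdate.com   # AV updates blackholed
0.0.0.0         www.bing.com
"""


if __name__ == "__main__":
    # Usage: python audit_hosts.py [path-to-hosts]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, name, reason in audit_hosts(text) or [("-", "-", "no findings")]:
        print(f"{ip:<16} {name:<40} {reason}")
```

Reading the file needs no elevation, but on Vista writing it does, so whatever plants an entry there is running with administrator rights (an installer, a service, or something the user approved through UAC). That narrows the list of suspects when the same entries turn up on several machines. Anything this lists is removed by the "Restore M$ Hosts File" step suggested below, which leaves only the localhost lines.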

OK - am surprised Crunchie missed this one.

Didn't miss it, just do not know anything about FF other than that it is rubbish compared to Opera.


Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

Have you checked the Hosts file to see if anything has established a re-direction?

Been there, done that.

@kaninelupus: yes, thanks. I do quite often use both systems to work on a wordpress blog and both systems have similar software installed on them.

@crunchie: hi, nice to have you back. Your comparison of FF and Opera really got me laughing out loud. I've never had the opportunity to try Opera, but your endorsement of it has got me interested.

Thanks guys. I'm really learning a lot from you all. I feel highly honored and privileged.

Been there, done that.

Didn't miss that, but given the behaviour has re-appeared on two other machines, is worth re-visiting, as trying to establish whether a common plug-in or application is altering the hosts file.

Didn't miss it, just do not know anything about FF other than that it is rubbish compared to Opera.

That's your opinion and you're entitled to it... even though the vast majority would disagree with you ;) Also, wouldn't be surprised if the URL search behaviour has an equivalent in Opera, or other browsers.

In the years I have been helping with spyware etc., I have yet to see Opera to be re-directed.
IMO so many people like FF because it is so basic. Everything that Opera has, FF needs to have added later.

@kaninelupus: the thought of the URL search behaviour having an equivalent in Opera, or other browsers is frightening to me.
I sincerely hope not!

@crunchie: Please in case I want to try Opera, are there any special 'requirements' I need to be aware of? Is it easy to download and install? What are the pros and cons? Is it for newbies or pro users? Where can I start or download same? Kindly point me in the right direction.

@kaninelupus: the thought of the URL search behaviour having an equivalent in Opera, or other browsers is frightening to me.
I sincerely hope not!

Am not all that sure why it is a feature that frightens you, but I know IE 8 does have it to some degree.

To explain, I'll give an example. Entering Amazon Three Days Grace into IE8's url bar gives me a Bing search result. Entering the same in FF takes me to the most relevant page in Amazon.

My only concern in your case was that an app or plugin hijacked the default search provider.

There is a link in my signature to download Opera. There are no requirements to run Opera.

Thanks guys, I appreciate your feedback.

@Kaninelupus: The fact that 'something' hijacked my default search provider - for whatever reason - is what frightens me. Who knows what that 'something' will hijack next? Also that it affected 3 different machines.

@crunchie: Thanks. I saw the link right after I wrote my last post. I'll do same and report back to you. I hope Opera will not have any conflict being run on the same machine with either IE/FF - or do I uninstall the others first?

Lastly, which of these options do you guys suggest I take:

1) Start the steps all over again on both systems and report same back to you guys
2) Remove FF/IE and replace same with Opera on all machines
3) Just learn to live with that 'thing' on my machines, since it's not raising any red flags - for now - on any of my antivirus software (NIS & McAfee)?

Thanks again guys.

1) Yes
2) No need to uninstall any other browsers
3) ??

Hi crunchie. OK, I'll do same and get back to you asap. Thanks

I'll inform you first (before I start), so you can guide me through the process again from the start.

It would be interesting to start with a clean install and actually track exactly where the problem starts.... would be nice to identify the culprit once and for all.

Hi Kaninelupus, please clarify: start with a clean install of what?

I believe he means the Operating System.
