
Have followed instructions in the main threads with regards to AVG anti spyware and Hijackthis but still appear to have the same problems.

I'm being redirected to various websites through IE and have had a whole array of pop ups.

Would appreciate any help anyone could give me.

The AVG scan did originally show a Trojan virus which it fixed, but it isn't on the log because I closed the programme without saving the log so had to run a new scan.
Removing the virus didn't resolve the problems.

Scan logs:

Hijackthis


Logfile of HijackThis v1.99.1
Scan saved at 18:44:18, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [inside 64] C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE30C0AC-01F2-4E05-977D-9DA7EAFCF049}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

---

AVG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 18:36:05 07/02/2007
+ Scan result:

C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@nsads.valuead[2].txt -> TrackingCookie.Valuead : No action taken.
C:\Documents and Settings\Sarah.SARAHS-PC\Cookies\sarah@nsads.valuead[3].txt -> TrackingCookie.Valuead : No action taken.

::Report end


Please Help!

2 Contributors, 16 Replies, 17 Views, 10 Years Discussion Span, Last Post by PhilliePhan

Also, I did take action on the AVG results but I saved the log before I accidentally closed the programme again *rolls eyes*


Just one more thing ...

I've been having a look through all the other posts for this subject and it appears it could also be something to do with the DNS servers?
I changed it back to automatic DNS but it doesn't seem to have done much.
There is a lot of stuff I didn't quite understand in the info provided.

This is what was posted:

To all who is having this JUPK.COM DNS redirect problem. I have found an explanation for this problem from a IT security web site: PLEASE READ!!!

Summary:
============
The Internet community has recently been observing a new attack against Microsoft Windows systems running Internet Explorer 6 (MSIE6) and IE7 in the form of a JavaScript triggered worm. The current release of Microsoft Internet Explorer contains an un-patched vulnerability within its ObjectData handling method(s). The currently detected worm carries out a range of actions upon successfully exploiting a victim, most notable of which is the alteration of the systems DNS settings. The result is that instead of attempting DNS resolution via previously configured servers, the victim host now uses an alternate set of DNS servers. This allows the attacker to control where users are browsing by redirecting their web browsing and other Internet activities to alternate addresses.

A possible scenario might be that the attacker alters the victim's DNS settings and the user attempts to browse Amazon.com. When their system does a DNS lookup instead of sending the user to the correct page the alternate DNS server may send the user to a page pretending to be Amazon. As a result when the user enters their credit card details to purchase a book they may in-fact be giving them to the attacker instead. (This example is hypothetical in nature and not based on any observed reality.)

When the vulnerability within the ObjectData handling method(s) is exploited by the now active Trojan, MSIE6 executes a contained ActiveX object within a piece of JavaScript. MSIE6 is programmed to check whether this ActiveX code is 'safe' and during this process MSIE6 determines that the ActiveX code is, in fact, simple HTML/Jscript. As a result it does not prompt the user to save the data to disk, but instead remembers it as HyperText Application (HTA) content and invokes the MSHTA.EXE process to execute the 'simple HTML/Jscript' code. This code is x[1].hta which creates and executes AOLFIX.EXE. AOLFIX.EXE is downloaded in to the victim systems \temp directory, executed and deleted. The final result is the user's system settings being altered and DNS settings changed.

Who is Affected:
============
All users who have Microsoft Internet Explorer version 6 are likely vulnerable to this attack. This issue has been proven to work on Microsoft Window ME, Windows NT, Windows 2000, and Windows XP. It is also considered likely to work on Microsoft Windows 9x and Windows Server 2003.

Symptoms if Exploited or Targeted:
================
Users that have been affected by this Trojan will notice a series of changes to their system, and changes in system behaviour when attempting to access certain web sites or domain names. Behavioural changes will most likely manifest themselves as pages not resolving, or not appearing correct.

Directories Created:
--------------------
%systemdrive%:\bdtemp
%systemdrive%:\bdtemp\temp

Files Created:
--------------
AOLFIX.EXE - Deleted immediately upon execution.
%systemdrive%:\%systemroot%\winlog - Contains the letter 'A'
%systemdrive%:\%systemroot%\help\hosts - Contains static DNS mappings to many IP addresses of popular search engines. See 'Details' section below for list of addresses mapped.

Registry Entries:
-----------------
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath"="%SystemRoot%\help"

Actions:
============
Disabling ActiveX functions within the MSIE6 browser will not provide any level of protection against this vulnerability.

Mitigation:
-----------
- Disable Active Scripting within the MSIE6 (& Outlook) application(s). This will prevent execution of the pages delivering the exploit.
- Ensure firewalls (perimeter defences) are configured to block unauthorised outbound traffic as well as inbound traffic. This will prevent users from using unauthorised DNS servers. As such victim systems will reveal themselves very quickly as they fail to look up Internet domain names.
- Configure host firewalls (personal firewalls) that can control application level access to the network (such as ZoneAlarm) to deny access to the network for MSHTA.EXE.
- Disable HTA MIME types from within the Windows System Registry. To do this remove the entry "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ContentType\application/hta". This can be restored later, once a patch is available and applied.
- Configure IDS (intrusion detection systems) to monitor for suspicious traffic that may alert the administrator to the attack or victim systems. A sample rule set for Snort might be:

snort.conf:
var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]

dns.rules:
alert tcp any any -> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)
alert udp any any -> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)

Fix:
----
No patch is currently available for this issue. The patch MS03-032 does not address this issue.

Can anyone tell me if this IS actually causing the problem and if so what else can I do besides changing the DNS back to automatic?


Can anyone tell me if this IS actually causing the problem and if so what else can I do besides changing the DNS back to automatic?

I did not read that quote, but I can tell you that you have what is referred to as a Wareout infection.

Give me a few minutes and I'll post some steps for you.


Do you know what this is:
C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe ??
Let me know so I can add it to the fix.....

It looks a bit like LOP....

PP :)


Hi Zeon,

I’ve got to run, so we’ll operate under the premise that C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe is a baddie.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [inside 64] C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE30C0AC-01F2-4E05-977D-9DA7EAFCF049}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
Be sure All Browser Windows are Closed and then Click Fix Checked.


THEN:
Please Boot to Safe Mode.
Use Windows Explorer to navigate to and DELETE

C:\DOCUMENTS AND SETTINGS\SARAH~1.SAR\APPLICATION DATA\PROXYL~1\atom okay.exe
* You’ll need to figure the exact path yourself.
Let me know what the full name of the PROXYL~1 folder is and what is in it...

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )


THEN:
Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.


NOW, run a full scan with your AVG Anti-Spyware:
FIRST:
-- Click Run online update and allow it to run until you see the Update Successful message.
THEN:
-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
--->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop where you can find it easily.


LASTLY: Please locate c:\fixwareout\report.txt and post it here along with Fresh HijackThis Scanlog and the AVG Anti-Spyware Log and we'll go from there.

Best Luck :)
PP
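The quoted advisory above explains the symptom of this family (the Tcpip NameServer values are swapped for the attacker's resolvers), and the fix instructions above turn that into a HijackThis checklist: tick every O17 line whose NameServer is not one of the user's real ISP resolvers, then confirm with a fresh scan. The Python script below is an added example written for this page; it is not part of the thread, HijackThis or FixWareout. It embeds the O17 lines from the two HijackThis logs posted in this thread as constructed sample input, parses them (HijackThis prints the registry value verbatim, so resolvers can be space- or comma-separated, as both logs show), flags any resolver outside an expected range, lists the O17 lines a helper would tick, and diffs the before and after scans. The range in EXPECTED_DNS_NETWORKS (212.139.132.0/24) is an assumption taken from the post-fix log; replace it with your own network's legitimate DNS servers.

```python
import ipaddress
import re

# Constructed sample input: the O17 (DNS NameServer) lines from the HijackThis
# logs posted in this thread, before the fix and after it. One non-O17 line is
# included to show it is ignored.
HJT_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE30C0AC-01F2-4E05-977D-9DA7EAFCF049}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

HJT_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
"""

# Assumption: the ISP's real resolvers live in this range (the post-fix log shows
# 212.139.132.6 and .7). Replace with the DNS servers your network actually uses.
EXPECTED_DNS_NETWORKS = ["212.139.132.0/24"]

# "O17 - <registry key>: NameServer = <one or more addresses>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (full_line, registry_key, [resolver, ...]) for every O17 line.
    Resolvers may be separated by spaces or commas, as in the posted logs."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        yield line, m.group("key"), servers


def rogue_resolvers(log_text, expected_networks=EXPECTED_DNS_NETWORKS):
    """Return the set of resolver addresses that fall outside expected_networks
    (anything that is not even a valid IP address is also reported)."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    rogue = set()
    for _, _, servers in parse_o17(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                rogue.add(s)
                continue
            if not any(ip in n for n in nets):
                rogue.add(s)
    return rogue


def o17_lines_to_fix(log_text, expected_networks=EXPECTED_DNS_NETWORKS):
    """Return the O17 lines a helper would tick in HijackThis: every entry that
    points at a resolver outside the expected networks."""
    rogue = rogue_resolvers(log_text, expected_networks)
    return [line for line, _, servers in parse_o17(log_text)
            if any(s in rogue for s in servers)]


def o17_changes(before, after):
    """Return (removed, added) O17 lines between two scans, to confirm the fix
    replaced the rogue resolvers with legitimate ones instead of leaving them."""
    b = {line for line, _, _ in parse_o17(before)}
    a = {line for line, _, _ in parse_o17(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("rogue resolvers before fix:", sorted(rogue_resolvers(HJT_BEFORE)))
    for line in o17_lines_to_fix(HJT_BEFORE):
        print("  tick in HijackThis:", line)
    removed, added = o17_changes(HJT_BEFORE, HJT_AFTER)
    print(f"{len(removed)} O17 entries removed, {len(added)} added by the fix")
    print("rogue resolvers after fix:", sorted(rogue_resolvers(HJT_AFTER)))
```

Run against the two logs, the script reports 85.255.114.90 and 85.255.112.92 as rogue, returns all six O17 lines from the first scan as the ones to fix, and finds nothing rogue in the second scan. The allowlist approach is deliberate: a blocklist of known bad resolver addresses goes stale, whereas "anything that is not my ISP's resolver" catches the next variant too.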


Thanks so much for the help :mrgreen:

I did not read that quote, but I can tell you that you have what is referred to as a Wareout infection.

Sorry it wasn't quoted in the bit I posted, it was just quite a few people in that thread had said that changing the DNS back to automatic had worked for them.


Do you know what this is:
C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe ??
Let me know so I can add it to the fix.....

It looks a bit like LOP....

I have no idea what that is, but the full extension was 'PROXY LICENSE' and the only thing in the file was 'atom okay.exe'
I deleted it as instructed.

Not sure why but 2 of the items you said to delete from the HJT scan were not there:

O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92

O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92

Here are my scan logs:

Logfile of HijackThis v1.99.1
Scan saved at 15:43:04, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
0

Hmm, seems my last post has messed itself up and all the spaces have vanished :-|
Here are the details again, hope they work:


Thanks so much for the help :mrgreen:

The DNS thing wasn't quoted in the bit I posted; it was just that quite a few people in that thread had said that changing the DNS back to automatic had worked for them.


I have no idea what the file was, but the full extension was 'PROXY LICENSE' and the only thing in the file was 'atom okay.exe'.
I deleted it as instructed.

Not sure why, but 2 of the items you said to delete from the HJT scan were not there:

O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92

O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92

Here are my scan logs:

Logfile of HijackThis v1.99.1
Scan saved at 15:43:04, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:38:55 08/02/2007
+ Scan result:

Nothing found.

::Report end


Fixwareout
Last edited 1/30/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdrli.exe will be moved to C:\WINDOWS\temp\kdrli.ren at reboot.
»»»»» System restarted
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

»»»»» Misc files.

»»»»» Checking for older varients.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"igndlm.exe"="C:\\Program Files\\IGN\\Download Manager\\DLM.exe /windowsstart /startifwork"
"inside 64"="C:\\DOCUME~1\\SARAH~1.SAR\\APPLIC~1\\PROXYL~1\\atom okay.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
Hosts file was reset, If you use a custom hosts file please replace it


---


Since I turned on the computer today the pop-ups and redirects seem to have gotten worse, and now my Norton keeps notifying me of various Trojan viruses it is trying to block. Not sure why, as it didn't notify me of them before now even though the AVG scan had picked a few up.

Also, it might seem like a silly question, but I assume it's not safe to use my online banking facilities? And could they have already been compromised by these Trojan viruses?

Thanks again for the help ;)

0

The DNS thing wasn't quoted in the bit I posted; it was just that quite a few people in that thread had said that changing the DNS back to automatic had worked for them.

That's just part of the solution to this problem - one should do that after the steps we just did, if it is needed.


I assume this is your ISP?

inetnum: 212.139.0.0 - 212.139.255.255
org: ORG-TUL3-RIPE
netname: UK-TELINCO-990326
descr: Tiscali UK Ltd
country: GB
admin-c: TU935-RIPE
tech-c: TU935-RIPE
status: ALLOCATED PA
notify: **********@uk.tiscali.com
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TU935-RIPE-MNT
mnt-routes: TU935-RIPE-MNT
changed: **********@ripe.net 19990326
changed: **********@ripe.net 20040121
changed: **********@ripe.net 20051104
source: RIPE

organisation: ORG-TUL3-RIPE
org-name: Tiscali UK Limited
org-type: LIR
address: 20 Broadwick Street
address: W1F 8HT
address: London
address: United Kingdom



I'd like to see a fresh HJT log and a ComboFix log.

1. Download this file :
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. DoubleClick combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Please submit that for me.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall...

Since I turned on the computer today the pop-ups and redirects seem to have gotten worse, and now my Norton keeps notifying me of various Trojan viruses it is trying to block. Not sure why, as it didn't notify me of them before now even though the AVG scan had picked a few up.

Also, it might seem like a silly question, but I assume it's not safe to use my online banking facilities? And could they have already been compromised by these Trojan viruses?

Thanks again for the help

Happy to try to help! :)

It is possible that your sensitive information has been compromised.
Always best to assume the worst....
Once we see what other baddies are on your compy, I'll be able to tell you whether they have the ability to steal your info...

-- What is the message from Norton? Can you copy & paste the log and/or the message?
-- How many different User Accounts are on this machine?
-- What exactly is this folder? --> SARAH~1.SAR

Please get me the fresh scanlogs and I'll go over them when I get home tonight (EST)

Best :)
PP

0
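The check the helper did by hand above, as an added example that is not from the thread, HijackThis or ComboFix: it reads the O17 NameServer lines quoted in this thread and tests each DNS server against the inetnum block from the RIPE record for the ISP. The log lines and the whois line are copied from the posts; the function and constant names are my own.

```python
"""Check HijackThis O17 NameServer entries against an ISP's whois allocation.

Added example, not part of the thread or of HijackThis. It repeats the
helper's reasoning in code: every DNS server configured under the Tcpip
service key of each ControlSet (the HJT "O17" lines) should fall inside
the inetnum block that the RIPE whois record gave for the user's ISP.
"""
import ipaddress
import re

# Constructed sample input: the O17 lines quoted in the thread, first the
# pair the helper asked to remove, then the pair seen after the fix.
HJT_O17_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
"""
HJT_O17_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 212.139.132.6 212.139.132.7
"""

# The inetnum line from the RIPE record the helper pasted for Tiscali UK.
ISP_INETNUM = "inetnum: 212.139.0.0 - 212.139.255.255"

# HJT 1.99.1 prints: "O17 - <registry key>: NameServer = <ip>[ <ip>...]".
# The key contains no spaces, so \S+ stops right before ": NameServer".
O17_LINE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_inetnum(line):
    """Turn a whois 'inetnum: A - B' line into the CIDR networks covering it."""
    _, _, value = line.partition(":")
    first, _, last = value.strip().partition(" - ")
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())))


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 line in an HJT log.

    Windows stores the list space- or comma-separated, so split on both.
    """
    for raw in log_text.splitlines():
        match = O17_LINE.match(raw.strip())
        if match is None:
            continue
        servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
        yield match.group("key"), servers


def classify_nameservers(log_text, inetnum_line):
    """Return [(registry_key, server, verdict)]; verdict is 'isp', 'foreign' or 'invalid'."""
    isp_networks = parse_inetnum(inetnum_line)
    results = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.IPv4Address(server)
            except ValueError:
                results.append((key, server, "invalid"))
                continue
            inside = any(addr in net for net in isp_networks)
            results.append((key, server, "isp" if inside else "foreign"))
    return results


def foreign_nameservers(log_text, inetnum_line):
    """Sorted, de-duplicated DNS servers that are outside the ISP's block.

    Being inside the ISP's allocation is only a plausibility check: it says the
    server lives where the user's own provider does, not that it is trustworthy.
    """
    return sorted({srv for _, srv, verdict in classify_nameservers(log_text, inetnum_line)
                   if verdict != "isp"})


if __name__ == "__main__":
    for label, log in (("before fix", HJT_O17_BEFORE), ("after fix", HJT_O17_AFTER)):
        bad = foreign_nameservers(log, ISP_INETNUM)
        status = "OK" if not bad else "outside ISP range: " + ", ".join(bad)
        print(f"{label}: {status}")
```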

Yes, that is my ISP. I did already change my DNS back to automatic, but I do think there is a problem with my IP.
Earlier today I disconnected my PC from the internet and connected my laptop (that's what I'm on now) so I could safely change my online banking passwords ... However, I seem to have the same redirecting problem on my laptop now as well!
Could this be because I connected through the same modem and internet source?
Should I post AVG and HJT logs for my laptop as well ... and have I managed to mess my laptop up now as well?!! :sad:

The messages from Norton vary, but they are always some sort of Trojan. I'm not on that PC now, though, so I'm not getting the pop-ups to copy and paste.

There should only be 2 users, Sarah and Admin; however, at some point in the past an ex of mine decided he would mess around with my PC, so I'm not entirely sure.

That folder appears to lead to a LOCAL folder and then into various Realtek files, which I think is to do with my audio?

Here are the logs for my pc:

"Sarah" - 07-02-08 21:44:13 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Sarah.SARAHS-PC\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))


2007-02-08 14:28 524,288 --ah----- C:\DOCUME~1\ADMINI~1.SAR\NTUSER.DAT
2007-02-08 13:58 <DIR> d-------- C:\fixwareout
2007-02-08 13:48 767,308 ---hs---- C:\WINDOWS\system32\mnnmp.bak2
2007-02-08 13:48 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-02-08 02:03 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-02-07 22:58 753,157 ---hs---- C:\WINDOWS\system32\mnnmp.ini2
2007-02-07 22:43 65,536 --a------ C:\WINDOWS\system32\Schedule.dll
2007-02-07 22:42 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-02-07 22:42 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2007-02-07 22:42 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2007-02-07 22:42 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-02-07 20:53 <DIR> d-------- C:\Program Files\RegCure
2007-02-07 15:24 <DIR> d-------- C:\HijackThis
2007-02-07 14:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-07 14:31 <DIR> d-------- C:\Program Files\Grisoft
2007-02-07 14:13 <DIR> d-------- C:\Program Files\CCleaner
2007-02-07 13:59 <DIR> d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\Google
2007-02-07 13:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Google
2007-02-07 13:58 <DIR> d-------- C:\Program Files\Google
2007-02-07 13:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Google Updater
2007-02-07 02:22 734,404 ---hs---- C:\WINDOWS\system32\mnnmp.bak1
2007-02-07 02:22 277,184 ---hs---- C:\WINDOWS\system32\pmnnm.dll
2007-02-07 02:16 22,757 ---hs---- C:\WINDOWS\system32\gebayyy.dll
2007-02-07 01:03 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-02-06 17:42 <DIR> d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\TrojanHunter
2007-02-06 00:19 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-02-06 00:06 0 -rahs---- C:\MSDOS.SYS
2007-02-06 00:06 0 -rahs---- C:\IO.SYS
2007-02-05 19:13 <DIR> d-------- C:\Program Files\ParetoLogic
2007-02-05 19:13 <DIR> d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\ParetoLogic
2007-02-05 01:56 <DIR> d-------- C:\Program Files\Encore
2007-02-05 01:40 <DIR> d-------- C:\Program Files\Common Files\Hoyle Poker Online
2007-02-04 16:23 <DIR> d-------- C:\Program Files\ProxyLicense
2007-02-04 01:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Trymedia
2007-01-29 14:19 0 --a------ C:\WINDOWS\system32\Ultra.dll
2007-01-14 07:17 <DIR> d-------- C:\Program Files\XoftSpy
2007-01-14 07:16 <DIR> d-------- C:\Program Files\7-Zip
2007-01-12 01:16 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-12 01:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-10 02:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-01-10 02:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Hewlett-Packard
2007-01-10 02:02 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2007-01-10 02:02 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-01-10 02:02 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-01-10 02:02 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2007-01-10 02:02 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-01-10 01:44 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-01-10 01:44 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-01-10 01:44 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-01-10 01:44 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-01-10 01:44 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-01-10 01:44 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-01-10 01:44 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-01-10 01:42 17,176 --------- C:\WINDOWS\hpomdl04.dat
2007-01-10 01:42 104,217 --a------ C:\WINDOWS\hpoins04.dat
2007-01-09 23:38 <DIR> d-------- C:\temp
2007-01-09 23:23 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-08 15:18 -------- d-------- C:\Program Files\mozilla firefox
2007-02-08 14:11 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-07 23:46 -------- d-------- C:\Program Files\searchrelevant
2007-02-06 02:18 -------- d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\limewire
2007-02-05 21:59 -------- d--h----- C:\Program Files\installshield installation information
2007-02-05 17:14 -------- d-------- C:\Program Files\winaso
2007-01-29 14:29 -------- d-------- C:\Program Files\quicktime
2007-01-16 10:52 -------- d-------- C:\Program Files\java
2007-01-09 23:39 -------- d---s---- C:\DOCUME~1\SARAH~1.SAR\Application Data\microsoft
2007-01-09 23:39 -------- d-------- C:\Program Files\hp
2007-01-05 19:14 -------- d-------- C:\Program Files\messenger
2007-01-05 19:14 -------- d-------- C:\Program Files\limewire
2007-01-05 19:13 -------- d-------- C:\Program Files\quickpar
2006-12-25 18:42 -------- d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\apple computer
2006-12-21 23:36 -------- d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\sony
2006-12-21 23:33 -------- d-------- C:\Program Files\sony
2006-12-20 11:22 48768 --a------ C:\WINDOWS\system32\s32evnt1.dll
2006-12-20 11:22 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-20 11:22 -------- d-------- C:\Program Files\symantec
2006-12-20 10:34 0 --a------ C:\DOCUME~1\SARAH~1.SAR\Application Data\download.tmp
2006-12-17 19:33 -------- d-------- C:\DOCUME~1\SARAH~1.SAR\Application Data\ign_dlm
2006-12-14 12:54 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2006-11-13 21:17 7409 --a------ C:\WINDOWS\extend.dat
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"igndlm.exe"="C:\\Program Files\\IGN\\Download Manager\\DLM.exe /windowsstart /startifwork"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DLM"
"hkey"="HKCU"
"command"="C:\\Program Files\\IGN\\Download Manager\\DLM.exe /windowsstart /startifwork"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{40CBCC7F-63C3-4D94-B4D6-A0ED77B9EEB7}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebayyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRV10710

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarah.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpy.job

********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-08 21:52:18


Logfile of HijackThis v1.99.1
Scan saved at 21:59:31, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Thanks again
Sarah

Hi Sarah,

Will have a more thorough look this evening, but a quick glance shows VUNDO.

This hides from HJT unless you rename hijackthis.exe to something such as HJTScanner.exe.

Please run Atribune's VundoFix.exe as per the instructions in the linky and post the log.

Back in a bit!
PP :)

Had a bit of a problem with the Vundo scan thing as it would freeze when trying to reboot, but I restarted and re-ran the scan and it was clean, and the log says it fixed everything:


VundoFix V6.3.5
Checking Java version...
Java version is 1.5.0.8
Java version is 1.5.0.9
Scan started at 23:02:29 08/02/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebayyy.dll
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.tmp
C:\WINDOWS\system32\pmnnm.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebayyy.dll
C:\WINDOWS\system32\gebayyy.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.tmp
C:\WINDOWS\system32\mnnmp.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebayyy.dll
C:\WINDOWS\system32\gebayyy.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.5
Checking Java version...
Java version is 1.5.0.8
Java version is 1.5.0.9
Scan started at 23:50:04 08/02/2007
Listing files found while scanning....
No infected files were found.


---


Should I do all of these scans and stuff on my laptop now as well? :confused:

Sarah
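As an added check (not part of the thread, and not code from VundoFix itself): a small Python parser for the VundoFix log format posted above. It tracks each listed file's final outcome across the removal passes, so that a "Could not be deleted." followed by a later "Has been deleted!" is not misread as a failure, and confirms that the rescan came back clean. SAMPLE_LOG is a constructed excerpt of the lines in the post.

```python
import re

# Constructed excerpt of the VundoFix log posted above (first pass, retry, rescan).
SAMPLE_LOG = """\
Listing files found while scanning....
C:\\WINDOWS\\system32\\gebayyy.dll
C:\\WINDOWS\\system32\\pmnnm.dll
Beginning removal...
Attempting to delete C:\\WINDOWS\\system32\\gebayyy.dll
C:\\WINDOWS\\system32\\gebayyy.dll Could not be deleted.
Attempting to delete C:\\WINDOWS\\system32\\pmnnm.dll
C:\\WINDOWS\\system32\\pmnnm.dll Has been deleted!
Done!
Beginning removal...
Attempting to delete C:\\WINDOWS\\system32\\gebayyy.dll
C:\\WINDOWS\\system32\\gebayyy.dll Has been deleted!
Done!
Listing files found while scanning....
No infected files were found.
"""

# A bare path on its own line (inside the "Listing files found" block).
FOUND_RE = re.compile(r"^[A-Za-z]:\\.+$")
# A per-file verdict line: "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Has been deleted!|Could not be deleted\.)$")

def parse_vundofix(log: str) -> dict:
    """Return the paths listed as found, the last verdict recorded for each
    ("deleted" or "failed"), and whether a rescan reported no infected files."""
    found, status, listing, clean = set(), {}, False, False
    for line in map(str.strip, log.splitlines()):
        if line.startswith("Listing files found"):
            listing = True
            continue
        if listing and FOUND_RE.match(line):
            found.add(line)
            continue
        listing = False  # anything else ends the listing block
        m = RESULT_RE.match(line)
        if m:
            # Later passes overwrite earlier verdicts, so a retry that succeeds counts.
            status[m["path"]] = "deleted" if m["verdict"].startswith("Has") else "failed"
        elif line == "No infected files were found.":
            clean = True
    return {"found": found, "status": status, "clean_rescan": clean}

def unresolved(report: dict) -> set:
    """Files that were listed as found but never recorded as deleted."""
    return {p for p in report["found"] if report["status"].get(p) != "deleted"}
```

An empty `unresolved()` set together with `clean_rescan` being true is what "the log says it fixed everything" amounts to; a non-empty set means a file (typically a DLL still loaded into a process) survived and needs another pass.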

Should I do all of these scans and stuff on my laptop now as well? :confused:
Sarah

If you like . . . . But start a new thread for the laptop so we don't get confused.

I still have yet to take a thorough look at the combofix log for this thread. :cool:

For the laptop - a HJT Log, a combofix log and AVG Anti-spy log ought to be enough to get us started.
If you want to have a pass with VundoFix, that's up to you.

Cheers :)
PP

Combofix log looks OK.

Can you tell me what this is?
2007-02-04 16:23 <DIR> d-------- C:\Program Files\ProxyLicense

PP :)

Sorry, I should have realised it could get confusing having everything in one thread, silly me :rolleyes:
Will start another for the laptop problems, but I understand if you don't have time to look into both for me.

I deleted that folder last night because it was empty ... but I'm sure that is the same thing I had to delete from Windows when I rebooted in safe mode.

Sarah

I deleted that folder last night because it was empty ... but I'm sure that is the same thing I had to delete from Windows when I rebooted in safe mode.

Hi Sarah,

I should have time to look at the new thread.

--- What I was wondering is whether you knew what that Program Files/ProxyLicense folder was.... I imagine it was indeed related to the file you deleted --> C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe

I just want to make sure it was not something legit (certainly did not look legit) and needed. Do you/did you need a Proxy?


No worries, I guess. We'll deal with that if we need to.

PP :)

Well if you do have time i thank you in advance :)

I don't know what a proxy is so I'm not sure if it was needed, but I don't ever remember seeing it before I had the problems.

Is there anything else I can be doing, or should I just wait for you to look through the logs now?

Sarah

I posted some steps for you - pretty much the same as before, as you probably figured...;)

I guess we won't worry about that file we deleted. If it was legit and down the road you find you need it, should be no problem to get another copy....

PP :)
