Jump to content


Photo

Search engine redirect/hijack


  • Please log in to reply
16 replies to this topic

#1 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 07:46 AM

Lavasoft,

I'm a new forum member. I've been using Ad-Aware SE Personal for a few years now and it's worked out great. But this issue is strange. I've read through some other posts concerning this search engine redirect issue. I feel like user Ai Tak knows what it is but I don't know how to fix it myself. Is this the correct forum for posting scan logs? I have an Ad-Aware log and HijackThis log ready for anyone who would be kind enough to help me.

Thanks,

Blix

#2 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 07 February 2007 - 09:06 AM

Hello,Blix86 & Welcome

Please show me both logfiles.

Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

QUOTE

#3 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 07:46 PM

Gogo,

Thanks for your help. Here's Ad-Aware first:

Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, February 07, 2007 1:22:24 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R150 06.02.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):16 total references
Tracking Cookie(TAC index:3):31 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R150 06.02.2007
Internal build : 188
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 979344 Bytes
Total size : 3197605 Bytes
Signature data size : 3180780 Bytes
Reference data size : 16313 Bytes
Signatures total : 83548
CSI Fingerprints total : 5801
CSI data size : 276023 Bytes
Target categories : 15
Target families : 1037


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:522736 kb
Available physical memory:147788 kb
Total page file size:885992 kb
Available on page file:457808 kb
Total virtual memory:2097024 kb
Available virtual memory:2029520 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-7-2007 1:22:24 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\Application

Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\internet

explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\internet

explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\microsoft

management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\search

assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: :

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: :

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\

lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: :

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\

opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: :

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\recentdoc

s
Description : list of recent documents opened


MRU List Object Recognized!
Location: :

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


MRU List Object Recognized!
Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows

media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 564
ThreadCreationTime : 2-2-2007 4:02:02 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 612
ThreadCreationTime : 2-2-2007 4:02:08 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 2-2-2007 4:02:12 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 2-2-2007 4:02:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 2-2-2007 4:02:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 892
ThreadCreationTime : 2-2-2007 4:02:18 AM
BasePriority : Normal
FileVersion : 6.14.10.4131
ProductVersion : 6.14.10.4131.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 924
ThreadCreationTime : 2-2-2007 4:02:18 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1000
ThreadCreationTime : 2-2-2007 4:02:18 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1096
ThreadCreationTime : 2-2-2007 4:02:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1164
ThreadCreationTime : 2-2-2007 4:02:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1300
ThreadCreationTime : 2-2-2007 4:02:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ccsvchst.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1416
ThreadCreationTime : 2-2-2007 4:02:21 AM
BasePriority : Normal
FileVersion : 106.1.3.3
ProductVersion : 106.1.3.3
ProductName : Symantec Security Technologies
CompanyName : Symantec Corporation
FileDescription : Symantec Service Framework
InternalName : ccSvcHst
LegalCopyright : Copyright © 2000-2006 Symantec Corporation. All rights reserved.
OriginalFilename : ccSvcHst.exe

#:13 [appsvc32.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\AppCore\
ProcessID : 1564
ThreadCreationTime : 2-2-2007 4:02:24 AM
BasePriority : Normal
FileVersion : 1.0.00.101
ProductVersion : 1.0
ProductName : Symantec Application Core
CompanyName : Symantec Corporation
FileDescription : Symantec Application Core Service
InternalName : AppSvc32
LegalCopyright : Copyright © 1997-2006 Symantec Corporation
OriginalFilename : AppSvc32.exe

#:14 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1676
ThreadCreationTime : 2-2-2007 4:02:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [aluschedulersvc.exe]
FilePath : C:\Program Files\Symantec\LiveUpdate\
ProcessID : 964
ThreadCreationTime : 2-2-2007 4:02:32 AM
BasePriority : Normal
FileVersion : 3.1.0.99
ProductVersion : 3.1.0.99
ProductName : LiveUpdate
CompanyName : Symantec Corporation
FileDescription : Automatic LiveUpdate Scheduler Service
InternalName : Automatic LiveUpdate Scheduler Service
LegalCopyright : Copyright © 1996-2006 Symantec Corporation
OriginalFilename : ALUSchedulerSvc.exe

#:16 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 408
ThreadCreationTime : 2-2-2007 4:02:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:17 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 688
ThreadCreationTime : 2-2-2007 5:29:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2036
ThreadCreationTime : 2-2-2007 7:53:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:19 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 2696
ThreadCreationTime : 2-2-2007 8:36:35 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:20 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 3672
ThreadCreationTime : 2-2-2007 10:11:46 AM
BasePriority : Normal
FileVersion : 1.9.1.1034
ProductVersion : 1.9.1.1034
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:21 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2792
ThreadCreationTime : 2-5-2007 9:04:14 PM
BasePriority : Normal
FileVersion : 6.14.10.4131
ProductVersion : 6.14.10.4131.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:22 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3376
ThreadCreationTime : 2-5-2007 9:04:17 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:23 [tgcmd.exe]
FilePath : C:\Program Files\support.com\bin\
ProcessID : 2088
ThreadCreationTime : 2-5-2007 9:04:34 PM
BasePriority : Normal
FileVersion : 5,5,402,0
ProductVersion : 5,5,402,0
ProductName : Support.com Scheduler and Command Dispatcher
CompanyName : Support.com, Inc.
FileDescription : Support.com Scheduler and Command Dispatcher
InternalName : TGCMD
LegalCopyright : Copyright 1997-2069 Support.com
OriginalFilename : TGCMD.EXE

#:24 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_10\bin\
ProcessID : 3908
ThreadCreationTime : 2-5-2007 9:04:36 PM
BasePriority : Normal


#:25 [point32.exe]
FilePath : C:\Program Files\Microsoft IntelliPoint\
ProcessID : 2988
ThreadCreationTime : 2-5-2007 9:04:39 PM
BasePriority : Normal


#:26 [hpztsb09.exe]
FilePath : C:\WINDOWS\system32\spool\drivers\w32x86\3\
ProcessID : 1064
ThreadCreationTime : 2-5-2007 9:04:40 PM
BasePriority : Normal
FileVersion : 2.236.4.0
ProductVersion : 2.236.4.0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2003

#:27 [hpwuschd2.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Software Update\
ProcessID : 1888
ThreadCreationTime : 2-5-2007 9:04:43 PM
BasePriority : Normal
FileVersion : 50.0.146.000
ProductVersion : 050.000.146.000
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : Hewlett-Packard Product Assistant
InternalName : hpwuSchd2
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2004
OriginalFilename : hpwuSchd2.exe
Comments : Hewlett-Packard Product Assistant

#:28 [mim.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 600
ThreadCreationTime : 2-5-2007 9:04:47 PM
BasePriority : Normal
FileVersion : 10.10.0093
ProductVersion : 10.10.0093
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : mim
InternalName : mim
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : mim.exe

#:29 [mmdiag.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 3920
ThreadCreationTime : 2-5-2007 9:04:48 PM
BasePriority : Normal
FileVersion : 10.10.0093
ProductVersion : 10.10.0093
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : Logging and tracing manager
InternalName : MMTraceExe
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : MMTraceExe.EXE

#:30 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ProcessID : 2444
ThreadCreationTime : 2-5-2007 9:04:48 PM
BasePriority : Normal
FileVersion : 1.7.1.0
ProductVersion : 1.7.1.0
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2003
OriginalFilename : HPCmpMgr.exe

#:31 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 556
ThreadCreationTime : 2-5-2007 9:04:57 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:32 [atidtct.exe]
FilePath : C:\Program Files\ATI Multimedia\main\
ProcessID : 1720
ThreadCreationTime : 2-5-2007 9:04:59 PM
BasePriority : Normal
FileVersion : 9.01.002
ProductVersion : 9.01
ProductName : ATI Multimedia Center
CompanyName : ATI Technologies Inc.
FileDescription : ATI Device Detection Application
InternalName : AtiDtct
LegalCopyright : Copyright © 2003 ATI Technologies Inc.
OriginalFilename : AtiDtct.EXE

#:33 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 3736
ThreadCreationTime : 2-5-2007 9:05:01 PM
BasePriority : Normal


#:34 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 3072
ThreadCreationTime : 2-5-2007 9:05:08 PM
BasePriority : Normal
FileVersion : 106.1.3.3
ProductVersion : 106.1.3.3
ProductName : Symantec Security Technologies
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2006 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:35 [dsagnt.exe]
FilePath : C:\PROGRA~1\DELLSU~1\
ProcessID : 1428
ThreadCreationTime : 2-5-2007 9:05:40 PM
BasePriority : Below Normal
FileVersion : 1, 1, 0, 73
ProductVersion : 1, 1, 0, 73
ProductName : Dell Support
CompanyName : Gteko Ltd.
FileDescription : Dell Support
InternalName : AUAgent
LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd.
OriginalFilename : AUAgent.exe

#:36 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3484
ThreadCreationTime : 2-5-2007 9:05:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:37 [atirw.exe]
FilePath : C:\Program Files\ATI Multimedia\RemCtrl\
ProcessID : 3368
ThreadCreationTime : 2-5-2007 9:05:59 PM
BasePriority : Normal
FileVersion : 2.5.0.0
ProductVersion : 2.5.0.0
ProductName : ATI Remote Wonder
CompanyName : ATI Technologies Inc.
FileDescription : ATI Remote Wonder
LegalCopyright : Copyright © 2002-2004 ATI Technologies Inc.
OriginalFilename : ATIRW.EXE

#:38 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3828
ThreadCreationTime : 2-5-2007 9:06:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:39 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2412
ThreadCreationTime : 2-5-2007 9:07:22 PM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S.

and/or other countries.
OriginalFilename : msmsgs.exe

#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 528
ThreadCreationTime : 2-7-2007 6:21:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@atdmt.com/
Expires : 2-4-2012 7:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@media.fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@media.fastclick.net/
Expires : 2-7-2007 2:19:20 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@clickbank[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@clickbank.net/
Expires : 8-6-2007 1:16:02 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@ehg-dig.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:37
Value : Cookie:administrator@ehg-dig.hitbox.com/
Expires : 2-7-2008 12:11:24 PM
LastSync : Hits:37
UseCount : 0
Hits : 37

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@uk.sitestat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@uk.sitestat.com/riskwaters/risk/
Expires : 2-6-2012 12:01:08 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@incisivemedia.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@incisivemedia.112.2o7.net/
Expires : 2-6-2012 12:01:10 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@statse.webtrendslive[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:administrator@statse.webtrendslive.com/
Expires : 2-4-2017 12:44:02 AM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@revsci[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:administrator@revsci.net/
Expires : 2-2-2027 11:33:14 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@msnportal.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@msnportal.112.2o7.net/
Expires : 2-5-2012 7:49:18 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@data.coremetrics[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@data.coremetrics.com/
Expires : 2-6-2022 11:57:54 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:38
Value : Cookie:administrator@2o7.net/
Expires : 2-6-2012 1:14:36 PM
LastSync : Hits:38
UseCount : 0
Hits : 38

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@tribalfusion.com/
Expires : 2-6-2008 7:28:46 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pro-market[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:administrator@pro-market.net/
Expires : 5-31-2030 7:00:00 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@ads.addynamix[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@ads.addynamix.com/
Expires : 2-6-2012 12:11:28 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@live365.com/
Expires : 2-11-2012 3:44:22 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@doubleclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:administrator@doubleclick.net/
Expires : 2-5-2010 4:08:24 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@questionmarket.com/
Expires : 3-30-2008 4:05:32 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@clickz[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@clickz.com/
Expires : 1-17-2038 7:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@server.iad.liveperson[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:administrator@server.iad.liveperson.net/
Expires : 2-6-2008 7:51:14 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@server.iad.liveperson[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:administrator@server.iad.liveperson.net/hc/80503492
Expires : 2-6-2008 7:51:18 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adlegend[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:administrator@adlegend.com/
Expires : 2-6-2017 11:59:14 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@fastclick.net/
Expires : 2-6-2009 1:16:42 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@mediaplex.com/
Expires : 6-21-2009 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:administrator@advertising.com/
Expires : 2-6-2012 12:14:58 PM
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@www.stopzilla[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@www.stopzilla.com/
Expires : 2-6-2008 7:50:46 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value : Cookie:administrator@zedo.com/
Expires : 2-4-2017 11:48:32 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@goclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@goclick.com/
Expires : 12-31-2009 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@uk.sitestat[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@uk.sitestat.com/riskwaters/
Expires : 2-6-2012 12:01:08 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@247realmedia.com/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tacoda[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:66
Value : Cookie:administrator@tacoda.net/
Expires : 2-2-2008 1:07:14 PM
LastSync : Hits:66
UseCount : 0
Hits : 66

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:19
Value : Cookie:administrator@hitbox.com/
Expires : 2-7-2008 12:11:24 PM
LastSync : Hits:19
UseCount : 0
Hits : 19

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 31
Objects found so far: 47



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 47




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47

1:53:14 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:30:50.266
Objects scanned:190265
Objects identified:31
Objects ignored:0
New critical objects:31

#4 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 07:50 PM

And now HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:40 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented

by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec

Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common

Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader

8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader

8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file

missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/

(file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file

missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -

https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) -

http://www.vzwpix.co...loadControl.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

http://simcity.ea.co...ty4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

85.255.116.23,85.255.112.74
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

85.255.116.23,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\VAScanner\comHost.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program

Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program

Files\WebDrive\wdservice.exe


Gogo, Do you think it may be the "fake codec installer" thing?

Thanks,
Blix

#5 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 07 February 2007 - 08:27 PM

Hi,Blix

First may i ask that you don't change the look or feel of the logfile


Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file
missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
(file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file
missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =
85.255.116.23,85.255.112.74
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =
85.255.116.23,85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

-------------------

Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) together with the results from look.txt, present on your desktop and a new Hijackthis log.

Note: ONLY if you have connection problems afterwards - go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

-------------------

Then come back here with a new HijackThis logfile and the Fixwareout report.txt

Gogo :D
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

QUOTE

#6 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 09:01 PM

Gogo,

Here is file: report.txt. I had windows perform a search, but I couldn't find file: look.txt that you referred to in your last post. :D I will post new HijackThis log next. I've copied and pasted the text directly from the logs. I'm sorry if this changes the look or feel of the logs in any way; I don't know any other way to do it.

-Blix

Fixwareout
Last edited 1/30/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdele.exe will be moved to C:\WINDOWS\temp\kdele.ren at reboot.

»»»»» System restarted
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

»»»»» Misc files.

»»»»» Checking for older varients.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebDriveTray"="C:\\Program Files\\WebDrive\\webdrive.exe /trayicon"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\PROGRA~1\\DELLSU~1\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"

Hosts file was reset, If you use a custom hosts file please replace it

#7 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 09:05 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:05:24 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented

by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec

Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common

Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader

8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader

8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -

https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) -

http://www.vzwpix.co...loadControl.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

http://simcity.ea.co...ty4PatcherX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\VAScanner\comHost.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program

Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program

Files\WebDrive\wdservice.exe

#8 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 09:14 PM

Also,

I just tried linking to a site from my search engine and I didn't get redirected. Pages seem to load a lot faster now also. :) So, unless you recognize any problems in the new logs I've posted, I think you've solved my problem! What can I do in the future to avoid this?

Thanks again for your help. You're the MAN/WOMAN. :D

-Blix

#9 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 07 February 2007 - 09:37 PM

Hey,Blix86

Try this

uncheck "word wrap" in Format menu of the Notepad

--------------

Open notepad and copy and paste next bold in it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"

type peek1.txt >> startup.txt

type peek2.txt >> startup.txt

del peek*.txt

start notepad startup.txt


post the startup.txt file and new HijackThis logfile

and is the PC any better now

Gogo :D
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

QUOTE

#10 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 07 February 2007 - 11:19 PM

Gogo,

Please excuse my inexperience. I've pasted the bold lines into notepad, but I don't know what to name the file or what to do with it. Also, I can't find file: startup.txt on my computer (windows search returned nothing).

Here is new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:24 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

#11 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 08 February 2007 - 12:04 AM

Hi,Blix86

It's me try it like this please


Open notepad and copy and paste next bold in it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"

type peek1.txt >> startup.txt

type peek2.txt >> startup.txt

del peek*.txt

start notepad startup.txt


Save this as lookdisable.bat , choose to save as *all files and place it on your desktop.

This is how the batch must look after you created it:bat.JPG

Doubleclick on lookdisable.bat and post the contents of it here.


Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

QUOTE

#12 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 08 February 2007 - 01:49 AM

Gogo,

Here is the .bat:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intel system tool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svehost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\svehost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SFP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vzSFPWin"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\Verizon Online\\SFP\\vzSFPWin.EXE /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\stats1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stats1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\stats1.exe"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

#13 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 08 February 2007 - 02:42 AM

Hi,Blix86


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

------------------

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)
NOTE: do not copy the word quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intel system tool]


Save this as fix.reg Choose to save as *all files and place it on your Desktop.
It should look like this:reg.gif
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

------------------

Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

Files to delete:
C:\Windows\System32\svehost.exe


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.


-----------------

Then come back here so we may do are last steps here.


Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

QUOTE

#14 Ai_Tak

Ai_Tak

    Advanced Member

  • Members
  • PipPipPip
  • 1372 posts

Posted 08 February 2007 - 07:34 AM

I'm a new forum member. I've been using Ad-Aware SE Personal for a few years now and it's worked out great. But this issue is strange. I've read through some other posts concerning this search engine redirect issue. I feel like user Ai_Tak knows what it is but I don't know how to fix it myself. Is this the correct forum for posting scan logs? I have an Ad-Aware log and HijackThis log ready for anyone who would be kind enough to help me.

Yes, you were correct, you were infected with the fake codec trojan (aka wareout, aka zlob, aka trojan.flush, aka kedr) that I have been focusing on recently.

The other helpers around here are now fully aware of this trojan and have got you going on the right track.

Do you remember how/when/where you got infected? Also, skim over the fake codec trojan page (ignore anything that is too technical) and see if any of it seems familiar.

#15 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 08 February 2007 - 10:35 PM

Gogo,

Here is the Avenger log. I think it couldn't find file: svehost.exe because I may have deleted it manually yesterday ^_^ (I've been going through msconfig and regedit myself trying to delete viruses/spyware/other unecessary crap, etc.). But here it is anyway, next post is new HijackThis:



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fsjksvld

*******************

Script file located at: \??\C:\WINDOWS\wftcicbc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\System32\svehost.exe not found!
Deletion of file C:\Windows\System32\svehost.exe failed!

Could not process line:
C:\Windows\System32\svehost.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#16 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 08 February 2007 - 10:36 PM

And new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:50 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [stats1] C:\WINDOWS\system32\stats1.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#17 Blix86

Blix86

    Member

  • Members
  • PipPip
  • 13 posts

Posted 08 February 2007 - 10:43 PM

Yes, you were correct, you were infected with the fake codec trojan (aka wareout, aka zlob, aka trojan.flush, aka kedr) that I have been focusing on recently.

The other helpers around here are now fully aware of this trojan and have got you going on the right track.

Do you remember how/when/where you got infected? Also, skim over the fake codec trojan page (ignore anything that is too technical) and see if any of it seems familiar.


Ai_Tak,

Glad you could weigh in on this issue. Unfortunately, I'm not the only person to use this computer, so I can't be absolutely certain when it got infected. I noticed it about a week ago. At first, I thought it was just bad links/websites but after a while I noticed a pattern and that even legit sites were doing it. Also, I think it caused my browser to be unable to load certain websites that I regularly travel to (is this called "DoS"?). Sorry I can't give you more specific details.

Gogo has been extremely helpful and I'm no longer experiencing this problem. I'll read over the fake codec trojan page and if I notice anything I'll post here.

Thanks,
Blix




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users