Keep getting redirected when searching Yahoo, Google, etc.
karns
Newbie
26. May 2008 @ 22:47
Hello
I keep getting redirected to different sites when I click on links when on any search engine. I can't for the life of me figure out what is wrong.
Here is the HijackThis file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:51 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Zune Bus Enumerator (ZuneBusEnum) - Unknown owner - c:\WINDOWS\system32\ZuneBusEnum.exe (file missing)
--
End of file - 2552 bytes
And the Fixwareout file:
Username "Owner" - 05/26/2008 22:19:26 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="\"C:\\Program Files\\OLYMPUS\\OLYMPUS Master 2\\MMonitor.exe\" -NoStart"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Any help would be appreciated
karns
Newbie
27. May 2008 @ 08:20
Anybody have any ideas what it could be?
Senior Member
27. May 2008 @ 08:47
Hi karns
As for your problem, I would have pointed out a hosts file problem, but apparently Fixwareout has reset the hosts file, so it shouldn't be a problem anymore. But if it still is, perhaps it isn't a hosts file problem. However, I cannot spot any trouble within your HijackThis log, and as there is a lot of malware which can redirect sites, there is absolutely no way to immediately pinpoint the problem.
Can you possibly rule out a DNS/ISP problem? Have you tried with another computer connected to the same DNS/ISP?
Also, I don't know if you want to take the trouble, but as I wouldn't recommend AVG as a good antivirus, could you download Antivir Free v8 and scan with that? Or, as the case might be, spyware could be the culprit, and possibly A-squared can be useful for that. If you do not want to download these files, it is fine, and we can work around AVG if possible.
There is a variant of Vundo which avoids HijackThis as a process, so I would also recommend changing the name of your HijackThis scanner to something like "scannerhjt" or something. Scan with the renamed HijackThis file in safe mode, and also do an AVG (or any other scanner) scan in safe mode as well.
Best Regards :D
Edit: Also download a rootkit scanner (I recommend GMER) and scan with it. (If you use GMER, scan only for hidden files, registry keys, and processes.)
This message has been edited since posting. Last time this message was edited on 27. May 2008 @ 08:54
karns
Newbie
28. May 2008 @ 21:31
OK, so I renamed my HijackThis file and ran it in safe mode, and I also used GMER while in safe mode.
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-28 21:21:40
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
Code E17B1B5E ZwQueryDirectoryFile
Code E17B1B5D NtQueryDirectoryFile
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!NtQueryDirectoryFile 80573515 5 Bytes JMP E17B1B62
---- User code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\svchost.exe[576] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: baserom32.dll
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!LdrLoadDll 7C9161CA 10 Bytes JMP 00403B1D C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] FBFEF5D9
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] BFE6EFFD
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] E6FCD2BF
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E7FCFAF2
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] E0F2B8E1
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 000000FC
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] ECE0F4F2
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] A6F3F5EA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 00EEF2EC
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 696B6B74
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 66783268
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] 0000007A
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F4F8EAC3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] ECF8FAE8
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] C5C3D9C3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] 0000D4CA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] F1EAECC1
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] A4FCE9E3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] EAE2EEC6
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 00AAE7FA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] B7B1B1B7
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] C6DFD5C8
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] D9F89489
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] D6D5D1CD
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 908993DA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] A1E9E08F
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] A7B5A9AC
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] A6ABA1B3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 83EDF7AE
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] F294999C
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] E6E5FAE6
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] B38EF8EC
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] A9B2B8B5
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] DAD8C0AC
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] 000000CA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 898893FA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] CFD1F08E
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] ADEEEED3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] D39C9489
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 000000CA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] A3D6C4C7
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 000000AB
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] 62656467
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] 613A3B29
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 7D376F60
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 4D420E7A
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 00000B4E
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] 642ECDCD
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] 0000667A
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] 5870467F
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] 0052455A
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FEF5E4E1
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] FAF19AFF
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 000000FB
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 7A62552B
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 48796F7F
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] 00006261
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] E1E4F0C7
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] F7DEEBFD
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 0000A0F0
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] 0A03053C
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] 00020700
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] 00000000
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F7EADCD1
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] E6E7E1F8
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] F2F2F2FA
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] F9CCC2F8
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] E9E6F6F2
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] DAD2E5F9
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] D8C5CFDB
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] C4C1C1EE
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] E7DFDDC3
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] FBEBC2D0
IAT C:\WINDOWS\system32\svchost.exe[576] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] CECFD4D6
---- Modules - GMER 1.0.14 ----
Module \??\globalroot\systemroot\system32\drivers\clbdriver.sys (*** hidden *** ) F896B000-F896E000 (12288 bytes)
---- Processes - GMER 1.0.14 ----
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [212] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [456] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [540] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [608] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1012] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe [1268] 0x76FD0000
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\afd.sys (*** hidden *** ) [SYSTEM] AFD <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@ImagePath \SystemRoot\System32\drivers\afd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@DisplayName AFD Networking Support Environment
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@Group TDI
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD@Description AFD Networking Support Environment
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\AFD\Security@Security 0x01 0x00 0x14 0x80 ...
---- Files - GMER 1.0.14 ----
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes
File C:\WINDOWS\system32\clb.dll 10752 bytes
File C:\WINDOWS\system32\clbcatex.dll 110080 bytes
File C:\WINDOWS\system32\clbcatq.dll 498688 bytes
File C:\WINDOWS\system32\clbdll.dll 45056 bytes
File C:\WINDOWS\system32\clbinit.dll 1695 bytes
File C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes
File C:\WINDOWS\system32\drivers\clbdriver.sys 5632 bytes
File C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll 110080 bytes
File C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll 499712 bytes
File C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll 100864 bytes
File C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll 468480 bytes
File C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll 110080 bytes
File C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll 501248 bytes
File C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes
File C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes
---- EOF - GMER 1.0.14 ----
karns
Newbie
28. May 2008 @ 21:36
And here is the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:44 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
--
End of file - 2112 bytes
karns
Newbie
28. May 2008 @ 21:39
Oh, BTW, thanks for your help so far.
Senior Member
29. May 2008 @ 09:55
I'm terribly sorry that I said to run HijackThis in safe mode. I was wrong. You should rename the file (I see that you did not rename it from its original name of "HijackThis.exe"), then run it in normal mode. And no, your GMER log does not show any unusual activity or rootkit. This may require more analysis.
Have you scanned with scanners such as Spybot, A-squared, and Antivir? If not, I recommend you do so, but with A-squared, do not remove what it detects, but rather, post the log here.
Best Regards :D
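The checks the replies in this thread apply by eye (a hosts-file redirect of the search engines, the lines GMER itself tags as hidden or mismatched, and the O20 AppInit_DLLs and O23 "(file missing)" entries in a HijackThis log) can be written down as a small triage script. This is an added example, not code from the thread or from any of the tools named; the sample inputs are short excerpts of the logs posted above plus a constructed hosts file, and the rules are plain string heuristics, so anything they flag is a review item rather than a verdict.

```python
import re

# Search-engine hosts the poster is redirected from.  A hosts-file line that
# maps one of them anywhere except loopback is the "hosts file problem".
WATCHED_HOSTS = {"google.com", "www.google.com", "yahoo.com", "www.yahoo.com",
                 "search.yahoo.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def check_hosts(hosts_text, watched=WATCHED_HOSTS):
    """Return (ip, hostname) pairs where a watched host points off-loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched and ip not in LOOPBACK:
                hits.append((ip, name.lower()))
    return hits

# HijackThis entries look like "O23 - Service: ..."; other lines are header text.
HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def parse_hjt(log_text):
    """Split a HijackThis log into (section_code, body) tuples."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage_hjt(entries):
    """Flag the entries a reviewer reads first: an O23 service whose binary is
    gone, and each DLL in O20 AppInit_DLLs, which Windows loads into every
    process that maps user32.dll."""
    findings = []
    for code, body in entries:
        if code == "O23" and "(file missing)" in body:
            findings.append((code, "service binary missing", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append((code, "AppInit DLL", dll.strip()))
    return findings

# Markers GMER prints on lines it could not reconcile with the normal view of
# the system.  Antivirus self-protection hooks the same places, so a hit means
# "look at this", not "this is malware".
GMER_MARKERS = ("*** hidden ***", "ROOTKIT", "image checksum mismatch",
                "unknown module")

def triage_gmer(log_text):
    """Return (section, line) pairs for GMER lines carrying a marker."""
    findings, section = [], None
    for line in log_text.splitlines():
        head = re.match(r"^---- (.*?) - GMER", line)
        if head:
            section = head.group(1)
            continue
        if any(mark in line for mark in GMER_MARKERS):
            findings.append((section, line.strip()))
    return findings

# Sample inputs: a constructed hosts file (203.0.113.7 is a documentation
# address) plus short excerpts of the logs posted in this thread.
HOSTS_SAMPLE = """# constructed sample, not the poster's hosts file
127.0.0.1 localhost
203.0.113.7 www.google.com google.com
127.0.0.1 www.yahoo.com
"""
HJT_SAMPLE = r"""O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Zune Bus Enumerator (ZuneBusEnum) - Unknown owner - c:\WINDOWS\system32\ZuneBusEnum.exe (file missing)
"""
GMER_SAMPLE = r"""---- User code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\svchost.exe[576] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: baserom32.dll
---- Modules - GMER 1.0.14 ----
Module \??\globalroot\systemroot\system32\drivers\clbdriver.sys (*** hidden *** ) F896B000-F896E000 (12288 bytes)
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\afd.sys (*** hidden *** ) [SYSTEM] AFD <-- ROOTKIT !!!
"""

def run_samples():
    """Run all three checks over the samples and return their findings."""
    return {
        "hosts": check_hosts(HOSTS_SAMPLE),
        "hjt": triage_hjt(parse_hjt(HJT_SAMPLE)),
        "gmer": triage_gmer(GMER_SAMPLE),
    }

if __name__ == "__main__":
    for kind, items in run_samples().items():
        print(f"[{kind}] {len(items)} finding(s)")
        for item in items:
            print("   ", *item)
```

On a real machine, feed it the contents of `%SystemRoot%\system32\drivers\etc\hosts` and the saved log files instead of the embedded samples.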
karns
Newbie
29. May 2008 @ 20:47
Thank you very much.
Here is the HijackThis run in normal mode:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:49 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\xxHijackThisxx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
--
End of file - 2324 bytes
karns
Newbie
30. May 2008 @ 07:24
And here is the a-squared report.
This is the deep scan report:
a-squared Anti-Malware - Version 3.5
Last update: 5/29/2008 9:09:50 PM
Scan settings:
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On
Scan start: 5/30/2008 12:18:55 AM
c:\windows\system32\swrt01.dll detected: Trace.File.AdDestroyer
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> IEProtection detected: Trace.Registry.SpyNoMore
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> ProcProtection detected: Trace.Registry.SpyNoMore
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> RegProtection detected: Trace.Registry.SpyNoMore
c:\program files\advanceddvdplayer detected: Trace.Directory.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\~myplaylist~ detected: Trace.File.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\advanceddvdplayer.exe detected: Trace.File.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\default playlist.m3u detected: Trace.File.AdvancedDVDPlayer
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\AdvancedDVDPlayer\Directory --> CurrentPath detected: Trace.Registry.AdvancedDVDPlayer
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\AdvancedDVDPlayer\Directory --> TempPath detected: Trace.Registry.AdvancedDVDPlayer
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\betvnft7.default\Cache\EEA4540Ed01 detected: Adware.Win32.Agent.zk
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080507-200703-537.dll detected: Adware.Win32.E404.an
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe detected: Adware.BackWeb.a
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix\backups\backups.zip/~.exe detected: Trojan.Win32.SubSys.dr
C:\SDFix\backups_old\backups.zip/527631.dll detected: Adware.Win32.E404.an
C:\SDFix\backups_old\backups.zip/zfe1.exe detected: Hoax.Win32.Renos.cdh
C:\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089273.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089277.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089281.exe detected: Hoax.Win32.Renos.cdh
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP679\A0089713.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090057.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090111.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090118.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092892.exe detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092893.EXE detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092894.EXE detected: Trojan.Win32.Agent.duu
C:\WINDOWS\system32\rtmipr.dll detected: Hoax.Win32.Agent.ct
C:\WINDOWS\system32\SWRT01.dll detected: Adware.Win32.VirtualBouncer.g
Scanned
Files: 223958
Traces: 406297
Cookies: 315
Processes: 21
Found
Files: 22
Traces: 10
Cookies: 7
Processes: 0
Registry keys: 0
Scan end: 5/30/2008 2:09:07 AM
Scan time: 1:50:12
Once again, thanks a lot for your help so far.
Senior Member
31. May 2008 @ 04:52
Hi karns!
Aha!!! I thought I smelled a rat. Here are some files you can remove within A-squared safely.
c:\windows\system32\swrt01.dll detected: Trace.File.AdDestroyer
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\betvnft7.default\Cache\EEA4540Ed01 detected: Adware.Win32.Agent.zk
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080507-200703-537.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089273.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089277.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089281.exe detected: Hoax.Win32.Renos.cdh
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP679\A0089713.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090057.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090111.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090118.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092892.exe detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092893.EXE detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092894.EXE detected: Trojan.Win32.Agent.duu
C:\WINDOWS\system32\rtmipr.dll detected: Hoax.Win32.Agent.ct
C:\WINDOWS\system32\SWRT01.dll detected: Adware.Win32.VirtualBouncer.g
Do you recognize SpyNoMore and Advanced DVD Player as being installed on your system with your consent? If so, you can ignore these entries. If you do not recognize them as legitimate, you can remove them.
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> IEProtection detected: Trace.Registry.SpyNoMore
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> ProcProtection detected: Trace.Registry.SpyNoMore
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\Illysoft\SNM\Settings --> RegProtection detected: Trace.Registry.SpyNoMore
c:\program files\advanceddvdplayer detected: Trace.Directory.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\~myplaylist~ detected: Trace.File.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\advanceddvdplayer.exe detected: Trace.File.AdvancedDVDPlayer
c:\program files\advanceddvdplayer\default playlist.m3u detected: Trace.File.AdvancedDVDPlayer
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\AdvancedDVDPlayer\Directory --> CurrentPath detected: Trace.Registry.AdvancedDVDPlayer
Value: HKEY_USERS\S-1-5-21-1395713349-4222255101-3498602251-1003\Software\AdvancedDVDPlayer\Directory --> TempPath detected: Trace.Registry.AdvancedDVDPlayer
Can you confirm that you have run SDFix on your computer, and have files located in C:\SDFix and C:\Documents and Settings\Owner\Desktop\SDFix.exe? If you have run SDFix and have it located on your desktop, you can ignore the following entries. If not, you can remove these entries.
C:\Documents and Settings\Owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix\backups\backups.zip/~.exe detected: Trojan.Win32.SubSys.dr
C:\SDFix\backups_old\backups.zip/527631.dll detected: Adware.Win32.E404.an
C:\SDFix\backups_old\backups.zip/zfe1.exe detected: Hoax.Win32.Renos.cdh
C:\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
Also, please do not remove these entries as they are part of HP, and are detected as riskware because of their functions.
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe detected: Adware.BackWeb.a
Remove all the entries above which I have told you to remove, restart, then scan again. If they are still present in your system or are undeletable, you may have to run it in safe mode.
Also, running Spybot and Antivir may confirm more malware on your system.
Best Regards :D
This message has been edited since posting. Last time this message was edited on 31. May 2008 @ 04:54
karns
Newbie
4. June 2008 @ 22:09 |
Sorry I was out of town for a couple of days.
I thought I got it, but it still redirects me. Also, I now have no sound on my computer at all, so I used this website http://www.kellys-korner-xp.com/xp_tweaks.htm which installed some of the registries.
Anyway, here are my new logs.
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:23 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
--
End of file - 2129 bytes
And A2:
a-squared Anti-Malware - Version 3.5
Last update: 6/4/2008 7:36:38 PM
Scan settings:
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On
Scan start: 6/4/2008 7:37:14 PM
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@counter13.sextracker[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@counter6.sextracker[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@sextracker[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089273.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089277.dll detected: Adware.Win32.E404.an
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP672\A0089281.exe detected: Hoax.Win32.Renos.cdh
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP679\A0089713.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090057.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090111.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP681\A0090118.exe detected: Trojan.Win32.SubSys.dr
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP690\A0091833.sys detected: Rootkit.Win32.Agent.aol
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092892.exe detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092893.EXE detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP692\A0092894.EXE detected: Trojan.Win32.Agent.duu
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP694\A0094943.dll detected: Adware.Win32.VirtualBouncer.g
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP694\A0095940.dll detected: Hoax.Win32.Agent.ct
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP694\A0095941.exe detected: Adware.BackWeb.a
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP694\A0095942.dll detected: Adware.Win32.E404.an
Scanned
Files: 220100
Traces: 408349
Cookies: 353
Processes: 17
Found
Files: 19
Traces: 0
Cookies: 10
Processes: 0
Registry keys: 0
Scan end: 6/4/2008 9:48:24 PM
Scan time: 2:11:10
Senior Member
8. June 2008 @ 09:57 |
Hey karns.
I see that your problem came back again. Sounds a whole lot like Vundo. Please download both VundoFix and VirtumundoBeGone. Run both of them and see how it goes.
As for your lack of sound, perhaps your sound driver is damaged. You can reinstall your driver by downloading it from your computer's manufacturer site or somewhere else.
Best Regards :D
karns
Newbie
10. June 2008 @ 00:13 |
Thanks
I downloaded VundoFix; however, it didn't find anything. I ran SmitFraudFix and here is the log:
SmitFraudFix v2.323
Scan done at 23:42:45.75, Mon 06/09/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.10
DNS Server Search Order: 65.24.7.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B8E8917C-11E3-4CF2-915D-D9923917E4F7}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B8E8917C-11E3-4CF2-915D-D9923917E4F7}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B8E8917C-11E3-4CF2-915D-D9923917E4F7}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Here is a new HijackThis scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:47 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\helloserv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [helloserv] C:\WINDOWS\helloserv.exe
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
--
End of file - 1463 bytes
I am still getting redirected; however, it is now in a popup instead of the window that I am searching on. So when I click a link, a popup comes up with something totally irrelevant to what I clicked on, while the main page stays the same. I also noticed that I have 3 winlogons, 2 of which were created in 2003 and 2004. The third is in my Windows temp folder with a create date of June 6, 2008. Could this be something?
Thanks again for all your help
Senior Member
10. June 2008 @ 09:44 |
Hey karns.
Sorry for this bitter and possibly cruel piece of advice, but I would actually suggest a format. The choice is yours, and you are free to decide.
However, if you decide to fight, I will be here. Firstly, please download Autoruns from Sysinternals, and take a screenshot of everything under the tabs Explorer and Winlogon. Also, using HijackThis Tools, please create a startup list log and post it here.
Something has changed in your HijackThis log. Do you recognize the file C:\WINDOWS\helloserv.exe? If you do not, and have done nothing to invite any more malware, I suspect a trojan downloader in your case. Those can be hard to take care of, as they download more and more malware. Please look here: http://www.trendmicro.com/vinfo/virusenc...ATI.BHA&VSect=T for more information on your helloserv.exe file.
As for your many winlogon problems, HijackThis does not detect a thing. It may be the problem, as there are not supposed to be multiple winlogon files, only one in C:\Windows\system32. You may quarantine these files by isolating them into another folder on your drive and renaming them and their file extensions. This may also be another symptom of your downloader malware. Also, this can be a reason to promote the idea of formatting, as those hidden settings which downloaders make to be able to download malware may never be reversed, thus never fixing your computer.
Have you run VirtumundoBeGone? If not, please download it from here: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
I may be throwing pebbles at a wall, but Antivir Spybot might be worth a try. It digs deep, and is pretty good at downloaders.
Best Regards :D
PS: One more thing. Go to your C:\Windows\system32, and arrange all your files by date. Scroll down to the latest, and look for random-named dll or exe files. Post those files here.
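The two signals the reply above (and karns's own observation about the extra winlogon.exe in the Windows temp folder) rely on can be checked mechanically when reading a HijackThis log: an autorun entry whose executable lives in a temp directory, a file that borrows the name of a core Windows binary but sits outside that binary's real directory, and an entry registered under the SYSTEM account's hive. The Python script below is an added example for triaging O4 lines and is not part of this thread or of HijackThis itself; the sample lines are constructed to match the O4 format used in the logs above, and the table of expected locations for core XP binaries is an assumed allowlist for the example, not something the tool ships with.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the O4 format HijackThis uses (same shape as the
# logs in this thread); they are not copied from a real scan.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [helloserv] C:\WINDOWS\helloserv.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')",
    r"O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')",
]

# Two O4 shapes: registry Run entries and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:\[]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>.+? Startup): (?P<name>.+?) = (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")

# Assumed allowlist for this example: where Windows XP keeps these binaries.
# A same-named file anywhere else deserves a close look (karns's third winlogon).
CORE_BINARY_HOME = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
TEMP_DIR_NAMES = {"temp", "tmp"}


def parse_o4(line):
    """Return (hive, entry name, command) for an O4 line, or None for anything else."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    return m.group("hive"), m.group("name"), m.group("cmd")


def executable_path(cmd):
    """Strip the trailing (User '...') annotation and arguments, keep the program path."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess(hive, path):
    """Reasons to review this autorun; an empty list means nothing stood out."""
    reasons = []
    p = PureWindowsPath(path)
    name = p.name.lower()
    if len(p.parts) == 1:
        reasons.append("bare file name; which copy runs depends on the search path")
    else:
        if {part.lower() for part in p.parts} & TEMP_DIR_NAMES:
            reasons.append("executes from a temp directory")
        home = CORE_BINARY_HOME.get(name)
        if home and str(p.parent).lower() != home:
            reasons.append(f"{name} outside its expected location {home}")
    if "S-1-5-18" in hive:  # the SYSTEM account's hive: unusual for user software
        reasons.append("registered under the SYSTEM account hive")
    return reasons


def triage(lines):
    """Parse O4 lines and return the entries that have at least one review reason."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, name, cmd = parsed
        path = executable_path(cmd)
        reasons = assess(hive, path)
        if reasons:
            findings.append({"entry": name, "hive": hive, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f['entry']}] {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the constructed sample this flags two entries: the bare `Mixer.exe` (worth confirming it resolves to the C-Media mixer in C:\WINDOWS, as the process list shows) and the `winlogon.exe` in C:\WINDOWS\TEMP under the SYSTEM hive, which collects all three reasons. It does not flag `helloserv.exe`, which shows why an unfamiliar name still needs the manual lookup the reply recommends: the heuristics catch placement and privilege anomalies, not unknown binaries.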