Avast WEBforum

Other => Viruses and worms => Topic started by: basilbrush on November 18, 2006, 02:27:09 PM

Title: Google search infected?
Post by: basilbrush on November 18, 2006, 02:27:09 PM
This is getting really worrying. When I search for something in google or in the google toolbar, the results show up like always. But when I click on them I get redirected to other search engines rather than the correct page.
I've scanned the local disk with Avast and run boot time scan as well. It looks like I have adware but it is not being picked up. Any ideas anyone?
Title: Re: Google search infected?
Post by: FreewheelinFrank on November 18, 2006, 02:42:56 PM
Hi basilbrush,

Sounds like a browser hijacker. You need to run some adware/spyware scans:

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/

a-Squared:

http://www.emsisoft.com/en/software/free/

Please post a HijackThis! log if none of these works:

http://www.bleepingcomputer.com/tutorials/tutorial42.html
Title: Re: Google search infected?
Post by: basilbrush on November 18, 2006, 05:05:36 PM
Thanx Frank, I'll try that.
As it happens I did run spybot earlier and it showed up some problems in red so I 'fixed' them. But that didn't work so I'll try the other options you suggested.
Title: Re: Google search infected?
Post by: justin1278 on November 18, 2006, 09:53:16 PM
Hello,

Also if you are using a copy of Windows 2000 or XP then I recommend running AVG antispyware (formerly Ewido)

More Info Here (http://free.grisoft.com/doc/avg-anti-spyware-free/lng/us/tpl/v5)

Justin
Title: Re: Google search infected?
Post by: basilbrush on November 19, 2006, 01:11:30 AM
Thanx Justin!
Title: Re: Google search infected?
Post by: basilbrush on November 20, 2006, 02:07:36 PM
I now have AVG, Ad-Aware AND a-squared on my computer as well as Avast.

My google searches STILL get redirected! >:( :'(
Title: Re: Google search infected?
Post by: Lisandro on November 20, 2006, 02:10:39 PM
Quote
I now have AVG ... as well as Avast.
AVG antispyware or AVG antivirus?  ::)
Title: Re: Google search infected?
Post by: basilbrush on November 20, 2006, 02:11:57 PM
Anti-spyware as Jason recommended above.
Title: Re: Google search infected?
Post by: basilbrush on November 20, 2006, 02:13:20 PM
sorry that's Justin.
Title: Re: Google search infected?
Post by: SNOWHITE on November 20, 2006, 02:32:50 PM
Hi basilbrush and welcome to the forum :)
If you have run the antispyware tools and you are still having problems, follow the steps and post the HiJackThis log
* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: Google search infected?
Post by: DavidR on November 20, 2006, 02:48:52 PM
You might also want to check you hosts file C:\Windows\HOSTS, no file extension is displayed, this can be opened with a text editor like notepad. This can be used to redirect lots of different things.

Check for any google url followed by a space and another different url.
Title: Re: Google search infected?
Post by: mouniernetwork on November 21, 2006, 03:37:38 AM
"You might also want to check you hosts file C:\Windows\HOSTS, no file extension is displayed, this can be opened with a text editor like notepad. This can be used to redirect lots of different things."

Actually it's c:\windows\system32\drivers\etc\hosts   :o
But you got the right idea (I think that's the path for win98)

Al968
Title: Re: Google search infected?
Post by: DavidR on November 21, 2006, 01:54:25 PM
Since basilbrush is using AVG anti-spyware, which can't be run under win98 (win2k or winXP only), the win98 path would seem incorrect.  :-*
Title: Re: Google search infected?
Post by: Naimryu on December 01, 2006, 02:56:11 PM
Hi I am experiencing the same problem. I've run a HijackThis scan and am posting it here. Any help would be greatly appreciated. Regards.

Logfile of HijackThis v1.99.1
Scan saved at 13:39:45, on 01/12/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SysWOW64\CTsvcCDA.EXE
C:\Program Files (x86)\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Rainlendar\Rainlendar.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Title: Re: Google search infected?
Post by: Naimryu on December 01, 2006, 02:57:11 PM
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files (x86)\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files (x86)\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files (x86)\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files (x86)\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files (x86)\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134297734890
O17 - HKLM\System\CCS\Services\Tcpip\..\{08AE269A-C67C-40EB-8D8A-E95F00DD4E33}: NameServer = 85.255.115.3,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{35AE4688-BB1A-41C8-8753-F89D88C2A6FD}: NameServer = 85.255.115.3,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{724971DF-DCDA-4B8B-9D43-08B59F0A0AF0}: NameServer = 85.255.115.3,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3952F6A-6099-40F0-90AC-C42A51FF1B8B}: NameServer = 85.255.115.3,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.10
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files (x86)\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slmdmsr.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - Unknown owner - C:\Program Files (x86)\HHVcdV7Sys\VC7SecS.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 01, 2006, 03:16:45 PM
Hi Naimryu,

Follow these instructions to remove the Accoona Search Assistant:

http://www.bleepingcomputer.com/forums/topic42133.html

http://www.bleepingcomputer.com/uninstall/24/Accoona-Search-Assistant.html

Run HijackThis! again, tick the following entries (if still present), click 'fix' and reboot:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing)

Title: Re: Google search infected?
Post by: hoogan on December 01, 2006, 04:38:15 PM
I've been having this problem for 2 days; it's not being picked up by any spyware programs. I'll post my HijackThis log. The only thing I can notice is that I have similar entries for NameServer, at O17 and O18 in the log, to Naimryu:

Quote
Logfile of HijackThis v1.99.1
Scan saved at 15:32:40, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\gary\LOCALS~1\Temp\Rar$EX00.171\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F7EBFBF-1279-4A00-99BF-47E242DA4DD3}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{70083618-8294-46CE-A7BA-8C068DFC0287}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B47F678-370A-4E09-A948-9DD2F77B8060}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8928F70F-0B41-4127-A5AE-E853E02B2DE1}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4B64DB-F54E-46D2-A8B4-E8330D390B6A}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{981F5B7D-940E-4F71-BBB2-4FC64EAF6CCC}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D490E13-9FEF-4DF0-9062-E0AC8C1141DA}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1588797-0DD7-4742-ADB0-7D142F7C40DC}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD850E7-47AD-4A22-96CC-9C89042DCBC7}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63AEC28-8AFA-43C1-B4B8-5BB619C720D6}: NameServer = 85.255.113.107,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.107 85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.107 85.255.112.121
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
Title: Re: Google search infected?
Post by: hoogan on December 01, 2006, 04:38:49 PM
Quote
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 01, 2006, 04:52:23 PM
Hi hoogan,

You have the Wanadoo toolbar installed. I don't know if this might be causing the problem:

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

Try fixing it with HijackThis! and see if that helps.

The 017 entries for yourself and Naimryu seem to be a legitimate DNS server, as far as I can tell, but I don't really know much about these entries.
Title: Re: Google search infected?
Post by: hoogan on December 01, 2006, 05:16:40 PM
Thanks FreewheelinFrank, thanks for the reply. I got rid of the Wanadoo bar but it's still exactly the same.

Running AVG anti-spyware now and it's picked up a few things like 'Trogan.Killproc.p' and 'Downloader.Zlob.aty', and I found a file called dvdaccess1092.exe, believed to be a trojan.

Once I get rid of these viruses/trojans I'll post back to say if it's fixed or not. It is not my laptop by the way, and it would seem the owner is too shy to admit they were looking up porn ::)
See how much easier our cleanup jobs would be if people were just honest, eh :-\

PS, I noticed on the HijackThis key that O17 is a slot for browser hijackers, so I'm guessing the unknown nameservers are related to the downloader maybe? Will see in a bit.
Title: Re: Google search infected?
Post by: raman on December 01, 2006, 07:38:59 PM
The O17 entry (imhoster.com) indicates a wareout/DNSChanger (rootkit ability) infection. Google for fixwareout to get a fix for this.... I do not know if it works for Windows 2003 systems.....
Title: Re: Google search infected?
Post by: Lisandro on December 01, 2006, 07:54:53 PM
Raman, I cannot stand the off topic...  8)
Welcome back... how are you doing in Germany?  :)
Title: Re: Google search infected?
Post by: raman on December 01, 2006, 09:03:58 PM
Hi Tech,

As always, much work to do and not enough time for malware-related things... :( ;)
But it's getting off topic. :)
Title: Re: Google search infected?
Post by: basilbrush on December 01, 2006, 09:41:45 PM
Quote
Hi basilbrush and welcome to the forum :)
If you have run the antispyware tools and you are still having problems, follow the steps and post the HiJackThis log
* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thanx so much for the advice but the problem seems to have got worse. Now my browser is getting hijacked so much that I can't even open the link you have given to download Hijack this!
Title: Re: Google search infected?
Post by: DavidR on December 01, 2006, 09:57:31 PM
If you haven't already, get an alternative browser like Firefox, http://www.mozilla.com/en-US/, or Opera, which aren't as susceptible to this type of hijacking. Use that and not IE and give yourself a fighting chance to clean up the IE hassles.
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 02, 2006, 12:29:01 PM
raman,

Thanks for the info there; it enabled me to track down the real source of the problem!

Naimryu & hoogan,

This is a DNS hijack, as raman suggested.

Internet addresses come in human and computer readable form. The human readable form might be google.com, but the computer readable form will be a set of numbers, example,  216.239.37.99. Your computer must look up the computer address when you enter the human address, and does this via a DNS server.

In the case of a DNS hijack, the address request is sent to the hijacker's DNS server. Instead of directing you to the computer address for Google, this DNS server supplies another address, which is the hijacker's version of the Google page, with additional content added by the hijacker. The hijacker may intercept requests for any web page and supply you with an altered version of that page- they can add advertisements or even malicious content if they choose.

In this case the company claims to be a legitimate one, and that they only offer an information page in the case of 404 errors:

http://www.domainserror.com/

As you are complaining of Google being hijacked, I wonder if this is entirely true?

The solution:

The company responsible for this hijack claims to be legitimate and offers a removal utility plus removal instructions. Whether you want to trust this company is up to you. "Spyware" companies do now at least show some pretence of operating within the law, making a removal utility available. However, this utility is flagged as malware by several scanners:

(http://donaldbroatch.users.btopenworld.com/dnschanger.jpg)

http://www.domainserror.com/remove.php

My guess is that the utility may well do what it says it will do and remove the hijack if you click 'uninstall', but I can't guarantee that- my advice would have to be, follow the manual uninstall instructions. There are some screen shots on the page to help you.

I suspect that you will have to contact your ISP to obtain the legitimate DNS server addresses for your service so that you can enter them in the appropriate field, or reinstall your ISP software, which may enter these DNS addresses for you.

Here is somebody with the same problem, who received similar advice:

Quote
Those are pointing to http://www.domainserror.com/remove.php who assure us they are not spyware. They provide a removal tool on the site but I'm not sure as I'd trust the bastards.

http://www.digitalspy.co.uk/forums/printthread.php?t=470799

Basil Brush,

We haven't seen a HijackThis! log, but I suspect you may be suffering something similar: I suggest you try the instruction in the manual removal guide above.

Good luck to all of you!
Title: Re: Google search infected?
Post by: Naimryu on December 02, 2006, 04:10:55 PM
Thanks for your help!!! This was a really nasty one. Not encountered anything like it before. Nothing worked, I used SBSearch&Destroy, Ad-Aware, Adware-Away,XsoftSpy, Scan & Repair Utilities 2007 and a few others. Seemed to get rid of a lot of stuff but not the main problem.

Anyway, after following your links FreewheelinFrank... I fixed the O17 - HKLM entries with HijackThis. This seems to have done the job!!!

Scan & Repair Utilities 2007 still picks up 'Freeprod/Toolbar888' located in C:/Windows/System32/explorer.exe ... it tries to repair it but it is still located after a reboot. Not sure if this one is serious or not? I'll post my existing HijackThis log file for you.

Many thanks!!!  :)
Title: Re: Google search infected?
Post by: Naimryu on December 02, 2006, 04:12:05 PM
Logfile of HijackThis v1.99.1
Scan saved at 15:01:08, on 02/12/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SysWOW64\CTsvcCDA.EXE
C:\Program Files (x86)\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Scan & Repair Utilities 2007\Scan & Repair Utilities 2007 Active Monitor.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files (x86)\Rainlendar\Rainlendar.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell="C:\Program Files (x86)\Scan & Repair Utilities 2007\Scan & Repair Utilities 2007.exe" /scanboot
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files (x86)\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files (x86)\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files (x86)\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files (x86)\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Scan & Repair Utilities 2007 Active Monitor] "C:\Program Files (x86)\Scan & Repair Utilities 2007\Scan & Repair Utilities 2007 Active Monitor.exe"
O4 - HKCU\..\Run: [Scan & Repair Utilities 2007] "C:\Program Files (x86)\Scan & Repair Utilities 2007\Scan & Repair Utilities 2007.exe" /s
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files (x86)\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134297734890
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files (x86)\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slmdmsr.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - Unknown owner - C:\Program Files (x86)\HHVcdV7Sys\VC7SecS.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 02, 2006, 05:42:51 PM
Scan & Repair Utilities 2007 is listed as a rogue application at Spyware Warrior:

Quote
Scan & Repair Utilities 2006      scanandrepair.com     false positives work as goad to purchase; inadequate info about company [A: 1-19-06 / U: 1-19-06]

http://www.spywarewarrior.com/rogue_anti-spyware.htm

I recommend you ignore any detections from this program and uninstall it, especially as there is no sign of Toolbar888 in your HijackThis! log.

Does Toolbar888 actually appear in Internet Explorer? Does it appear in Add/Remove? Is there a Toolbar888 directory in Program Files? If yes, you should uninstall the toolbar as described in this link:

http://www.bleepingcomputer.com/uninstall/1411/Toolbar888.html

If no, that's another reason to suspect a false positive from Scan & Repair Utilities 2007. If you want to be 100% sure, enable view hidden files and folders and submit-

C:/Windows/System32/explorer.exe

to VirusTotal:

http://www.virustotal.com/en/indexf.html

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Finally I recommend you switch to a browser which is less prone to these toolbars, such as Firefox or Opera:

http://www.mozilla.com/en-US/firefox/

http://www.opera.com/

Title: Re: Google search infected?
Post by: basilbrush on December 03, 2006, 02:41:52 PM
Quote
Hi basilbrush and welcome to the forum :)
If you have run the antispyware tools and you are still having problems, follow the steps and post the HiJackThis log
* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hey Snowwhite and everyone else. I have followed the instructions above and run a hijackthis log. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 13:38:12, on 03/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 免费精彩视频超流畅在线观看 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: 播霸电视 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 85.255.115.118,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Pleeeease help me!
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 03, 2006, 03:14:43 PM
Your log confirms you do have the DNS hijack. You will either need to follow the removal instructions on the following page, or risk using the company's own uninstaller, as I described in my previous post:

http://www.domainserror.com/remove.php

Before you do that, run HijackThis! again, tick the following items then click 'fix' and reboot:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

O9 - Extra button: 免费精彩视频超流畅在线观看 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)

O9 - Extra 'Tools' menuitem: 播霸电视 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab

O18 - Filter: text/html - (no CLSID) - (no file)

Check your internet connection at IE>tools>internet options>connections tab>settings. The 'Use Proxy' box should be unchecked.

Good luck
Title: Re: Google search infected?
Post by: basilbrush on December 03, 2006, 05:34:10 PM
Thanks as always Frank. Thing is I'm not the best when it comes to fixing computer problems. So what you will have to do is make a nice little list of steps for me to follow 'cos I don't quite understand it at the mo. :-[
The first thing I am about to do is fix the problems you mentioned above in HijackThis.
Title: Re: Google search infected?
Post by: SNOWHITE on December 04, 2006, 09:02:39 PM
Hi FreewheelinFrank :)
Why are you asking the user to fix the O9 entries with HiJackThis?
Quote
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

They are legitimate, so I just want to know if you have any particular reason for fixing them ;)
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 04, 2006, 09:13:27 PM
Hi SNOWHITE,

The (file missing) tag usually means- in the case of a legitimate application- that the user has uninstalled the application leaving an orphaned entry. These can be removed as a tidy-up operation.

There do seem to be exceptions- as for example in the case of avast! services, where HijackThis! cannot see the file even though the service is running.

The tag can also indicate that a malware file has been deleted by an anti-malware program, again leaving an orphaned entry. These can cause 'file not found' error messages and need fixing.

Hope this helps.  :D

FwF
Title: Re: Google search infected?
Post by: S_A_M.1990 on December 04, 2006, 10:04:02 PM
Yeah, I had that problem before but I can't remember how I fixed it, sorry.
Title: Re: Google search infected?
Post by: SNOWHITE on December 04, 2006, 10:24:50 PM
That's what I thought. I would suggest to you in future not to list the legitimate entries for fixing with HJT, as you can only trust that the file is missing in O2, and probably O3 entries, and NOT in others.

Quote
There do seem to be exceptions- as for example in the case of avast! services, where HijackThis! cannot see the file even though the service is running.
That is not just for avast! it is also for other services too.
You are doing a nice job and I see you really want to help people with their problems, but today many things are rapidly changing in malware fighting, malware is becoming more and more difficult to detect and delete, the tools that we are using are also changing... I just want to encourage you to sign up in one of the online schools like the school at Geeks to Go; with your knowledge and ability to do the searches, I think that you will finish the school fast and of course you will have open doors to many interesting and helpful tutorials that are not open to the public. And it would be great to have another avast user and malware fighter there; think of the many new things that you can learn there, that can help you in further helping and fighting malware ;D I will post you the link from Geeks to Go, in case you decide to join the school; it would be great if you decide to join, there are not many avast users, only a few of us :P http://www.geekstogo.com/forum/forums.html
PS: I hope that I didn't offend you in any way, because that is not my intention ;)
Title: Re: Google search infected?
Post by: essexboy on December 04, 2006, 10:51:53 PM
If I may just butt in, the 85.255.115.118 85.255.112.199 entry suggests a Wareout infection, which is now starting to be downloaded with a rootkit element. There are a few ways to fix this depending on whether or not the rootkit element is present. The one I would initially recommend is ComboFix
from here http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe

1. Download ComboFix.exe
2. Reboot into safe mode
3. Double click on combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

The unusual characters also indicate a possible Chinese infection, and again ComboFix should work on these
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 05, 2006, 12:08:12 AM
Well, the three people with the problem here have complained of a Google Hijack: they haven't mentioned anything about scam anti-spyware warnings, which is what Wareout seems to be. The IP addresses seem to be a DNS hijack- something I suspect Zlob is beginning to do. For Naimryu  the advice I posted seems to have worked, and I have no reason to believe it won't for hoogan & basilbrush too.

What's the reason for suspecting Wareout? Could you post some links with details? If I'm missing something here, please let me in on the secret. Thanks.
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 05, 2006, 12:31:10 AM
Quote
User complaints of popups mentioning WareOut

No they don't.

Quote
Some visable lines:

Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 This may be the only line visible

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE rarely visible

EDIT: Forgot link: http://temerc.com/phpBB2/viewtopic.php?t=1287&

None of these is visible.

Quote
Most common indication is an O17-related line in HJT, pointing to one of several known malware hosting IPs.

IP points to a questionable domains error site whose installer is flagged as malware by some scanners but who claim not to be involved in spyware- not convinced.

I think raman was dead right to spot this as a DNS hijack, but wrong to suggest wareout- at least as far as I can see from the evidence. I'm waiting to be convinced.
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 12:50:04 AM
;D The IP address is one of the addresses that Wareout is using, very persistent O17 lines too. New variants are using a rootkit so they are hiding and you can't see them in a log.
Here is one similar address  85.255.115.27,85.255.112.181 and another 85.255.114.74 85.255.112.61
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 05, 2006, 12:52:59 AM
Quote
The IP address is one of the addresses that wareout is using

Please post a link.
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 12:58:16 AM
Quote
The IP address is one of the addresses that wareout is using

Please post a link.
Sorry, that is not possible because it's in a hidden forum in the Geeks To Go school; you can have access there only if you are in training as an upperclassman ::) It's in the forum for Spyware Fixes (Special Cases)
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 05, 2006, 09:45:18 AM
Any advice I give here I back up with a source for the information I give, so that others can see why I gave that advice and tell me if I'm wrong or learn something if I was right. I have learnt a lot from the advice of others in this way myself.

If you are going to ask me to take what you say on faith then I'm afraid I cannot do that. I believe this should be a forum of equals, not a forum with an elite few whose advice cannot be questioned because their sources are hidden from those not a member of their elite.

If you are going to give advice on this basis, then I am going to stop helping people on this forum and leave you to it.

Good luck.
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 04:22:00 PM
Hi FreewheelinFrank :)

Quote
Any advice I give here I back up with a source for the information I give, so that others can see why I gave that advice and tell me if I'm wrong or learn something if I was right. I have learnt a lot from the advice of others in this way myself.
Sometimes you cannot give the back-up, because the source is not available to the public and it's something that a lot of experts are working on. As I said in the post right before Essexboy posted, if you read it carefully you will understand why I posted that for you; it's not because I don't trust you, it's because I trust you and I like the way you're searching and providing the information, and most important you have a wish to help people. But sometimes this is not enough; it needs a higher level of knowledge and that is why these schools are meant to be.
Quote
If you are going to ask me to take what you say on faith then I'm afraid I cannot do that. I believe this should be a forum of equals, not a forum with an elite few whose advice cannot be questioned because their sources are hidden from those not a member of their elite.
This is a forum of equals, and if some of us are sacrificing days in learning the fight with malware that doesn't make us "an elite few" just because I don't want to break the rules in my schools to provide you information on something that is being worked on. By the way I don't make the rules in the schools; if something is hidden then there is a reason why it is. If you want to have more open doors to information then consider joining at least one of the schools; Bleeping and G2G are very similar, SWI is another school where I am too; the only cost that you have to pay is learning.
Quote
If you are going to give advice on this basis, then I am going to stop helping people on this forum and leave you to it.
Stopping or not is your choice; actually you have many choices...
Title: Re: Google search infected?
Post by: DavidR on December 05, 2006, 05:13:45 PM
I'm afraid I have to agree with Frank when it comes to freely offering advice that isn't available to all it seems like some 'black art.' I know and appreciate why you are doing it, but I don't feel it is the way we have worked in the avast forums for some considerable time, advice backed up by links if needed or asked for.

That can really only work in the restricted forums where you and others are either under training or have completed it and have access to that information, but not to my mind the open forums of avast. This is not too dissimilar to a statement previously made that 'someone' would only give advice if the recipient ignored all other advice.

I mean what is so secret about information pertaining to certain IPs being used by Wareout ?
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 05:46:03 PM
David,
Quote
I mean what is so secret about information pertaining to certain IPs being used by Wareout ?
There is nothing secret about this, it's just that I don't want to provide information on something that is not open to the public; as I said, I don't make the rules. I will try to gain some information for FreewheelinFrank about the Wareout infection, but maybe I will not be able to do that every time there is a new infection or an infection that is evolving. I will post you the link, but I am afraid you will not have access: http://www.geekstogo.com/forum/index.php?showtopic=37616&st=30
When I have more time I will post some more info on Wareout, maybe today, maybe tomorrow, but you have to keep in mind that this information is changing, as the infections are changing too ::)

BTW I worked hard to gain access to that information.
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 06:01:34 PM
There is no need for that information. Google gives you everything you need. To see if it is a Wareout infection or not is easy. Check the IP in the "O17" entry. If it is imhoster.com, it is Wareout.
Wareout, because in the beginning the DNSChanger (and downloader) downloaded and installed Wareout (a fake AS program). You can easily confirm that by using a rootkit scanner like Blacklight or gmer. The advantage of fixwareout is that it cleans the infection and gives a reliable log file.
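The O17 check raman describes, as an added example that is not from this thread or from the HijackThis tool: a small triage script that pulls every O17 NameServer entry out of a HijackThis log, splits the resolver list (comma- or space-separated, as the two key layouts in the logs above differ), and flags resolvers that match the indicators quoted in this thread (the two 85.255.x.x addresses and imhoster.com) or that differ from an assumed allow-list (192.168.1.1 is a hypothetical value for the network's real resolver). The sample log lines are constructed from the shape of the entries quoted later in the thread.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in this thread: the two resolver IPs in basilbrush's O17
# lines and the imhoster.com name raman associates with Wareout.
KNOWN_BAD_NAMESERVERS = {"85.255.115.118", "85.255.112.199", "imhoster.com"}
# Hypothetical allow-list: what the resolver on this network is supposed to be.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# HijackThis O17 line layout: "O17 - <registry key>: NameServer = <addr>[,| ]<addr>..."
# The key names the control set (CCS, CS1, CS2 ...) and either the global
# Tcpip\Parameters key or a per-interface {GUID} key.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\[^:]+): "
    r"NameServer = (?P<servers>.+)$"
)
# Per-interface keys separate resolvers with commas, Parameters keys with spaces.
SPLIT_RE = re.compile(r"[,\s]+")


@dataclass
class O17Finding:
    key: str
    control_set: str
    servers: list
    known_bad: list = field(default_factory=list)
    unexpected: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.known_bad or self.unexpected)


def parse_o17(log_text: str) -> list:
    """Extract every O17 NameServer entry from a HijackThis log and classify its resolvers."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in SPLIT_RE.split(m.group("servers")) if s]
        f = O17Finding(key=m.group("key"), control_set=m.group("cset"), servers=servers)
        for s in servers:
            if s in KNOWN_BAD_NAMESERVERS:
                f.known_bad.append(s)
            elif s not in EXPECTED_NAMESERVERS:
                f.unexpected.append(s)
        findings.append(f)
    return findings


def triage(log_text: str) -> dict:
    """Summarise which control sets still carry a known-bad resolver. A log with
    no suspicious O17 entry (the state the thread is working towards) is clean."""
    findings = parse_o17(log_text)
    return {
        "entries": len(findings),
        "dirty_sets": sorted({f.control_set for f in findings if f.known_bad}),
        "unexpected": sorted({s for f in findings for s in f.unexpected}),
        "clean": not any(f.suspicious for f in findings),
    }


# Constructed sample: O17 lines in the shape quoted in this thread (comma-separated
# per-interface key, space-separated Parameters keys), one hostname-based entry,
# one line with an unlisted resolver, and a non-O17 line that must be ignored.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 85.255.115.118,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = imhoster.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1 10.0.0.53
"""

if __name__ == "__main__":
    for f in parse_o17(SAMPLE_HJT_LOG):
        print(("SUSPICIOUS " if f.suspicious else "ok         ") + f.key, f.servers)
    print(triage(SAMPLE_HJT_LOG))
```

Note that CS1/CS2 are the backup control sets; an entry that survives only there is a leftover, while one still present under CCS is what the running system actually resolves with.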
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 06:59:11 PM
??? Will someone please help me? This seems to have turned into a debate. FwF, I asked if you could give me advice as a list of steps to follow so I can get rid of this problem. I posted the HJT log and then got it to fix the things you said.

What next?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 07:04:09 PM
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

[Credit to: LonnyRJones, Swandog46, and AutoDad.]
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 07:07:49 PM
Thanks raman, much appreciated. Please stay online, I might need you (if this thing works, that is).
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 07:18:02 PM
Right. The computer is still working, thankfully.

Here is the 'report' from fixwareout:

 
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
 
Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
 
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Searching by size/names...
 
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
 
Other suspects.
Directory of C:\WINDOWS\system32
 
»»»»» Misc files.
 
»»»»» Checking for older varients covered by the Rem3 tool.


Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:15, on 06-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F59F332-A6E3-4E60-8E27-9FBFD6F6BDC4}: NameServer = 85.255.115.118,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Title: Re: Google search infected?
Post by: raman on December 05, 2006, 07:25:05 PM
You can use the posting of pskelly from here:
http://forums.spybot.info/archive/index.php/t-6966.html (the rest from 1)). You can also use the ATF Cleaner, if you want. Please post a new HijackThis log after this, to see if the "O17" entries changed.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 07:35:43 PM
Sorry, what do you mean by 'the rest from 1'?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 07:36:31 PM
I mean this!:)

---cut---
Now let's check some settings on your system.
(2000/XP) Only
In the Windows control panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next go Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit enter, type exit, hit enter
(that space between g and / is needed)
---cut---
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 07:43:41 PM
Hm, an

ipconfig /renew  [press enter]
and an
ipconfig /flushdns [press enter]

in the DOS box (cmd) should do the job too.....


[edit: Removed "all" from ipconfig /renewall]
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:08:19 PM
I can't find the 'networking' tab, goddammit!
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:10:26 PM
No problem. Try
ipconfig /renew [press enter]
and an
ipconfig /flushdns [press enter]

in the DOS box, restart and post a new HijackThis log
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:11:48 PM
Wait, I found TCP/IP and double-clicked as said. I ticked Obtain DNS servers automatically. It didn't ask me to reboot though....
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:15:13 PM
Please reboot to see if the trojan is still active and post a new HJT log.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:16:50 PM
I did Run>cmd>ipconfig /flushdns>exit

Nothing spectacular happened.
Now I am about to reboot and run HJT. I'll post it here.
I really appreciate you helping me... this problem has happened to me for the first time and has driven me nuts!
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:18:42 PM
You have to do the same with ipconfig /renew
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:25:26 PM
I've rebooted and here is the latest HJT log. Problem still seems to be there I guess.
 :(

Logfile of HijackThis v1.99.1
Scan saved at 19:23, on 06-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:31:09 PM
Yes, it seems so! :(

Okay, please use Blacklight and post the
fsbl log:
http://www.bleepingcomputer.com/tutorials/tutorial124.html

Please do not rename any file if Blacklight finds hidden files.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:32:46 PM
So I shouldn't do the ipconfig /renew thing now?
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:36:51 PM
There's a little note on the link saying Blacklight may not be available after June 2006.
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:38:28 PM
Yes, you should do that before the restart and the new HijackThis log.

About Blacklight. Here is the new Link for download: http://www.f-secure.com/blacklight
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:41:29 PM
I checked the download link and it was still working, so sorry about panicking and sending the last post.  :-[

I've followed the instructions and right now it is scanning.

I hadn't read your last post so I never did the ipconfig /renew thing in the DOS box.
Shall I just follow the rest of the instructions in the earlier Blacklight link you sent me?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:42:50 PM
Blacklight first; if the log shows nothing special you should do ipconfig /renew and ipconfig /dnsflush, restart and a new HijackThis log.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:45:56 PM
The Blacklight scan finished and it came up with 'no hidden items found.'

So now I should just close it, right? And do the Run > cmd > ipconfig /renew
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:46:37 PM
Yes, and the /dnsflush, restart and new HijackThis log.


Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 08:49:27 PM
Sorry to be tedious, but do I restart after renew, then do dnsflush? Or do both, then restart?

You should get a medal for putting up with me!
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 08:51:52 PM
:)
The important thing is that these entries have to go away (at least the IP address):
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:00:29 PM
Did both renew and dnsflush:

Logfile of HijackThis v1.99.1
Scan saved at 19:58, on 06-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.118 85.255.112.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

You must be running out of ideas now, right?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 09:05:37 PM
Nope! :) We can try some other things.

First Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
Download it to your desktop and start it. Follow the instructions and post the log which will be created. It will take a while...

Second, download the gmer application: http://www.gmer.net/files.php

Start it and press Scan. After the scan has finished, press Copy and copy that log too.

But the Combofix log first.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:08:38 PM
The thing about Combofix is that essexboy recommended it yesterday. I've got it on my desktop, but he said to start the computer in safe mode. So should I just start Combofix now or reboot my computer into safe mode?
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 09:11:01 PM
Just follow the steps essexboy provided to you and after that follow raman's advice.
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 09:11:48 PM
Safe mode is a good idea. Please do it....
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:13:19 PM
OK here goes.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:32:06 PM
Guys, I did the Combofix scan in safe mode.

It's generated a huge log. How do I post it?
Title: Re: Google search infected?
Post by: SNOWHITE on December 05, 2006, 09:34:13 PM
Copy and paste the log in a post, if needed in two separate posts, or you can just attach the file to the post.
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 09:35:45 PM
You have to use Reply (http://forum.avast.com/index.php?action=post;topic=24967.75;num_replies=78) instead of the quick reply to be able to attach files (choose Reply/Additional options).
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:37:02 PM
Attached. Thanx.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:37:46 PM
OK let me try the raman way of attaching.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:38:55 PM
does this work?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 09:43:59 PM
Works perfectly. Please post the gmer log.

BTW: Did you ever try to fix the "O17" entries with HijackThis? If not, please do so, restart and see if the entries reappear.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:46:04 PM
I'm sorry but I don't know what the gmer log is.  :-[

I have never tried to fix the O17s with HJT because Snowhite said not to ever fix anything with HJT unless you know what you are doing. What do you suggest? Shall I go after the O17s with HJT?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 09:49:52 PM
Yes, fixing these "O17" entries is not dangerous. The only thing that could happen is that they will reappear after a restart.

Gmer:

Second, download the gmer application: http://www.gmer.net/files.php

Start it and press Scan. After the scan has finished, press Copy and copy that log too.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:51:09 PM
Right. First I am fixing with HJT. Here goes.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 09:56:08 PM
I fixed the O17 entries with HJT. Got this log after restart. They have gone. Does this mean we win? Or will the buggers come back again?

Logfile of HijackThis v1.99.1
Scan saved at 20:53:56, on 05/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125504601536
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134202248265
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Title: Re: Google search infected?
Post by: raman on December 05, 2006, 10:00:29 PM
Gnarf, it seems that Avast or Spybot deleted the file already (possible?) and the "O17" was only the leftover from the infection. If they stay away, you are clean. :)

You could make the gmer log, but if it is clean you should be too.

You could also make a second scan with Dr.Web CureIt, only to get a second opinion: http://www.drweb-online.com/en/cure_it.asp?rpid=
It does not install anything; it is only the scanner...
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:10:40 PM
Gosh, I don't know how you figured out that Avast or Spybot did it already.

I'm running the gmer scan now and after that I'll probably have dinner. I'm absolutely starving! I'll post the gmer log in a minute when it's done. I'm only scanning the C drive.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:13:54 PM
The scan has finished, though it didn't give any message or anything to suggest it. There's loads of tabs and each one has a lot of stuff under it. What do I do?
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 10:16:53 PM
You said, that Spybot found something and you let it fix it. Spybot reports some of these Wareouts as Pipa.a. If you are able to find the Spybot report you could take a look at it or look under "recovery" to see, what it fixed.
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 10:17:41 PM
If gmer says nothing, it found nothing. That's okay, you can simply close it.
And I will leave for today!
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:19:37 PM
gmer says lots of things though under the different tabs. I don't know if they are threats or what.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:20:45 PM
There's a whole bunch of things under 'processes', 'modules' and all my internet favourites appear under 'rootkits' for some reason.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:21:45 PM
raman I cannot thank you enough for the help today. Thank God good people still exist in this goddamned world!
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 10:24:19 PM
If gmer found something in "Rootkit" (only rootkit is interesting here), please go to "rootkit", press copy and paste it here....
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:28:39 PM
Here they are. They are just web pages I have put as favourites on the net. There's also something to do with Windows Media Player.

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-05 21:25:48
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.12 ----

Reg  \Registry\MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2\Extensions\.wvx@?????                   

---- Files - GMER 1.0.12 ----
Reg  \Registry\MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2\Extensions\.wvx@?????
ADS  C:\Documents and Settings\Siddiqi\Favorites\About a Ball  Football Stars.url:favicon             
ADS  C:\Documents and Settings\Siddiqi\Favorites\Video Forum - RedCafe.net.url:favicon                 
ADS  C:\Documents and Settings\Siddiqi\Favorites\WebCT 4.1 at Imperial College.url:favicon       


---- EOF - GMER 1.0.12 ----
Title: Re: Google search infected?
Post by: raman on December 05, 2006, 10:31:11 PM
I do not know why gmer reports this, but it is not dangerous. I will ask gmer why it reports this.
Title: Re: Google search infected?
Post by: basilbrush on December 05, 2006, 10:32:33 PM
Wow thanks. Ok so am I in the clear? If yes then thanks again and all the best.
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 06, 2006, 10:43:47 AM
I would like to point out something here: not only have I been undermined by people claiming that I have missed something while helping people on this thread because I do not have access to secret information, but this claim itself has, as far as I can see, proved to be wrong.

I asked why it was suggested that this might be Wareout, when nobody had complained of the pop-ups typical of Wareout, and was told that it was because of the 017 entries: information that I couldn't be given access to. My own research suggested this was a DNS hijack and my advice was to reset the DNS settings following the instructions on the site linked to in the 017 entries.

Quote
Check the IP in the "O17" entry. If it is imhoster.com, it is wareout.

I must be missing something here. The 017 entries point to domainserror.com. While I cannot know if, in some secret forum, this site is associated with Wareout, I suggest that it may simply be a DNS hijack operation operating sometimes at least with no association with Wareout.

I was told that Wareout uses a rootkit and cannot be seen. I posted a link that showed that some entries are evident even with a rootkit infection.

Well, where is this evidence of a rootkit infection? I believe WareoutFix is supposed to find a rootkit Wareout infection, but it seems to have found nothing, as did BlackLight and Gmer.

Quote
Gnarf, it seems, that Avast or Spybot deleted the file allready(possible?) and the "o17" was only the leftover from the infection.

Maybe there was no Wareout infection. Maybe it was just a DNS hijack like I originally suggested. Maybe some Trojan just reset the DNS server which is why you could fix it by removing the HijackThis! entries, or why the person I advised previously in the thread could fix it by following the instructions to reset the DNS settings in XP.

I don't mind when somebody with more experience than me comes along and offers help on this forum- raman's original help allowed me to spot the DNS hijack. But here three people have undermined the advice I gave and told a user they had an infection which there was really no indication of, and which proved not to be present.

A careful examination of the symptoms described, the HijackThis! log and the information on the web site linked to might have suggested this. If Geek-To-Go are going to jump in every time they see a juicy HijackThis! log, at least they could read the whole thread carefully without making an instant diagnosis on one 017 entry, undermining somebody who's spent a lot of time on the thread already, and claiming expert knowledge the rest of us don't have access to.

EDIT: Typo
Title: Re: Google search infected?
Post by: mauserme on December 06, 2006, 09:04:42 PM
It seemed that you were on the right track to me Frank.

And while it's finding a solution that matters in the end, I think an element of condescension entered into this thread that was completely out of place.
Title: Re: Google search infected?
Post by: FreewheelinFrank on December 06, 2006, 09:06:57 PM
Quote
If I may just butt in, the 85.255.115.118 85.255.112.199
entry suggests a wareout infection which is now starting to come downloaded with a rootkit element.

Confirmation that these 017 entries pointing to domainserror.com need not necessarily be anything to do with Wareout or a rootkit infection here:

Quote
Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCPIP interface settings. You need to go to the network setting on your machine (via Control Panel) and revert back your old DNS settings. After doing the required changes, you will be prompted with a message box similar to the following:


Quote
When program is run (usually by user executing the file), the file would copy itself to:
%SYSTEMROOT%\SYSTEM32\HGQHP.EXE

and removes itself from the directory it originally existed in. The program would also do some modifications to the Windows Registry (changing DNS entries).

Quote
Symptoms:
Presence of the file:
%SYSTEMROOT%\SYSTEM32\HGQHP.EXE
Having DNS entries in any of your network adaptors with the values:
85.255.112.132
85.255.113.13

Quote
To do a complete recovery, some modifications are required to the Windows Registry, restoring the keys to their original values. The interface settings modified are within the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters\Interfaces

All this is the result of a Trojan.

http://vil.nai.com/vil/content/v_136602.htm

The McAfee write up states that this DNSChanger Trojan may also download other malware, so it would be wise to suspect other malware might be present, even rootkits, but the presence of these 017 entries does not confirm that Wareout is present.

If there is no sign of the original Trojan, and no indication of a hidden infection (in the case of Wareout, popups and the presence of some HijackThis! entries not hidden by the rootkit, as described in my previous link) reverting to previous DNS settings may fix this, as Naimryu discovered.

Quote
Anyway, after following your links FreewheelinFrank... I fixed the 017 - HKLM entries with Hijack This. This seems to have done the job!!!

Title: Re: Google search infected?
Post by: FreewheelinFrank on December 12, 2006, 02:38:07 PM
I managed to track down some more information on this.

Quote
Comment from rpggamergirl
Date: 11/08/2006 04:18AM PST

There are many proofs and telltale signs of wareout, but they are different in every case.

In this question, the proofs of wareout are:
Symptoms:
*Google search results being re-directed to other search sites
*Spybot's detection of Pipas.A

And confirmed by the entries in his HJT log:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225

Note: Hijackthis cannot remove wareout; removing entries does nothing while wareout is active.
The fixwareout tool must be run to remove the infection.

There are many other symptoms or signs when a pc has wareout, but not all of the symptoms nor the hijackthis entries will be there. There are other entries to look out for but I'm just talking about this very question.

Quote
Comment from rpggamergirl
Date: 11/08/2006 04:54AM PST

No problem.

The most common symptom is the search redirection, and the most common entries showing in hijackthis are the 017 entries.

If you want all the telltale signs and symptoms, I'll post them here.

Quote
Comment from rpggamergirl
Date: 11/09/2006 05:40PM PST

>>Yes, Can you share those information as well?<<

Sure.


Telltale signs of Wareout infection:

Symptoms:(either one of following)
* User complaints of popups mentioning WareOut
* Google search redirection, bogus search results
* the identification of "Downloader.Agent.uj".
* Spybot detects Pipas.A Trojan
* Pest Patrol reports of QHosts.DF
* "UnSpyPC" or "KillAndClean" in add/remove programs list
* If it's the variant QHosts.DF, most scanners run on the infected pc will crash.


Common "wareout" entries that might appear in logs:

There might be 2 HijackThis entries present or none.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O1 - Hosts: localhost 127.0.0.1 <-- sometimes this entry can be the only visible line

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE <-- rarely visible
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"

One or two random O4s, usually not visible, such as:
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System32\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O4 - HKLM\..\Run: [dmgow.exe] C:\WINDOWS\system32\dmgow.exe
O4 - HKLM\..\Run: [hgmos.exe] C:\Windows\System32\hgmos.exe

The entry may not be exactly as the one above.
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
Note: * = a randomly generated letter.

Also entries that look like these:
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
O4 - HKLM\..\Run: [exe.zpomd] C:\WINDOWS\system32\dmopz.exe
O4 - HKLM\..\Run: [exe.jlamd] C:\WINDOWS\system32\dmalj.exe
O4 - HKLM\..\Run: [exe.uqhmd] C:\WINDOWS\system32\dmhqu.exe
O4 - HKLM\..\Run: [exe.somgh] C:\WINDOWS\system32\hgmos.exe
The name after "exe." is the filename reversed; it usually begins with the letters "dm, cs, hg" , as above.


Usually there'll be 017 entries showing in hijackthis log with the following IP Addresses:
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{24945E12-5B0C-4B95-841C-56FBF0A6DAC0}: NameServer = 195.95.218.1,85.255.112.7
or any O17 with a similar IP resolving to Atrivotechnologies, EstHost hosting company, Tartu Peapostkontor, pk. 12, Estonia, InterCage, or to inhoster, Ukraine.


And here are the most common 017 wareout entries that are usually present in hijackthis logs: these entries are almost always present; it's rare not to see them in the log with a wareout infection.
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.113.139,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{829B2203-98D9-493A-B9C9-0CBFE371CDBE}: NameServer = 85.255.115.38,85.255.112.103


*Ewido's log shows the following entries:
[176] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[196] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning


*SilentRunners' log will show a five-letter exe usually starting with 'cs', 'dm' or 'df'; this is a sure sign of WareOut:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspxq.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csott.exe" [null data]


*BlackLight will also detect some of the files:
01/21/06 10:00:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\cspxq.exe
01/21/06 10:00:05 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\dmbsx.exe
The file names will be random, but the exes are five-letter names beginning with 'cs', 'dm' or 'df'.


Have fun 'wareout' hunting! :)

A big thanks to rpggamergirl for sharing this information on Expert Sexchange Experts' Exchange.

http://www.experts-exchange.com/Security/Q_22045521.html?qid=22045521

Some information on FixWareout from the author:

Quote
LonnyRJones:
Usually an accompanying fake antispyware gets installed along with a rootkit
or to put it better files that can stealth themselves.
wareout, unspypc etc are the fake programs
Both of which will unkindly remove all my runs if I let it.

The stealth part of the infection normally runs from

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"
It's invisible and can rename the file at each PC restart
A run running from HKLM that also changes each time the pc is restarted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Usually the two start points above are present, but it is possible to have either and not the other.


These keys are also involved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

http://forums.spybot.info/showthread.php?t=8243&highlight=fixwareout+description

The infection is known under various aliases/ variants. Spybot calls it Pipus.A:

http://forums.spybot.info/showthread.php?t=8243&highlight=fixwareout+description

Thanks LonnyRJones for this information.

Ewido calls it Trojan.downloader.uj; it will detect but not remove it. There is another removal tool, and a list of aliases here:

http://blog.evilissimo.net/2006/08/07/how-to-remove-trojandownloaderuj/

avast! calls it Win32:Agent-IU.

In summary, detections by these programs of the following malware indicate a stealthed infection, requiring a specialist removal tool:

Spybot: Pipus.A
Ewido/AVG Anti-Spyware: Trojan.downloader.uj
avast!: Win32:Agent-IU

DNS settings must also be restored after clearing the infection.

That still leaves the mystery of why Naimryu and basilbrush were able to cure the Google hijack just by resetting DNS/deleting rogue 017 entries without seeing any signs of stealthed malware. Either anti-malware programs are now removing the stealth Trojan but leaving the 017 entries, or other malware is also installing the hijack. The fact that nobody in this thread has complained of Wareout pop-ups is also a mystery.
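The O17 resolver check and the reversed-name O4 rule that rpggamergirl describes above, as an added Python example that is not from the thread or from any of the tools named in it. The 85.255.112.0/22 range is my assumption covering the 85.255.112.x to 85.255.115.x addresses quoted, and the sample lines are constructed from entries quoted in the thread.

```python
# Added example, not from the thread: flags two of the WareOut / DNSChanger
# indicators quoted above in HijackThis log lines (O17 resolvers, O4 names).
import ipaddress
import re
# Resolver ranges quoted in the thread (85.255.112.x-85.255.115.x) and the other two pairs.
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/22")]
ROGUE_DNS_HOSTS = {"69.50.184.84", "195.225.176.37", "195.95.218.1", "85.255.112.7"}
O17_RE = re.compile(r"^O17 - \S+: NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+)"?')
STEALTH_EXE_RE = re.compile(r"^(cs|dm|df|hg)[a-z]{3}\.exe$", re.I)  # five-letter stealth exe

def rogue_nameservers(line):
    """Rogue resolver IPs named in an O17 line ([] if clean or not an O17)."""
    m = O17_RE.match(line)
    if not m:
        return []
    hits = []
    for tok in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue  # not an IP (e.g. trailing text); skip it
        if tok in ROGUE_DNS_HOSTS or any(ip in net for net in ROGUE_DNS_NETS):
            hits.append(tok)
    return hits

def reversed_run_name(line):
    """Exe name when an O4 value name is the exe spelled backwards (exe.oqsmd -> dmsqo.exe)."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = m.group("path").strip().rsplit("\\", 1)[-1]
    if m.group("name")[::-1].lower() == exe.lower() and STEALTH_EXE_RE.match(exe):
        return exe
    return None

def scan(lines):
    """Return (rule, evidence) pairs for every indicator found in the lines."""
    findings = []
    for line in (raw.strip() for raw in lines):
        ips = rogue_nameservers(line)
        if ips:
            findings.append(("rogue-dns", ",".join(ips)))
        exe = reversed_run_name(line)
        if exe:
            findings.append(("reversed-run-name", exe))
    return findings

# Constructed sample built from entries quoted in the thread; the 192.168 line is a clean control.
SAMPLE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.90 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFF8F98-69BE-40ED-A311-2965DB08F05D}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [exe.oqsmd] C:\WINDOWS\system32\dmsqo.exe
""".strip().splitlines()
```

A hit on the rogue-dns rule is the case for restoring the adapter's DNS settings under Tcpip\Parameters\Interfaces, as the McAfee write-up quoted earlier describes; a reversed-run-name hit is the stealth component that HijackThis alone will not remove.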