11-05-2006, 08:55 AM   #5
markkos
Registered User
Join Date: Oct 2006
Posts: 6
OS: Win XP

Hi, here are all the logs you asked for:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17275317C574-2DBA-F084-3253-0624D329{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\pqymd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmyqp.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSGZM.EXE 51.764 2006-10-20
C:\WINDOWS\SYSTEM32\DMYQP.EXE 60.934 2002-08-29

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older variants covered by the Rem3 tool.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:11:22 5.11.2006

+ Scan result:



C:\System Volume Information\_restore{45F00EA5-7255-43E4-B1ED-E6406376CAAF}\RP466\A0078646.exe -> Downloader.INService : Cleaned with backup (quarantined).
D:\Programi\Grafika\CimSW-CAT_v2.0_for_SolidWorks\cimsw-cat\crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{45F00EA5-7255-43E4-B1ED-E6406376CAAF}\RP466\A0078645.exe -> Trojan.VB.atz : Cleaned with backup (quarantined).


::Report end


KASPERSKY ONLINE SCANNER REPORT
Sunday, November 05, 2006 5:45:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/11/2006
Kaspersky Anti-Virus database records: 238402


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
F:\
G:\

Scan Statistics
Total number of scanned objects 111591
Number of viruses found 2
Number of infected objects 5 / 0
Number of suspicious objects 0
Duration of the scan process 01:12:35

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Temp\ZLT067f4.TMP Object is locked skipped

C:\WINDOWS\Temp\tmp00006801\tmp00000000 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\DEUS.ldb Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Temp\~DF5418.tmp Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Temp\SIMON GREGORČIČ.doc Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Temp\~DF84AB.tmp Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Temp\RWI609.tmp Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\History\History.IE5\MSHist012006110520061106\index.dat Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Marko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Marko\Desktop\keyfinder.exe RarSFX: infected -

C:\Documents and Settings\Marko\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\parent.lock Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\history.dat Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\cert8.db Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Mozilla\Firefox\Profiles\default.x44\key3.db Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\index2.dat Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\chat1024.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\user16384.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\chatmsg512.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\user4096.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\user256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\user1024.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\chatmsg1024.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\sms256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\callmember256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\chatmsg256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\transfer256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\chat512.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\call256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\voicemail256.dbb Object is locked skipped

C:\Documents and Settings\Marko\Application Data\Skype\markostucin\profile4096.dbb Object is locked skipped

C:\Documents and Settings\Marko\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Marko\NTUSER.DAT Object is locked skipped

C:\Program Files\eMule\Incoming\Patch.exe Object is locked skipped

C:\System Volume Information\_restore{45F00EA5-7255-43E4-B1ED-E6406376CAAF}\RP466\change.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 17:54:21, on 5.11.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\iolo\System Mechanic 6\SMTrayNotify.exe
C:\WINDOWS\Notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Notepad.exe
C:\hjt\deckard.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Windows Live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Windows Live
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Marko\Desktop\muBlinder.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
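The two heuristics the logs above rest on, worked through in code. This is an added example; it is not from markkos's post, from Fixwareout or from HijackThis. It applies the five-letter cs/dm/jb name search that the Fixwareout log says it performs to a listing in the format Fixwareout prints (CSGZM.EXE and DMYQP.EXE are the two hits in the post), then triages HijackThis O4 Run entries that launch from a user profile (muBlinder.exe on the Desktop) and O23 services marked "(file missing)". The function names, the cross-check against the running-process list and the two benign listing entries with their sizes are assumptions made for the example; the log lines in the samples are copied from the post. The cross-check is the caveat a helper would want here: HijackThis 1.99.1 prints "(file missing)" for a service whose ImagePath is quoted and carries a switch even when the binary exists, and both bdss.exe and xcommsvr.exe appear in the post's running-process list.

```python
"""Triage helpers for Fixwareout and HijackThis 1.99.1 output.

Added example, not code from the post, Fixwareout or HijackThis. It encodes:
  1. Fixwareout's own heuristic as its log states it: five-letter
     executables in System32 whose names start with cs, dm or jb.
  2. HijackThis O4 Run entries launching from a user profile or carrying
     such a name, and O23 services marked "(file missing)", cross-checked
     against the running-process list (HijackThis 1.99.1 reports quoted
     service paths with switches as missing even when the file exists).
"""
import re
from typing import Dict, List

# Prefixes and length are exactly what the Fixwareout log says it searches for.
RANDOM_NAME = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable in a command line: a full drive path or a bare name such as RUNDLL32.EXE.
EXE_RE = re.compile(r'(?:[A-Za-z]:\\[^"]*?|[\w~]+)\.exe', re.IGNORECASE)

# Constructed samples. Log lines are copied from the post; the listing's two
# benign entries and all sizes except the first two are made up for the example.
SYSTEM32_LISTING = r"""
C:\WINDOWS\SYSTEM32\CSGZM.EXE 51.764 2006-10-20
C:\WINDOWS\SYSTEM32\DMYQP.EXE 60.934 2002-08-29
C:\WINDOWS\SYSTEM32\CTsvcCDA.exe 44.032 2004-01-01
C:\WINDOWS\SYSTEM32\nvsvc32.exe 86.016 2004-01-01
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Marko\Desktop\muBlinder.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
"""
RUNNING_SAMPLE = [
    r"C:\WINDOWS\system32\ZONELABS\vsmon.exe",
    r"C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe",
    r"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe",
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def fixwareout_suspects(listing: str) -> List[Dict[str, str]]:
    """Entries of a 'path size date' listing whose file name matches RANDOM_NAME."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and RANDOM_NAME.match(basename(parts[0])):
            hits.append({"path": parts[0], "size": parts[1], "date": parts[2]})
    return hits


def hjt_flags(log: str, running: List[str]) -> List[Dict[str, str]]:
    """Flag O4 and O23 lines; 'status' says how much weight the flag deserves."""
    running_names = {basename(p) for p in running}
    flags = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            exe = EXE_RE.search(cmd)
            reasons = []
            if "\\documents and settings\\" in cmd.lower():
                reasons.append("autorun launches from a user profile")
            if exe and RANDOM_NAME.match(basename(exe.group(0))):
                reasons.append("five-letter cs/dm/jb name")
            if reasons:
                flags.append({"item": m.group("name"), "reason": "; ".join(reasons), "status": "review"})
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            exe = EXE_RE.search(m.group("path"))
            present = bool(exe) and basename(exe.group(0)) in running_names
            flags.append({
                "item": m.group("display"),
                "reason": "service reported as (file missing)",
                # A binary that is running cannot be missing: the flag is an HJT parsing artifact.
                "status": "probable HJT quoting artifact, binary is running" if present else "verify on disk",
            })
    return flags


if __name__ == "__main__":
    for hit in fixwareout_suspects(SYSTEM32_LISTING):
        print("Fixwareout suspect:", hit)
    for flag in hjt_flags(HJT_SAMPLE, RUNNING_SAMPLE):
        print("HJT flag:", flag)
```

Run as a script it prints the two Fixwareout suspects and three HijackThis flags: muBlinder for launching from the Desktop, and the two BitDefender services, each downgraded to a probable quoting artifact because the binary is in the running-process list. Pass an empty process list and the same two services come back as "verify on disk", which is the right default when the HijackThis log is all you have.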