Hi - thanks for the instructions, which I have now completed. My latest HijackThis log is below, together with 3 other reports. My browser is still being redirected - grateful for any further advice.
Cheers
Jooools
Logfile of HijackThis v1.99.0
Scan saved at 21:34:54, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Documents and Settings\Julian\Desktop\New Folder\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O23 - Service: .NETSecurity - Unknown - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----------------------------------------------------------------------
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
---------------------------------------------------------------
SDFix: Version 1.44
********************
01/12/2006 - 21:12:33.71
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Stage One - Safe Mode
Checking Services...
Service Name:
File Path:
Starting Registry Repairs...
Restoring Default Hosts File...
Stage One Complete
Rebooting...
Stage Two - Normal Mode
Checking For Malware:
--------------------
Backing Up and Removing any Files Found...
Final Check:
Services:
---------
Authorized Applications Export:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
C:\Program Files\WinMX\WinMX.exe REG_SZ C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp REG_SZ C:\Program Files\Kazaa Lite K++\KazaaLite.kpp:*:Enabled:KazaaLite
C:\Program Files\NapMX\NapMX.exe REG_SZ C:\Program Files\NapMX\NapMX.exe:*:Enabled:NapMX
C:\Program Files\BitTorrent\btdownloadgui.exe REG_SZ C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui
C:\Program Files\MSN Messenger\msnmsgr.exe REG_SZ C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0
C:\Program Files\Grisoft\AVG Free\avginet.exe REG_SZ C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe REG_SZ C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe
C:\Documents and Settings\Julian\Desktop\utorrent-1.4.2-beta-build-431.exe REG_SZ C:\Documents and Settings\Julian\Desktop\utorrent-1.4.2-beta-build-431.exe:*:Enabled:µTorrent
C:\Program Files\iTunes\iTunes.exe REG_SZ C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
C:\Program Files\Shareaza\Shareaza.exe REG_SZ C:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza
C:\Program Files\LimeWire\LimeWire.exe REG_SZ C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
C:\Documents and Settings\Julian\Desktop\utorrent.exe REG_SZ C:\Documents and Settings\Julian\Desktop\utorrent.exe:*:Enabled:µTorrent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
C:\Program Files\MSN Messenger\msnmsgr.exe REG_SZ C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0
Files:
------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking for files with Hidden Attributes:
C:\Program Files\Common Files\Ahead\AudioPlugins\lpaccodec.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\lpac_codec_api.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\PNCRT.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\atrc3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\auth3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\cook3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv13260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv23260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv33260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv43260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnen3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnvi3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnxr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\ramf3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rare3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rims3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmff3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmse3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmwr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rnlt3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rorw3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtae3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtin3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtve3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv103260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv203260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv303260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv403260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rvre3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\sipr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\smpl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\vsrl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\xmlp3261.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\zipf3260.dll
C:\Program Files\Microsoft Office\MSDE2000\SQLRESLD.DLL
C:\Program Files\Common Files\Ahead\AudioPlugins\AACMP4.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\OFR.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\RMADEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPDEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPENC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\B724F8875B.sys
FINISHED!
-------------------------------------------------------
SmitFraudFix v2.126
Scan done at 21:05:18.89, 01/12/2006
Run from C:\Documents and Settings\Julian\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julian
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julian\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Julian\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
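Added example for readers of this thread (not part of the post above, nor of HijackThis, Fixwareout, SDFix or SmitFraudFix): a small triage script over the HijackThis log format. The HijackThis scan (21:34) was saved after the SDFix (21:12) and SmitFraudFix (21:05) runs, so the O17 NameServer entry and the two "(file missing)" O23 services it lists survived those fixes, and they are the lines a helper would look at first when a browser keeps redirecting, since a per-interface NameServer override points every hostname lookup at whatever resolver is listed there. The script flags O17 servers that are not in a set you supply, marking globally routable ones, and O23 services whose binary is missing or whose vendor is Unknown. The sample log is constructed from lines quoted in the post; EXPECTED_DNS is an assumption standing in for the resolvers the ISP or SpeedTouch modem should be handing out.

```python
"""Triage a HijackThis log: flag DNS servers (O17) you did not configure
and services (O23) whose binary is missing or whose vendor is Unknown.

Added example for this thread; not part of HijackThis or any fix tool.
"""
import ipaddress
import re

# Constructed sample: a subset of the O4/O17/O23 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O23 - Service: .NETSecurity - Unknown - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption: the resolvers this machine is supposed to use (the ISP's, or
# the router's LAN address). Replace with the real ones before relying on it.
EXPECTED_DNS = {"192.168.1.254"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_nameservers(log):
    """Return [(registry key, [server, ...])] for every O17 line in the log."""
    out = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = re.split(r"[\s,]+", m.group("servers").strip())
            out.append((m.group("key"), [s for s in servers if s]))
    return out


def flag_nameservers(log, expected=EXPECTED_DNS):
    """O17 servers not in `expected`. Globally routable addresses you did
    not configure yourself deserve the closest look: such an override
    redirects every name lookup on the box, whatever the browser does."""
    flagged = []
    for key, servers in parse_nameservers(log):
        for s in servers:
            if s in expected:
                continue
            try:
                is_global = ipaddress.ip_address(s).is_global
            except ValueError:
                is_global = None  # not an IP literal; report it anyway
            flagged.append({"key": key, "server": s, "public": is_global})
    return flagged


def flag_services(log):
    """O23 entries worth checking: binary missing on disk, or vendor Unknown."""
    flagged = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if "(file missing)" in m.group("path"):
            reasons.append("file missing")
        if m.group("vendor").strip().lower() == "unknown":
            reasons.append("unknown vendor")
        if reasons:
            flagged.append({"name": m.group("name"),
                            "path": m.group("path"),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_nameservers(SAMPLE_LOG):
        print("O17", f)
    for f in flag_services(SAMPLE_LOG):
        print("O23", f)
```

Run it against a full HijackThis log by reading the file into `flag_nameservers` and `flag_services`; a NameServer entry that is not the ISP's or router's address, whatever tool put it there, is something to verify with the ISP before trusting any lookup the machine makes.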