#1
Registered User
Join Date: Apr 2007
Posts: 8
OS: WinXP
IE6 Hijacked
Hi

I have tried everything to get rid of pop-ups and advertisements coming up on my PC. Yet I still get adverts and pop-ups, mainly from casinos and other sites, always with CiD (if this is any help) in the heading of IE.

Current setup:
Windows XP SP2
IE6 SP2
Spybot SD
NOD32 Antivirus

Here is my HijackThis log, hope someone could please help:

Logfile of HijackThis v1.99.1
Scan saved at 01:00:48 PM, on 2007/04/22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pravin\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [infomathfragdupe] C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath\Time Amok.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Movies Extractor Scout - {D0EBC326-ECA8-446E-93B7-76702C8F3828} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153422061875
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\system32\DNTUS26.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
#2
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: IE6 Hijacked
Welcome underc

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
#4
Registered User
Join Date: Apr 2007
Posts: 8
OS: WinXP
Re: IE6 Hijacked
Deckard's System Scanner v20070423.42
Run by Pravin on 2007-04-27 at 13:20:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
18: 2007-04-27 11:20:18 UTC - RP301 - Deckard's System Scanner Restore Point
17: 2007-04-26 18:43:29 UTC - RP300 - System Checkpoint
16: 2007-04-25 17:56:34 UTC - RP299 - System Checkpoint
15: 2007-04-24 17:25:44 UTC - RP298 - System Checkpoint
14: 2007-04-23 16:33:32 UTC - RP297 - System Checkpoint

-- First Restore Point --
1: 2007-04-05 00:17:08 UTC - RP284 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Pravin.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:22:51 PM, on 2007/04/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\vinay\dss.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE
C:\DOCUME~1\Pravin\Desktop\HIJACK~1\Pravin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [infomathfragdupe] C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath\Time Amok.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Movies Extractor Scout - {D0EBC326-ECA8-446E-93B7-76702C8F3828} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153422061875
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\system32\DNTUS26.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-- HijackThis Fixed Entries (C:\DOCUME~1\Pravin\Desktop\HIJACK~1\backups\) -----

backup-20070422-123600-567 O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
backup-20070422-124403-446 O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 dwvkbd (DameWare Virtual Keyboard 32 bit Driver) - c:\windows\system32\drivers\dwvkbd.sys <Verified; DameWare; DameWare Virtual Keyboard Driver; DameWare Virtual Keyboard Driver Version: 1.0.0.0; DameWare Virtual Keyboard Driver Version: 1.0.0.0 built by: WinDDK>
R1 nod32drv - c:\windows\system32\drivers\nod32drv.sys
R2 AMON - c:\windows\system32\drivers\amon.sys <Verified; Eset; NOD32 Antivirus System; 2, 70, 16; 2, 70, 16>
R3 DwMirror - c:\windows\system32\drivers\damewaremini.sys <Verified; DameWare Development, Inc.; DameWare Development Mirror Display Driver; 1.0.4.0; 1.0.4.0>
R3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys <Verified; VIA Technologies, Inc.; VIA PCI 10/100Mb Fast Ethernet Adapter; 2.66; 2.66>
R3 FilterService (UVC Filter Service) - c:\windows\system32\drivers\lvuvcflt.sys <Verified; Logitech Inc.; Logitech QuickCam; 10.0.0.1438; 10.0.0.1438>
R3 lvpopflt (Logitech POP Suppression Filter) - c:\windows\system32\drivers\lvpopflt.sys <Verified; Logitech Inc.; Logitech QuickCam; 10.0.0.1438; 10.0.0.1438>
R3 lvselsus (Logitech Selective Suspend Filter) - c:\windows\system32\drivers\lvselsus.sys <Verified; Logitech Inc.; Logitech QuickCam; 10.0.0.1438; 10.0.0.1438>
R3 LVUVC (Logitech QuickCam Fusion(UVC)) - c:\windows\system32\drivers\lvuvc.sys <Verified; Logitech Inc.; Logitech QuickCam; 10.0.0.1438; 10.0.0.1438>
R3 viagfx - c:\windows\system32\drivers\vtmini.sys <Verified; Copyright (C) VIA/S3 Graphics, Inc.; UniChrome(Pro) IGP Driver; 6.14.10.0113-16.94.35.11; 6.14.10.0113-16.94.35.11>
S3 iBurstu (iBurst Terminal) - c:\windows\system32\drivers\iburstu.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS; 6, 0, 0, 0; 6, 0, 0, 0>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module; 1.1.0808; 1.1.0808>
R2 StarWindService (StarWind iSCSI Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindservice.exe <Not Verified; Rocket Division Software; StarWind; 2.6.1 Build 0x20050401; 2.6.1 Build 0x20050401>
S3 DNTUS26 (DameWare NT Utilities 2.6) - c:\windows\system32\dntus26.exe <Not Verified; DameWare Development LLC; DameWare Development Remote Command Server; 6, 0, 0, 0; 6, 0, 0, 0>

-- Scheduled Tasks -------------------------------------------------------------

2007-04-27 13:00:00 268 --ah----- C:\WINDOWS\Tasks\AAAB5DFF906CDD17.job

-- Files created between 2007-03-27 and 2007-04-27 -----------------------------

2007-04-22 14:17:48 77312 --a------ C:\WINDOWS\ua2.dll
2007-04-22 13:42:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-22 13:42:29 0 d-------- C:\Documents and Settings\Pravin\Application Data\Mozilla
2007-04-04 21:49:25 0 d-------- C:\WINDOWS\DWRCS Uploads
2007-04-04 21:23:36 229376 --a------ C:\WINDOWS\system32\DWRCSET.dll <Not Verified; DameWare Development LLC; DameWare Development DWRCSET; 6, 0, 0, 0; 6, 0, 0, 0>
2007-04-04 21:23:36 219648 --a------ C:\WINDOWS\system32\DWRCS.EXE <Not Verified; DameWare Development LLC; DameWare Development DWRCS; 6, 0, 0, 0; 6, 0, 0, 0>
2007-04-04 21:23:36 53248 --a------ C:\WINDOWS\system32\DWRCK.DLL <Not Verified; DameWare Development LLC; DameWare Development DWRCK; 6, 0, 0, 0; 6, 0, 0, 0>
2007-04-04 21:20:03 73728 --a------ C:\WINDOWS\system32\DNTUS26.exe <Not Verified; DameWare Development LLC; DameWare Development Remote Command Server; 6, 0, 0, 0; 6, 0, 0, 0>
2007-04-04 20:55:42 0 d-------- C:\Documents and Settings\asvv000\Application Data\Identities
2007-04-04 20:55:13 0 d--h----- C:\Documents and Settings\asvv000\Templates
2007-04-04 20:55:13 0 dr------- C:\Documents and Settings\asvv000\Start Menu
2007-04-04 20:55:13 0 dr-h----- C:\Documents and Settings\asvv000\SendTo
2007-04-04 20:55:13 0 dr-h----- C:\Documents and Settings\asvv000\Recent
2007-04-04 20:55:13 0 d--h----- C:\Documents and Settings\asvv000\PrintHood
2007-04-04 20:55:13 524288 --ah----- C:\Documents and Settings\asvv000\NTUSER.DAT
2007-04-04 20:55:13 0 d--h----- C:\Documents and Settings\asvv000\NetHood
2007-04-04 20:55:13 0 dr------- C:\Documents and Settings\asvv000\My Documents
2007-04-04 20:55:13 0 d--h----- C:\Documents and Settings\asvv000\Local Settings
2007-04-04 20:55:13 0 dr------- C:\Documents and Settings\asvv000\Favorites
2007-04-04 20:55:13 0 d-------- C:\Documents and Settings\asvv000\Desktop
2007-04-04 20:55:13 0 d---s---- C:\Documents and Settings\asvv000\Cookies
2007-04-04 20:55:13 0 dr-h----- C:\Documents and Settings\asvv000\Application Data
2007-04-04 20:55:13 0 d---s---- C:\Documents and Settings\asvv000\Application Data\Microsoft
2007-04-01 18:28:53 0 d-------- C:\Program Files\DVDFab Decrypter 3
2007-04-01 18:28:24 0 d-------- C:\vinay
2007-03-31 18:16:42 0 d-------- C:\Documents and Settings\Pravin\Application Data\dvdcss

-- Find3M Report ---------------------------------------------------------------

2007-04-27 13:20:09 0 d-------- C:\Documents and Settings\Pravin\Application Data\Skype
2007-04-04 08:08:25 0 d-------- C:\Documents and Settings\Pravin\Application Data\Canon
2007-03-02 12:34:06 65536 --a------ C:\WINDOWS\system32\DWRCShell.DLL <Not Verified; DameWare Development LLC; DameWare Development DWRCShell; 6, 0, 0, 0; 6, 0, 0, 0>
2007-03-02 12:34:04 72704 --a------ C:\WINDOWS\system32\DWRCST.EXE <Not Verified; DameWare Development; DameWare Development DWRCST; 6, 0, 0, 0; 6, 0, 0, 0>
2007-02-28 07:39:21 0 d-------- C:\Program Files\Bait Base Readme
2007-02-27 18:59:45 218185 --a------ C:\WINDOWS\xcopy.bin
2007-02-27 18:56:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-02-27 18:56:18 7 --a------ C:\WINDOWS\system32\msp21.dll
2007-02-27 18:56:18 0 d-------- C:\Program Files\Common Files\Softline Pastel
2007-02-27 18:55:44 0 d-------- C:\Program Files\Common Files\Tidestone
2007-02-27 18:55:39 0 d-------- C:\Program Files\Common Files\Data Dynamics
2007-02-27 18:53:37 0 d-------- C:\Program Files\Common Files\Pervasive Software Shared
2007-02-27 18:53:26 199 --a------ C:\WINDOWS\runconfmig.bat
2007-02-27 18:53:22 254002 --a------ C:\WINDOWS\system32\pscore.dll <Not Verified; Pervasive Software Inc.; Pervasive.SQL V8.6; 8.60.192.030; 1.50.192.030>
2007-02-27 18:53:21 544816 --a------ C:\WINDOWS\system32\pscl.dll <Not Verified; Pervasive Software Inc.; Pervasive.SQL V8.6; 8.60.192.030; 1.50.192.030>
2007-02-27 18:53:20 43760 --a------ C:\WINDOWS\system32\nwlocale.dll
2007-02-27 18:53:20 146976 --a------ C:\WINDOWS\system32\mfcoleui.dll <Not Verified; Microsoft Corporation; Microsoft Windows(TM) OLE 2.0 User Interface Support; 2.00; 2.00>
2007-02-27 18:43:12 0 d-------- C:\Documents and Settings\Pravin\Application Data\Sun
2007-02-27 18:36:58 0 d-------- C:\Program Files\Java
2007-02-27 18:36:11 0 d-------- C:\Program Files\Common Files\Java
2007-02-07 20:00:00 28800 --a------ C:\WINDOWS\system32\DamewareDisp.dll <Verified; DameWare Development, Inc.; DameWare Development Mirror Display Driver; 1.0.4.0; 1.0.4.0>

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VTTimer"="VTTimer.exe"
"CorelDRAW Graphics Suite 11b"=""
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"LVCOMSX"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"infomathfragdupe"="C:\\Documents and Settings\\All Users\\Application Data\\PopUploadInfoMath\\Time Amok.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"SafeClose"="C:\\DOCUME~1\\Pravin\\APPLIC~1\\BAITBA~1\\does boob.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2007-04-27 at 13:24:10 ---------
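An added example (not code from the thread, from HijackThis or from DSS) that automates the two checks the moderator's replies rest on: it parses the O4 Run lines of a HijackThis log and flags autoruns launched from a profile's Application Data directory, and lists hosts entries carrying the "## added by CiD" comment. The sample O4 lines are copied from the logs posted above, the hosts excerpt is constructed from two of the entries shown there, and the profile-directory heuristic is this example's own assumption.

```python
"""Triage helper for HijackThis O4 (Run) lines and hosts-file additions.

Added example, not code from the thread, HijackThis or DSS. Flagging autoruns
that launch from a profile's Application Data is this example's own heuristic:
installed software normally lives under Program Files or the Windows directory.
"""
import re

# Lower-cased fragments marking a user-writable profile location, in both the
# long form and the 8.3 short form (APPLIC~1) that appears in the posted log.
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\",
                "\\local settings\\temp\\", "\\locals~1\\temp\\")

# Matches: O4 - HKLM\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def executable_path(cmd):
    """Return the launched executable from a Run value, without its arguments.

    A quoted path ends at the closing quote. An unquoted path may contain
    spaces ("does boob.exe"), so cut after the first ".exe" when present and
    otherwise before the first argument-like token (" /" or " -").
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[:idx + 4]
    m = re.search(r" [/-]", cmd)
    return cmd[:m.start()] if m else cmd


def parse_o4_run(line):
    """Parse one O4 Run line into {'hive', 'name', 'path'}; None for other lines."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"),
            "path": executable_path(m.group("cmd"))}


def launches_from_profile(path):
    """True when the path sits under a per-user or All Users profile data directory."""
    lowered = path.lower()
    return any(frag in lowered for frag in PROFILE_DIRS)


def suspicious_autoruns(hjt_text):
    """O4 Run entries whose target lives in a profile directory, in log order."""
    flagged = []
    for line in hjt_text.splitlines():
        entry = parse_o4_run(line)
        if entry and launches_from_profile(entry["path"]):
            flagged.append(entry)
    return flagged


def tagged_hosts_entries(hosts_text, marker="## added by CiD"):
    """(ip, hostname) pairs for hosts lines that carry the marker comment.

    The DSS output above shows the adware tagging its own additions; mapping a
    vendor's domain to 127.0.0.1 silently blocks that site for the user.
    """
    found = []
    for raw in hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or marker not in line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            found.append((fields[0], fields[1]))
    return found


# Lines copied from the HijackThis log posted above; the O2 line shows that
# non-O4 entries are ignored.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [infomathfragdupe] C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath\Time Amok.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""

# Constructed hosts excerpt: the default localhost line plus two entries taken
# from the DSS output above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
"""

if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_HJT):
        print(f"{e['hive']} [{e['name']}] -> {e['path']}")
    for ip, host in tagged_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {ip}")
```

Run against the full log, the two flagged entries are exactly the ones the moderator singles out (the PopUploadInfoMath autorun and the SafeClose value under APPLIC~1), while every Program Files and Windows-directory entry passes.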
#5
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: IE6 Hijacked
Download fl.zip
http://www.fbeej.ctrlaltdel.dk/Programmer/fl.zip

Extract the contents of fl.zip to a new folder on the Desktop. Within the folder, locate and double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.
#6
Registered User
Join Date: Apr 2007
Posts: 8
OS: WinXP
Re: IE6 Hijacked
Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\All Users\Application Data

2006/08/26 07:59 PM <DIR> Adobe
2006/08/26 08:01 PM <DIR> Adobe Systems
2006/07/24 07:57 PM <DIR> Apple Computer
2006/12/26 03:59 PM <DIR> CyberLink
2006/07/20 08:37 PM <DIR> Kaspersky Lab
2006/10/21 04:01 PM <DIR> Logitech
2006/08/30 05:07 PM <DIR> Messenger Plus!
2007/01/29 05:51 PM <DIR> Microsoft Corporation
2007/03/12 09:09 PM <DIR> Microsoft Help
2007/04/22 03:20 PM <DIR> PopUploadInfoMath
2007/01/29 03:28 PM 1,747 QTSBandwidthCache
2006/08/06 10:41 AM <DIR> ScanSoft
2006/07/22 03:32 PM <DIR> Skype
2007/01/30 06:08 AM <DIR> Spybot - Search & Destroy
2006/08/06 10:31 AM <DIR> SSScanAppDataDir
2006/08/06 10:31 AM <DIR> SSScanWizard
2007/01/29 09:14 PM <DIR> TEMP
2006/07/21 08:58 PM <DIR> Windows Genuine Advantage
2006/08/25 05:30 PM <DIR> Windows Live Toolbar
1 File(s) 1,747 bytes
18 Dir(s) 13,462,147,072 bytes free

Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\asvv000\Application Data

2007/04/04 08:55 PM <DIR> Identities
0 File(s) 0 bytes
1 Dir(s) 13,462,147,072 bytes free

Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\Pravin\Application Data

2006/12/11 04:48 PM <DIR> Adobe
2006/07/21 06:42 PM <DIR> AdobeUM
2006/07/24 08:02 PM <DIR> Apple Computer
2006/07/23 03:36 PM <DIR> ArcSoft
2007/04/04 08:08 AM <DIR> Canon
2006/08/26 07:56 PM <DIR> Corel
2006/12/26 04:00 PM <DIR> CyberLink
2007/03/31 06:16 PM <DIR> dvdcss
2006/07/23 10:31 AM <DIR> Help
2006/07/20 06:34 PM <DIR> Identities
2006/07/21 01:35 PM <DIR> Macromedia
2007/04/22 01:42 PM <DIR> Mozilla
2006/07/22 03:13 PM <DIR> ScanSoft
2007/04/29 12:00 AM <DIR> Skype
2007/02/27 06:43 PM <DIR> Sun
2006/08/26 08:07 PM <DIR> vlc
0 File(s) 0 bytes
16 Dir(s) 13,462,147,072 bytes free

Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\Default User\Application Data

2006/07/20 08:12 PM <DIR> .
2006/07/20 08:12 PM <DIR> ..
2006/07/20 08:12 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 13,462,147,072 bytes free

Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 606A-3C2C

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAAB5DFF906CDD17.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\docume~1\pravin\applic~1\baitba~1\dent bone mail.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Pravin'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/22/2007 12:00:00
NextRun: 04/29/2007 1:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/07/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

#7
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: IE6 Hijacked
C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath < delete that folder
Copy the contents of the code box below into a new Notepad document (not WordPad). Click File > Save As... > call it check.bat > file type *All Files* > and save it to the desktop.
Code:
REM clear the hidden and system attributes so the job file can be deleted
attrib -h -s "c:\windows\tasks\AAAB5DFF906CDD17.job"
REM delete it regardless of attributes, force, no prompt
del /a/f/Q "c:\windows\tasks\AAAB5DFF906CDD17.job"

Uninstall Messenger Plus! Live & Sponsor

In the Windows Control Panel > Java, use the Update tab and update (for security reasons). After that's done you can uninstall the old version: J2SE Runtime Environment 5.0 Update 6

Post a HijackThis 1.99.1 log

First make a new folder, for example C:\AntiSpyWare, and download/save HijackThis to that new folder. This is necessary to ensure you have backups should anything go wrong.
http://www.merijn.org/files/HijackThis.exe
Double click HijackThis.exe, hit "None of the above, just start the program".
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents. Most of what it lists will be harmless or even required, so do NOT fix anything yet.

Last edited by LonnyRJones : 04-28-2007 at 09:45 PM.

#9
Registered User
Join Date: Apr 2007
Posts: 8
OS: WinXP
Re: IE6 Hijacked
Logfile of HijackThis v1.99.1
Scan saved at 02:33:29 PM, on 2007/05/01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\AntiSpyWare\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [infomathfragdupe] C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath\Time Amok.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Movies Extractor Scout - {D0EBC326-ECA8-446E-93B7-76702C8F3828} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153422061875
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\system32\DNTUS26.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#10
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: IE6 Hijacked
Start HijackThis, scan, and place a check next to these items if there.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [infomathfragdupe] C:\Documents and Settings\All Users\Application Data\PopUploadInfoMath\Time Amok.exe
O4 - HKCU\..\Run: [SafeClose] C:\DOCUME~1\Pravin\APPLIC~1\BAITBA~1\does boob.exe
====================================
Hit Fix Checked and close HijackThis.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://castlecops.com/postlite7736-.html

Any problems now?
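Both O4 entries the analyst singles out point into a profile's Application Data folder (one in its 8.3 short form, APPLIC~1), while every legitimate Run entry in the log lives under Program Files or WINDOWS. As an added example, not part of this thread or of HijackThis, the Python below applies that check to O4 Run lines from a HijackThis log; the sample lines are copied from the log posted above, and the parser and the marker list are my own assumptions.

```python
import re

# Constructed sample: four O4 (Run key) lines copied from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKLM\\..\\Run: [infomathfragdupe] C:\\Documents and Settings\\All Users\\Application Data\\PopUploadInfoMath\\Time Amok.exe
O4 - HKCU\\..\\Run: [SafeClose] C:\\DOCUME~1\\Pravin\\APPLIC~1\\BAITBA~1\\does boob.exe
O4 - HKCU\\..\\Run: [Skype] "C:\\Program Files\\Skype\\Phone\\Skype.exe" /nosplash /minimized
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Folders any logged-on user can write to; a Run entry starting a program from here deserves a look.
# The 8.3 short name APPLIC~1 is how the log shows the second bad entry, so both spellings match.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\applic~1\\")

def exe_path(cmd):
    """Return the executable part of a Run command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]  # quoted path: up to the closing quote
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]  # unquoted path may contain spaces

def parse_o4(line):
    """Parse one HijackThis O4 Run line; None for any other kind of line."""
    m = O4_RE.match(line.rstrip())
    if not m:
        return None
    return {"hive": m["hive"], "name": m["name"], "path": exe_path(m["cmd"])}

def is_suspicious(path):
    """True when the executable lives under a user-writable profile folder."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)

def flag_run_entries(log_text):
    """Names of Run entries whose executable sits under Application Data, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and is_suspicious(entry["path"]):
            flagged.append(entry["name"])
    return flagged

if __name__ == "__main__":
    for name in flag_run_entries(SAMPLE_LOG):
        print("review this Run entry:", name)
```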

#12
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: IE6 Hijacked
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic. If you should need to post another log for the same PC let me know via a PM (personal message).