• Announcements

    • LS.Andy

      Support for other products than adaware, ad block, web protection and Web Companion   05/05/2017

      Support for the following products is handled by the Lavasoft support team: Lavasoft Tuneup Kit Lavasoft PC Optimizer Lavasoft Driver Updater Lavasoft Registry Tuner Lavasoft Privacy Toolbox Lavasoft File Shredder Lavasoft Digital Lock

      For help with these products, contact the support team here: http://www.lavasoft.com/support/supportcenter/
       
Sign in to follow this  
Followers 0
yoshidave

Search engine redirect/hijack

17 posts in this topic

Lavasoft,

 

I'm a new forum member. I've been using Ad-Aware SE Personal for a few years now and it's worked out great. But this issue is strange. I've read through some other posts concerning this search engine redirect issue. I feel like user Ai Tak knows what it is but I don't know how to fix it myself. Is this the correct forum for posting scan logs? I have an Ad-Aware log and HijackThis log ready for anyone who would be kind enough to help me.

 

Thanks,

 

Blix

Share this post


Link to post
Share on other sites

Hello,Blix86 & Welcome

 

Please show me both logfiles.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Gogo,

 

Thanks for your help. Here's Ad-Aware first:

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Wednesday, February 07, 2007 1:22:24 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R150 06.02.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):16 total references

Tracking Cookie(TAC index:3):31 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Definition File:

=========================

Definitions File Loaded:

Reference Number : SE1R150 06.02.2007

Internal build : 188

File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref

File size : 979344 Bytes

Total size : 3197605 Bytes

Signature data size : 3180780 Bytes

Reference data size : 16313 Bytes

Signatures total : 83548

CSI Fingerprints total : 5801

CSI data size : 276023 Bytes

Target categories : 15

Target families : 1037

 

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:29 %

Total physical memory:522736 kb

Available physical memory:147788 kb

Total page file size:885992 kb

Available on page file:457808 kb

Total virtual memory:2097024 kb

Available virtual memory:2029520 kb

OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

2-7-2007 1:22:24 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Administrator\Application

 

Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Administrator\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\internet

 

explorer

Description : last download directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\internet

 

explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\microsoft

 

management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\search

 

assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: :

 

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\applets\regedit

Description : last key accessed using the microsoft registry editor

 

 

MRU List Object Recognized!

Location: :

 

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\

 

lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: :

 

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\

 

opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: :

 

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\recentdoc

 

s

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: :

 

S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio

Description : information on the last station listened to using musicmatch radio

 

 

MRU List Object Recognized!

Location: : S-1-5-21-329068152-1085031214-725345543-500\software\microsoft\windows

 

media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 564

ThreadCreationTime : 2-2-2007 4:02:02 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 612

ThreadCreationTime : 2-2-2007 4:02:08 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 640

ThreadCreationTime : 2-2-2007 4:02:12 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 684

ThreadCreationTime : 2-2-2007 4:02:14 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 696

ThreadCreationTime : 2-2-2007 4:02:15 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 892

ThreadCreationTime : 2-2-2007 4:02:18 AM

BasePriority : Normal

FileVersion : 6.14.10.4131

ProductVersion : 6.14.10.4131.01

ProductName : ATI External Event Utility for WindowsNT and Windows9X

CompanyName : ATI Technologies Inc.

FileDescription : ATI External Event Utility EXE Module

InternalName : ATI2EVXX.EXE

LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

OriginalFilename : ATI2EVXX.EXE

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 924

ThreadCreationTime : 2-2-2007 4:02:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1000

ThreadCreationTime : 2-2-2007 4:02:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1096

ThreadCreationTime : 2-2-2007 4:02:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1164

ThreadCreationTime : 2-2-2007 4:02:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1300

ThreadCreationTime : 2-2-2007 4:02:20 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:12 [ccsvchst.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1416

ThreadCreationTime : 2-2-2007 4:02:21 AM

BasePriority : Normal

FileVersion : 106.1.3.3

ProductVersion : 106.1.3.3

ProductName : Symantec Security Technologies

CompanyName : Symantec Corporation

FileDescription : Symantec Service Framework

InternalName : ccSvcHst

LegalCopyright : Copyright © 2000-2006 Symantec Corporation. All rights reserved.

OriginalFilename : ccSvcHst.exe

 

#:13 [appsvc32.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\AppCore\

ProcessID : 1564

ThreadCreationTime : 2-2-2007 4:02:24 AM

BasePriority : Normal

FileVersion : 1.0.00.101

ProductVersion : 1.0

ProductName : Symantec Application Core

CompanyName : Symantec Corporation

FileDescription : Symantec Application Core Service

InternalName : AppSvc32

LegalCopyright : Copyright © 1997-2006 Symantec Corporation

OriginalFilename : AppSvc32.exe

 

#:14 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1676

ThreadCreationTime : 2-2-2007 4:02:25 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:15 [aluschedulersvc.exe]

FilePath : C:\Program Files\Symantec\LiveUpdate\

ProcessID : 964

ThreadCreationTime : 2-2-2007 4:02:32 AM

BasePriority : Normal

FileVersion : 3.1.0.99

ProductVersion : 3.1.0.99

ProductName : LiveUpdate

CompanyName : Symantec Corporation

FileDescription : Automatic LiveUpdate Scheduler Service

InternalName : Automatic LiveUpdate Scheduler Service

LegalCopyright : Copyright © 1996-2006 Symantec Corporation

OriginalFilename : ALUSchedulerSvc.exe

 

#:16 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 408

ThreadCreationTime : 2-2-2007 4:02:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:17 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 688

ThreadCreationTime : 2-2-2007 5:29:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:18 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2036

ThreadCreationTime : 2-2-2007 7:53:20 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:19 [mdm.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\

ProcessID : 2696

ThreadCreationTime : 2-2-2007 8:36:35 AM

BasePriority : Normal

FileVersion : 7.00.9466

ProductVersion : 7.00.9466

ProductName : Microsoft® Visual Studio .NET

CompanyName : Microsoft Corporation

FileDescription : Machine Debug Manager

InternalName : mdm.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : mdm.exe

 

#:20 [symlcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

ProcessID : 3672

ThreadCreationTime : 2-2-2007 10:11:46 AM

BasePriority : Normal

FileVersion : 1.9.1.1034

ProductVersion : 1.9.1.1034

ProductName : Symantec Core Component

CompanyName : Symantec Corporation

FileDescription : Symantec Core Component

InternalName : symlcsvc

LegalCopyright : Copyright © 2003

OriginalFilename : symlcsvc.exe

 

#:21 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2792

ThreadCreationTime : 2-5-2007 9:04:14 PM

BasePriority : Normal

FileVersion : 6.14.10.4131

ProductVersion : 6.14.10.4131.01

ProductName : ATI External Event Utility for WindowsNT and Windows9X

CompanyName : ATI Technologies Inc.

FileDescription : ATI External Event Utility EXE Module

InternalName : ATI2EVXX.EXE

LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

OriginalFilename : ATI2EVXX.EXE

 

#:22 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 3376

ThreadCreationTime : 2-5-2007 9:04:17 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:23 [tgcmd.exe]

FilePath : C:\Program Files\support.com\bin\

ProcessID : 2088

ThreadCreationTime : 2-5-2007 9:04:34 PM

BasePriority : Normal

FileVersion : 5,5,402,0

ProductVersion : 5,5,402,0

ProductName : Support.com Scheduler and Command Dispatcher

CompanyName : Support.com, Inc.

FileDescription : Support.com Scheduler and Command Dispatcher

InternalName : TGCMD

LegalCopyright : Copyright 1997-2069 Support.com

OriginalFilename : TGCMD.EXE

 

#:24 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_10\bin\

ProcessID : 3908

ThreadCreationTime : 2-5-2007 9:04:36 PM

BasePriority : Normal

 

 

#:25 [point32.exe]

FilePath : C:\Program Files\Microsoft IntelliPoint\

ProcessID : 2988

ThreadCreationTime : 2-5-2007 9:04:39 PM

BasePriority : Normal

 

 

#:26 [hpztsb09.exe]

FilePath : C:\WINDOWS\system32\spool\drivers\w32x86\3\

ProcessID : 1064

ThreadCreationTime : 2-5-2007 9:04:40 PM

BasePriority : Normal

FileVersion : 2.236.4.0

ProductVersion : 2.236.4.0

ProductName : HP DeskJet

CompanyName : HP

LegalCopyright : Copyright © Hewlett-Packard Company 1999-2003

 

#:27 [hpwuschd2.exe]

FilePath : C:\Program Files\Hewlett-Packard\HP Software Update\

ProcessID : 1888

ThreadCreationTime : 2-5-2007 9:04:43 PM

BasePriority : Normal

FileVersion : 50.0.146.000

ProductVersion : 050.000.146.000

ProductName : hp digital imaging - hp all-in-one series

CompanyName : Hewlett-Packard Co.

FileDescription : Hewlett-Packard Product Assistant

InternalName : hpwuSchd2

LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2004

OriginalFilename : hpwuSchd2.exe

Comments : Hewlett-Packard Product Assistant

 

#:28 [mim.exe]

FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\

ProcessID : 600

ThreadCreationTime : 2-5-2007 9:04:47 PM

BasePriority : Normal

FileVersion : 10.10.0093

ProductVersion : 10.10.0093

ProductName : Musicmatch Jukebox

CompanyName : Musicmatch, Inc.

FileDescription : mim

InternalName : mim

LegalCopyright : Copyright © Musicmatch 1998-2004

LegalTrademarks :

OriginalFilename : mim.exe

 

#:29 [mmdiag.exe]

FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\

ProcessID : 3920

ThreadCreationTime : 2-5-2007 9:04:48 PM

BasePriority : Normal

FileVersion : 10.10.0093

ProductVersion : 10.10.0093

ProductName : Musicmatch Jukebox

CompanyName : Musicmatch, Inc.

FileDescription : Logging and tracing manager

InternalName : MMTraceExe

LegalCopyright : Copyright © Musicmatch 1998-2004

LegalTrademarks :

OriginalFilename : MMTraceExe.EXE

 

#:30 [hpcmpmgr.exe]

FilePath : C:\Program Files\HP\hpcoretech\

ProcessID : 2444

ThreadCreationTime : 2-5-2007 9:04:48 PM

BasePriority : Normal

FileVersion : 1.7.1.0

ProductVersion : 1.7.1.0

ProductName : hp coretech (COmponent REuse TECHnology)

CompanyName : Hewlett-Packard Company

FileDescription : HP Framework Component Manager Service

InternalName : HPComponentManagerService module

LegalCopyright : Copyright © Hewlett-Packard. 2002-2003

OriginalFilename : HPCmpMgr.exe

 

#:31 [hpotdd01.exe]

FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\

ProcessID : 556

ThreadCreationTime : 2-5-2007 9:04:57 PM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : Hewlett-Packard hpotdd01

CompanyName : Hewlett-Packard

FileDescription : hpotdd01

InternalName : hpotdd01

LegalCopyright : Copyright © 2002

OriginalFilename : hpotdd01.exe

 

#:32 [atidtct.exe]

FilePath : C:\Program Files\ATI Multimedia\main\

ProcessID : 1720

ThreadCreationTime : 2-5-2007 9:04:59 PM

BasePriority : Normal

FileVersion : 9.01.002

ProductVersion : 9.01

ProductName : ATI Multimedia Center

CompanyName : ATI Technologies Inc.

FileDescription : ATI Device Detection Application

InternalName : AtiDtct

LegalCopyright : Copyright © 2003 ATI Technologies Inc.

OriginalFilename : AtiDtct.EXE

 

#:33 [cli.exe]

FilePath : C:\Program Files\ATI Technologies\ATI.ACE\

ProcessID : 3736

ThreadCreationTime : 2-5-2007 9:05:01 PM

BasePriority : Normal

 

 

#:34 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 3072

ThreadCreationTime : 2-5-2007 9:05:08 PM

BasePriority : Normal

FileVersion : 106.1.3.3

ProductVersion : 106.1.3.3

ProductName : Symantec Security Technologies

CompanyName : Symantec Corporation

FileDescription : Symantec User Session

InternalName : ccApp

LegalCopyright : Copyright © 2000-2006 Symantec Corporation. All rights reserved.

OriginalFilename : ccApp.exe

 

#:35 [dsagnt.exe]

FilePath : C:\PROGRA~1\DELLSU~1\

ProcessID : 1428

ThreadCreationTime : 2-5-2007 9:05:40 PM

BasePriority : Below Normal

FileVersion : 1, 1, 0, 73

ProductVersion : 1, 1, 0, 73

ProductName : Dell Support

CompanyName : Gteko Ltd.

FileDescription : Dell Support

InternalName : AUAgent

LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd.

OriginalFilename : AUAgent.exe

 

#:36 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3484

ThreadCreationTime : 2-5-2007 9:05:47 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:37 [atirw.exe]

FilePath : C:\Program Files\ATI Multimedia\RemCtrl\

ProcessID : 3368

ThreadCreationTime : 2-5-2007 9:05:59 PM

BasePriority : Normal

FileVersion : 2.5.0.0

ProductVersion : 2.5.0.0

ProductName : ATI Remote Wonder

CompanyName : ATI Technologies Inc.

FileDescription : ATI Remote Wonder

LegalCopyright : Copyright © 2002-2004 ATI Technologies Inc.

OriginalFilename : ATIRW.EXE

 

#:38 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3828

ThreadCreationTime : 2-5-2007 9:06:33 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:39 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ProcessID : 2412

ThreadCreationTime : 2-5-2007 9:07:22 PM

BasePriority : Normal

FileVersion : 4.7.3001

ProductVersion : Version 4.7.3001

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Windows Messenger

InternalName : msmsgs

LegalCopyright : Copyright © Microsoft Corporation 2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S.

 

and/or other countries.

OriginalFilename : msmsgs.exe

 

#:40 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 528

ThreadCreationTime : 2-7-2007 6:21:36 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@atdmt[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:4

Value : Cookie:administrator@atdmt.com/

Expires : 2-4-2012 7:00:00 PM

LastSync : Hits:4

UseCount : 0

Hits : 4

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@media.fastclick[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@media.fastclick.net/

Expires : 2-7-2007 2:19:20 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@clickbank[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@clickbank.net/

Expires : 8-6-2007 1:16:02 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@ehg-dig.hitbox[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:37

Value : Cookie:administrator@ehg-dig.hitbox.com/

Expires : 2-7-2008 12:11:24 PM

LastSync : Hits:37

UseCount : 0

Hits : 37

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@uk.sitestat[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@uk.sitestat.com/riskwaters/risk/

Expires : 2-6-2012 12:01:08 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@incisivemedia.112.2o7[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@incisivemedia.112.2o7.net/

Expires : 2-6-2012 12:01:10 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@statse.webtrendslive[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:8

Value : Cookie:administrator@statse.webtrendslive.com/

Expires : 2-4-2017 12:44:02 AM

LastSync : Hits:8

UseCount : 0

Hits : 8

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@revsci[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:5

Value : Cookie:administrator@revsci.net/

Expires : 2-2-2027 11:33:14 AM

LastSync : Hits:5

UseCount : 0

Hits : 5

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@msnportal.112.2o7[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@msnportal.112.2o7.net/

Expires : 2-5-2012 7:49:18 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@data.coremetrics[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@data.coremetrics.com/

Expires : 2-6-2022 11:57:54 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@2o7[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:38

Value : Cookie:administrator@2o7.net/

Expires : 2-6-2012 1:14:36 PM

LastSync : Hits:38

UseCount : 0

Hits : 38

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@tribalfusion[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@tribalfusion.com/

Expires : 2-6-2008 7:28:46 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@pro-market[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:administrator@pro-market.net/

Expires : 5-31-2030 7:00:00 PM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@ads.addynamix[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@ads.addynamix.com/

Expires : 2-6-2012 12:11:28 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@live365[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@live365.com/

Expires : 2-11-2012 3:44:22 AM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@doubleclick[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:administrator@doubleclick.net/

Expires : 2-5-2010 4:08:24 PM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@questionmarket[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@questionmarket.com/

Expires : 3-30-2008 4:05:32 AM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@clickz[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:4

Value : Cookie:administrator@clickz.com/

Expires : 1-17-2038 7:00:00 PM

LastSync : Hits:4

UseCount : 0

Hits : 4

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@server.iad.liveperson[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:administrator@server.iad.liveperson.net/

Expires : 2-6-2008 7:51:14 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@server.iad.liveperson[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:5

Value : Cookie:administrator@server.iad.liveperson.net/hc/80503492

Expires : 2-6-2008 7:51:18 PM

LastSync : Hits:5

UseCount : 0

Hits : 5

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@adlegend[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:administrator@adlegend.com/

Expires : 2-6-2017 11:59:14 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@fastclick[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@fastclick.net/

Expires : 2-6-2009 1:16:42 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@mediaplex[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@mediaplex.com/

Expires : 6-21-2009 7:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@advertising[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:12

Value : Cookie:administrator@advertising.com/

Expires : 2-6-2012 12:14:58 PM

LastSync : Hits:12

UseCount : 0

Hits : 12

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@www.stopzilla[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@www.stopzilla.com/

Expires : 2-6-2008 7:50:46 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@zedo[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:15

Value : Cookie:administrator@zedo.com/

Expires : 2-4-2017 11:48:32 AM

LastSync : Hits:15

UseCount : 0

Hits : 15

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@goclick[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:administrator@goclick.com/

Expires : 12-31-2009 7:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@uk.sitestat[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@uk.sitestat.com/riskwaters/

Expires : 2-6-2012 12:01:08 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@247realmedia[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:administrator@247realmedia.com/

Expires : 12-31-2020 7:00:00 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@tacoda[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:66

Value : Cookie:administrator@tacoda.net/

Expires : 2-2-2008 1:07:14 PM

LastSync : Hits:66

UseCount : 0

Hits : 66

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : administrator@hitbox[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:19

Value : Cookie:administrator@hitbox.com/

Expires : 2-7-2008 12:11:24 PM

LastSync : Hits:19

UseCount : 0

Hits : 19

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 31

Objects found so far: 47

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 47

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 47

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 47

 

1:53:14 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:30:50.266

Objects scanned:190265

Objects identified:31

Objects ignored:0

New critical objects:31

Share this post


Link to post
Share on other sites

And now HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 1:54:40 PM, on 2/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\support.com\bin\tgcmd.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\DELLSU~1\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

 

http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented

 

by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

 

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec

 

Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common

 

Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

 

Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader

 

8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader

 

8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel -

 

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file

 

missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/

 

(file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file

 

missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

 

Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

 

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

 

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

 

Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

 

http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

 

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

 

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -

 

https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) -

 

http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

 

http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

 

85.255.116.23,85.255.112.74

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74

O17 - HKLM\System\CS1\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

 

85.255.116.23,85.255.112.74

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

 

C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

 

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common

 

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common

 

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program

 

Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec

 

Shared\VAScanner\comHost.exe

O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program

 

Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

 

Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common

 

Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program

 

Files\WebDrive\wdservice.exe

 

 

Gogo, Do you think it may be the "fake codec installer" thing?

 

Thanks,

Blix

Share this post


Link to post
Share on other sites

Hi,Blix

 

First may i ask that you don't change the look or feel of the logfile

 

 

Run HijackThis

Scan and when it finishes, put a check mark only next to these following items : (if present)

 

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

 

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file

missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/

(file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file

missing)

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

85.255.116.23,85.255.112.74

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74

O17 - HKLM\System\CS1\Services\Tcpip\..\{59394607-DADB-48AB-A4D4-E3FF804DACF8}: NameServer =

85.255.116.23,85.255.112.74

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.23 85.255.112.74

 

Close all browsers and any open Windows, making sure that only HijackThis is open

Click Fix Checked

Close HijackThis

 

-------------------

 

Download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

 

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

 

Once the desktop loads please post the text that will open (report.txt) together with the results from look.txt, present on your desktop and a new Hijackthis log.

 

Note: ONLY if you have connection problems afterwards - go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

 

-------------------

 

Then come back here with a new HijackThis logfile and the Fixwareout report.txt

 

Gogo :D

Share this post


Link to post
Share on other sites

Gogo,

 

Here is file: report.txt. I had windows perform a search, but I couldn't find file: look.txt that you referred to in your last post. :D I will post new HijackThis log next. I've copied and pasted the text directly from the logs. I'm sorry if this changes the look or feel of the logs in any way; I don't know any other way to do it.

 

-Blix

 

Fixwareout

Last edited 1/30/2007

Post this report in the forums please

...

Prerun check

»»»»» HKLM run and Winlogon System values

C:\WINDOWS\System32\kdele.exe will be moved to C:\WINDOWS\temp\kdele.ren at reboot.

 

»»»»» System restarted

Reg Entries that were deleted

...

Random Runs removed from HKLM

...

 

»»»»» Misc files.

 

»»»»» Checking for older varients.

 

»»»»» Postrun check

»»»»» HKLM run

»»»»» Winlogon System value

"system"=""

»»»»»

 

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

 

This WILL/CAN also list Legit Files, Submit them at Virustotal

Search five digit cs, dm kd and jb files.

»»»»»

»»»»» Current runs

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebDriveTray"="C:\\Program Files\\WebDrive\\webdrive.exe /trayicon"

"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"

"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""

"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"

"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"

"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"

"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"

"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"

"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"DellSupport"="\"C:\\PROGRA~1\\DELLSU~1\\DSAgnt.exe\" /startup"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"

 

Hosts file was reset, If you use a custom hosts file please replace it

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 3:05:24 PM, on 2/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\WebDrive\wdservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\WebDrive\webdrive.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\DELLSU~1\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\PdeSrv2.exe

C:\Program Files\HijackThis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

 

http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

 

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

 

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented

 

by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

 

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec

 

Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common

 

Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

 

Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader

 

8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader

 

8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel -

 

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

 

Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

 

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

 

Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

 

http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

 

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

 

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -

 

https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) -

 

http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

 

http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

 

C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

 

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common

 

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common

 

Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program

 

Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec

 

Shared\VAScanner\comHost.exe

O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program

 

Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

 

Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common

 

Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program

 

Files\WebDrive\wdservice.exe

Share this post


Link to post
Share on other sites

Also,

 

I just tried linking to a site from my search engine and I didn't get redirected. Pages seem to load a lot faster now also. :) So, unless you recognize any problems in the new logs I've posted, I think you've solved my problem! What can I do in the future to avoid this?

 

Thanks again for your help. You're the MAN/WOMAN. :D

 

-Blix

Share this post


Link to post
Share on other sites

Hey,Blix86

 

Try this

 

uncheck "word wrap" in Format menu of the Notepad

 

--------------

 

Open notepad and copy and paste next bold in it:

 

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

 

regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"

 

type peek1.txt >> startup.txt

 

type peek2.txt >> startup.txt

 

del peek*.txt

 

start notepad startup.txt

 

post the startup.txt file and new HijackThis logfile

 

and is the PC any better now

 

Gogo :D

Share this post


Link to post
Share on other sites

Gogo,

 

Please excuse my inexperience. I've pasted the bold lines into notepad, but I don't know what to name the file or what to do with it. Also, I can't find file: startup.txt on my computer (windows search returned nothing).

 

Here is new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:05:24 PM, on 2/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\WebDrive\wdservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\WebDrive\webdrive.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\DELLSU~1\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\PdeSrv2.exe

C:\Program Files\HijackThis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

Share this post


Link to post
Share on other sites

Hi,Blix86

 

It's me try it like this please

 

 

Open notepad and copy and paste next bold in it:

 

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

 

regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"

 

type peek1.txt >> startup.txt

 

type peek2.txt >> startup.txt

 

del peek*.txt

 

start notepad startup.txt

 

Save this as lookdisable.bat , choose to save as *all files and place it on your desktop.

 

This is how the batch must look after you created it:bat.JPG

 

Doubleclick on lookdisable.bat and post the contents of it here.

 

 

Gogo ;)

Share this post


Link to post
Share on other sites

Gogo,

 

Here is the .bat:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATI Launchpad]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKCU"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="BCMSMMSG"

"hkey"="HKLM"

"command"="BCMSMMSG.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="igfxtray"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\igfxtray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intel system tool]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="svehost"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\svehost.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SFP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="vzSFPWin"

"hkey"="HKCU"

"command"="C:\\Program Files\\Common Files\\Verizon Online\\SFP\\vzSFPWin.EXE /s"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\stats1]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="stats1"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\stats1.exe"

"inimapping"="0"

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

Share this post


Link to post
Share on other sites

Hi,Blix86

 

 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

 

Backup the Registry:

 

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK

It won't appear to be doing anything, that's normal.

Your mouse pointer may turn to an hour glass for a minute.

Please continue when it no longer has the hour glass.

 

------------------

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

NOTE: do not copy the word quote

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intel system tool]

 

Save this as fix.reg Choose to save as *all files and place it on your Desktop.

It should look like this:reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

------------------

 

Download The Avenger Copyright © Swandog46

You must extract avenger.exe to your desktop, before you run it.

 

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

 

 

Copy all the text contained in the code box below to your Clipboard.

NOTE: don't copy the word quote

 

Files to delete:

C:\Windows\System32\svehost.exe

 

The above script is for this user only, if you need help please start your own thread.

 

Start the Avenger.

Under "Script file to execute" choose "Input Script Manually".

Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

Paste the entire text in into this window.

Click done, now click on the Green Light

Answer "Yes" twice when prompted.

Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.

 

After the restart, it will create a log file that should open.

This log file will be located at C:\avenger.txt

 

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

 

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

 

 

-----------------

 

Then come back here so we may do are last steps here.

 

 

Gogo ;)

Share this post


Link to post
Share on other sites
I'm a new forum member. I've been using Ad-Aware SE Personal for a few years now and it's worked out great. But this issue is strange. I've read through some other posts concerning this search engine redirect issue. I feel like user Ai_Tak knows what it is but I don't know how to fix it myself. Is this the correct forum for posting scan logs? I have an Ad-Aware log and HijackThis log ready for anyone who would be kind enough to help me.
Yes, you were correct, you were infected with the fake codec trojan (aka wareout, aka zlob, aka trojan.flush, aka kedr) that I have been focusing on recently.

 

The other helpers around here are now fully aware of this trojan and have got you going on the right track.

 

Do you remember how/when/where you got infected? Also, skim over the fake codec trojan page (ignore anything that is too technical) and see if any of it seems familiar.

Share this post


Link to post
Share on other sites

Gogo,

 

Here is the Avenger log. I think it couldn't find file: svehost.exe because I may have deleted it manually yesterday ^_^ (I've been going through msconfig and regedit myself trying to delete viruses/spyware/other unecessary crap, etc.). But here it is anyway, next post is new HijackThis:

 

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fsjksvld

 

*******************

 

Script file located at: \??\C:\WINDOWS\wftcicbc.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File C:\Windows\System32\svehost.exe not found!

Deletion of file C:\Windows\System32\svehost.exe failed!

 

Could not process line:

C:\Windows\System32\svehost.exe

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Share this post


Link to post
Share on other sites

And new HijackThis logfile:

 

Logfile of HijackThis v1.99.1

Scan saved at 4:44:50 PM, on 2/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\WebDrive\wdservice.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\PROGRA~1\DELLSU~1\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\PdeSrv2.exe

C:\Program Files\HijackThis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [stats1] C:\WINDOWS\system32\stats1.exe

O4 - HKLM\..\Run: [intel system tool] C:\WINDOWS\system32\svehost.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [sFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: hpdj - HP - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Share this post


Link to post
Share on other sites
Yes, you were correct, you were infected with the fake codec trojan (aka wareout, aka zlob, aka trojan.flush, aka kedr) that I have been focusing on recently.

 

The other helpers around here are now fully aware of this trojan and have got you going on the right track.

 

Do you remember how/when/where you got infected? Also, skim over the fake codec trojan page (ignore anything that is too technical) and see if any of it seems familiar.

 

Ai_Tak,

 

Glad you could weigh in on this issue. Unfortunately, I'm not the only person to use this computer, so I can't be absolutely certain when it got infected. I noticed it about a week ago. At first, I thought it was just bad links/websites but after a while I noticed a pattern and that even legit sites were doing it. Also, I think it caused my browser to be unable to load certain websites that I regularly travel to (is this called "DoS"?). Sorry I can't give you more specific details.

 

Gogo has been extremely helpful and I'm no longer experiencing this problem. I'll read over the fake codec trojan page and if I notice anything I'll post here.

 

Thanks,

Blix

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0