google redirect 2

Sounds like you have picked up something like CoolWebSearch - not nice.

Download Hijackthis from
Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't do anything else with Hijackthis, at this stage it's just a diagnostic tool.

Here it is hopefully you can see a problem.
Logfile of HijackThis v1.99.1
Scan saved at 10:00:39 PM, on 12/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\anvshell.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmthi.exe] C:\WINNT\system32\dmthi.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - O16 - DPF: {11111111-1111-1111-1111-111111111111} - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (AuroraPlugin Class) - O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{900B2F62-305B-4BE8-AF3F-D90569A41ACA}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\..\{15C5FDF1-67FB-4B25-929C-FA5C1275DC0E}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINNT\System32\PSSDNSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



Glen

Download the pocket killbox




Please download FixWareout from one of these sites:




Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix -
Scroll down to get XP Fix

And run FixWareout again.






have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [dmthi.exe] C:\WINNT\system32\dmthi.exe
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - O17 - HKLM\System\CCS\Services\Tcpip\..\{900B2F62-305B-4BE8-AF3F-D90569A41ACA}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\..\{15C5FDF1-67FB-4B25-929C-FA5C1275DC0E}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
* Go to Control Panel. - If you are using Windows XP's Category View, select
the Network and Internet Connections category. If you are in Classic View,
go to the next step .

* Double-click the Network Connections icon
* Right-click the Local Area Connection icon and select Properties.
* Hilight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.



* Restart your computer.


* Got to Start > Run and type in cmd.
Click OK.
Type this line in the command window:

ipconfig /flushdns

Hit Enter.


Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box.Then click yes
to reboot after you entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINNT\system32\dmthi.exe



post another log and the fix wareout log!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

thanks pechenegs i've changed drives but will try that when I put the old drive back in

Glen

Pechenegs thank a bunch! it worked a treat . When I ran killbox there was no file to delete though. here's my hyjack this log now.
Logfile of HijackThis v1.99.1
Scan saved at 11:55:37 PM, on 26/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\anvshell.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\virichecks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - O16 - DPF: {11111111-1111-1111-1111-111111111111} - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (AuroraPlugin Class) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINNT\System32\PSSDNSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



Glen

have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - O16 - DPF: {11111111-1111-1111-1111-111111111111} - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -




* Click here to download ATF Cleaner by Atribune and save it to your desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.



Download AVG Anti-Spyware



* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run Ewido and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"



Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.




Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
controls not marked as safe" to 'disable'.


Active X settings




Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the AVG Anti-Spyware log and active scan logs



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

Well I must have the cleanest pc in existance LOL.
here's my latest log;
Logfile of HijackThis v1.99.1
Scan saved at 10:03:52 AM, on 28/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\anvshell.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Creative\SBAudigy\PlayCenter2\CTPlay2.exe
C:\Documents and Settings\Administrator\Desktop\virichecks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (AuroraPlugin Class) - O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINNT\System32\PSSDNSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks for your help!

Glen

clean log! You're welcome!



You should now turn off system restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.


How to turn off system restore







Here's some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from




get the hosts file from here.Unzip it to a folder!





put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

when you visit innocent-looking sites that aren't actually innocent at all.





Arovaxshield Protect agianst hijackers etc!



Use spybot's immunize button and use spywareblaster' enable
protection once you update it. you can put spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's firefox browser, it's safer, has
a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
e-mail client.



Another good and free browser is Opera!



Read here to see how to tighten your security:



A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.




you can mark your own thread solved through thread tools at the top of
the page.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

you can mark your own thread solved through thread tools at the top of
the page.

Click to expand...

Thanks again for all your help but I don't see the tool you speak of.

Glen

You should now turn off system restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.

Click to expand...

Running 2K server

Glen

Ok forget those bits!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

I'm having problems with the Google redirects, as well. It's not the CoolWebSearch problem, because I ran CWShredder, and it didn't find any of those CWS.* files on my computer.

I did the HiJackThis thing, and I've saved my log. I'm hoping someone will look at it and help me with my problem. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:57 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0

\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
I:\Program Files\Movielink\MovielinkManager\Movielink User.exe
I:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
I:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Okidata\Print Job Accounting\oklogsvc.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Okidata\Print Job Accounting\okwchsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
I:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Faydra D. Fields\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - I:\PROGRA~1\TEXTAL~1

\TAForIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0

\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio

Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6

\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6

\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"

/STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common

Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [LoadMSvcmm] "I:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mstss] C:\Program Files\SysObjectsEX\mstss.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0

\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "I:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

Loader.exe
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common

Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0

\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = I:\Program Files\Kodak\Kodak EasyShare

software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software

Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5

\ScannerFinder.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common

Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11

\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1

\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}

- C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program

Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %

windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) -

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation

Tool) - O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) -

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -

O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) -


f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) -

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) -

O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) -

O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) -

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class

v8) - O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) -

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -

O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) -

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) -

O16 - DPF: {AF54BFA2-474E-4B82-A5F3-B79E6F7A80B1} (QuickBooks Online Edition Import Utilities

Class v4) - O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2F256F-2650-486B-BFA4-5A61ABE00AE0}:

NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB3FB91B-0AF0-4FEE-8310-8D77314F52D8}:

NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32

\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service

(file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program

Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program

Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. -

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Movielink Core Service - Movielink LLC - I:\PROGRA~1\MOVIEL~1\MOVIEL~1

\MOVIEL~1.EXE
O23 - Service: Print Job Accounting (OkiJaSvc) - Oki Data Corporation - C:\Program Files\Okidata\Print

Job Accounting\oklogsvc.exe
O23 - Service: Print Job Accounting Watch Service (OkiWchSvc) - Oki Data Corporation - C:\Program

Files\Okidata\Print Job Accounting\okwchsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program

Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common

Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

you've been hit by the Ukranians and smitfraud!



Please download FixWareout from one of these sites:




Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix -
Scroll down to get XP Fix

And run FixWareout again.



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB3FB91B-0AF0-4FEE-8310-8D77314F52D8}:

NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12



* Go to Control Panel. - If you are using Windows XP's Category View, select
the Network and Internet Connections category. If you are in Classic View,
go to the next step .

* Double-click the Network Connections icon
* Right-click the Local Area Connection icon and select Properties.
* Hilight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.



* Restart your computer.


* Got to Start > Run and type in cmd.
Click OK.
Type this line in the command window:

ipconfig /flushdns

Hit Enter.



Please download
SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.




Download AVG Anti-Spyware



* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



* Click here to download ATF Cleaner by Atribune and save it to your desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.

2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:





Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.






Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.



reboot to normal mode and run a few online scans!



Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,



double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the portion of the scan that lists infected items and hold
CTRL + C to Copy then paste it here. The whole log with be extremely
big so there is no way to copy the whole thing. I just need the
infected items list.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

Thanks so much.