Security >> HijackThis logs help and analysis
LThompson (new user)
Strange redirections
#389371 - Tue Mar 25 2008 12:41 PM

I'm also being redirected to 'find-thricecock.com'. Can you help?

I didn't mean to start a new thread.

ComboFix

ComboFix 08-03-23.2 - Liam 2008-03-25 12:33:18.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.169 [GMT 0:00]
Running from: C:\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-24 22:36 . 2008-03-24 22:36 <DIR> d-------- C:\Program Files\Free-Antivirus.eu
2008-03-21 14:51 . 2008-03-21 14:51 <DIR> d--hs---- C:\FOUND.027
2008-03-21 12:55 . 2008-03-21 12:55 86 --a------ C:\WINDOWS\wininit.ini
2008-03-21 12:16 . 2008-03-21 12:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 12:16 . 2008-03-21 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 18:09 . 2008-03-20 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 16:18 . 2008-03-20 16:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-20 14:42 . 2008-03-20 14:42 <DIR> d-------- C:\Program Files\FRISK Software
2008-03-20 14:42 . 2008-03-20 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-03-20 14:06 . 2008-03-20 14:06 <DIR> d-------- C:\fsaua.data
2008-03-20 13:54 . 2008-03-20 13:54 16,464 -r-hs---- C:\Program Files\tmp3.exe
2008-03-20 13:54 . 2008-03-20 13:54 16,464 -r-hs---- C:\Program Files\tmp2.exe
2008-03-20 13:54 . 2008-03-20 13:54 16,464 -r-hs---- C:\Program Files\tmp1.exe
2008-03-20 13:54 . 2008-03-20 13:54 16,464 -r-hs---- C:\Program Files\tmp0.exe
2008-03-18 17:56 . 2008-03-21 12:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-18 17:56 . 2008-03-18 17:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-16 22:47 . 2008-03-16 22:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-14 11:17 . 2008-03-14 11:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-14 10:51 . 2008-03-14 10:51 <DIR> d-------- C:\Program Files\Windows Live
2008-03-14 10:51 . 2008-03-14 10:51 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-14 10:46 . 2008-03-14 10:46 <DIR> d-------- C:\WINDOWS\Performance
2008-03-14 10:46 . 2008-03-14 10:46 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2008-03-14 10:46 . 2008-03-14 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-03-14 10:38 . 2008-03-14 10:38 <DIR> d-------- C:\Documents and Settings\Liam\Bluetooth Software
2008-03-14 10:30 . 2008-03-14 10:30 <DIR> d-------- C:\Program Files\WIDCOMM
2008-03-14 10:30 . 2008-03-14 10:28 879,496 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2008-03-14 10:30 . 2008-03-14 10:28 539,432 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2008-03-14 10:30 . 2008-03-14 10:28 156,392 --a------ C:\WINDOWS\system32\drivers\btwdndis.sys
2008-03-14 10:30 . 2008-03-14 10:28 55,352 --a------ C:\WINDOWS\system32\drivers\btwhid.sys
2008-03-14 10:30 . 2008-03-14 10:28 37,424 --a------ C:\WINDOWS\system32\drivers\btport.sys
2008-03-14 10:30 . 2008-03-14 10:28 37,280 --a------ C:\WINDOWS\system32\drivers\btwmodem.sys
2008-03-06 13:03 . 2008-03-06 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-01 12:58 . 2008-03-01 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-28 21:40 . 2008-02-28 21:40 <DIR> d-------- C:\Program Files\uTorrent
2008-02-28 21:40 . 2008-02-28 21:40 <DIR> d-------- C:\Documents and Settings\Liam\Application Data\uTorrent
2008-02-28 17:13 . 2008-02-28 17:13 <DIR> d-------- C:\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 10:28 966,656 ----a-w C:\WINDOWS\system32\btrez.dll
2008-03-14 10:28 74,656 ----a-w C:\WINDOWS\system32\drivers\btwusb.sys
2008-02-17 21:41 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-13 19:07 --------- d-----w C:\Program Files\Promotion Wars 1.3
2008-02-10 14:35 31,592 ----a-w C:\Documents and Settings\Liam\Application Data\GDIPFONTCACHEV1.DAT
2008-01-29 20:08 --------- d-----w C:\Program Files\TVAnts
2008-01-29 20:05 --------- d-----w C:\Program Files\SopCast
2008-01-29 19:05 --------- d-----w C:\Program Files\Virtools
2008-01-29 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-27 22:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2006-12-06 19:55 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012006120620061207\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-15 13:22 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-12 21:36 180269]
"antiviirus"="C:\Program Files\antiviirus.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-11 12:26:12 576104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DrvAvp"= {1fd261a0-e920-4680-b20b-f3fe6382e6ea} - C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea}\DrvAvp.dll [2008-03-20 13:54 14378]
"zip"= {14a74bd0-1949-4b46-abc0-e2f98dd2c89b} - C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b}\zip.dll [2008-03-20 13:54 23330]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\TVANTS\\Tvants.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\System32\\rtcshare.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56456:TCP"= 56456:TCP:Azureus

R3 BELKIN;Belkin Wireless G USB Network Adapter;C:\WINDOWS\system32\DRIVERS\BLKWGU.sys [2007-06-01 05:13]
S2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys []
S3 asbp2poa;asbp2poa;C:\DOCUME~1\Liam\LOCALS~1\Temp\asbp2poa.sys []
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Liam\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\YH920GS.sys [2004-06-24 13:52]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 16:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 11:01:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 12:37:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea}\DrvAvp.dll
-> C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
.
**************************************************************************
.
Completion time: 2008-03-25 12:39:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 12:39:12
ComboFix2.txt 2008-03-23 21:08:18
.
2008-03-21 12:34:29 --- E O F ---

HiJackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:34, on 2008-03-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CF23424.exe
C:\WINDOWS\system32\CF23424.exe
C:\Downloads\HiJackThis_v2.exe
C:\ComboFix\pv.cfexe
C:\WINDOWS\system32\CF23424.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mfc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O21 - SSODL: DrvAvp - {1fd261a0-e920-4680-b20b-f3fe6382e6ea} - C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea}\DrvAvp.dll
O21 - SSODL: zip - {14a74bd0-1949-4b46-abc0-e2f98dd2c89b} - C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b}\zip.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

--
End of file - 4531 bytes

Edited by LThompson (Tue Mar 25 2008 12:52 PM)


ourwilly (HijackThis Helper, England)
Re: Strange redirections [Re: LThompson]
#389428 - Tue Mar 25 2008 08:13 PM

Hello LThompson

Please print out these instructions or copy and paste this fix into Notepad for future reference as you will be required to reboot into Safe Mode.

------------------------

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All. Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Thank you.


LThompson (new user)
Re: Strange redirections [Re: ourwilly]
#389477 - Wed Mar 26 2008 10:58 AM

Hi there,

SDFix Log

SDFix: Version 1.162

Run by Liam on 26/03/2008 at 10:44

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea}\DrvAvp.dll - Deleted
C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b}\zip.dll - Deleted



Folder C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea} - Removed
Folder C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b} - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 10:50:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\TVANTS\\Tvants.exe"="C:\\Program Files\\TVANTS\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\System32\\rtcshare.exe"="C:\\WINDOWS\\System32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 22 Jun 2004 156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Tue 22 Jun 2004 54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Tue 22 Jun 2004 31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Wed 4 Apr 2001 28,738 A..HR --- "C:\Office\MSDE2000\SQLRESLD.DLL"
Sat 15 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 13 Mar 2006 24,576 ...H. --- "C:\Documents and Settings\Liam\My Documents\~WRL0005.tmp"
Thu 20 Mar 2008 14,378 A.SH. --- "C:\System Volume Information\_restore{0C9EF9C2-7D01-445B-A741-C4A7D70D1580}\RP278\A0117260.dll"
Thu 20 Mar 2008 23,330 A.SH. --- "C:\System Volume Information\_restore{0C9EF9C2-7D01-445B-A741-C4A7D70D1580}\RP278\A0117261.dll"
Tue 30 May 2006 20 A..H. --- "C:\Shared\Music Albums\License Backup\drmv1lic.bak"
Sat 15 Oct 2005 4,348 A..H. --- "C:\Shared\Music Albums\License Backup\drmv1key.bak"
Sun 30 Oct 2005 400 A.SH. --- "C:\Shared\Music Albums\License Backup\drmv2key.bak"
Fri 16 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"
Thu 15 Sep 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

HiJackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:58:11, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mfc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

--
End of file - 4350 bytes

-------------------------------------------

Thanks
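The two HijackThis logs and the ComboFix report in this thread are read by hand above: the O21 SSODL entries loading DLLs out of C:\WINDOWS\Installer\{GUID}\, the O4 Run value "antiviirus" whose target ComboFix shows as "[ ]" (no file behind it), the Security Center AntiVirusOverride switch, and then the second log checked to confirm those entries are gone. The script below is an added example, not part of HijackThis, ComboFix, SDFix or any post in this thread, that automates exactly those checks: it parses the O4/O21/O23 lines of a HijackThis log, applies a few path-based heuristics (the heuristics and their thresholds are this example's own, not rules from either tool), picks the two ComboFix tell-tales out of a report, and diffs a before/after pair of logs entry by entry. The sample input is a constructed subset of lines copied from the logs posted above.

```python
"""Triage helpers for HijackThis (HJT) logs and ComboFix reports.

Added example for this thread; not code from HijackThis, ComboFix or SDFix.
The heuristics below are the example's own, so treat every flag as a lead to verify.
"""
import re
from typing import Dict, List, Tuple

# "O21 - SSODL: ..."  ->  kind "O21", rest "SSODL: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
# First Windows path in an entry that ends in an executable or library extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl))', re.IGNORECASE)
# ComboFix prints "[date time size]" after each Run target; "[ ]" means it found no file.
CF_MISSING_RE = re.compile(r'^"[^"]+"="[^"]*" \[ \]$')

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}   # where Windows' own SSODL DLLs live
SHALLOW_DIRS = {"c:", r"c:\program files"}              # installers create a subfolder; droppers often don't


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Return (kind, rest, path) for every R*/O* entry; path is '' when the line has none."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m.group("rest"))
            entries.append((m.group("kind"), m.group("rest"), p.group(1) if p else ""))
    return entries


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage(log: str) -> Dict[str, List[str]]:
    """Heuristic findings keyed by reason; each value lists the offending entry text."""
    flags: Dict[str, List[str]] = {}
    for kind, rest, path in parse(log):
        d = parent_dir(path) if path else ""
        if kind == "O21" and d not in SYSTEM_DIRS:
            # Shell Service Objects are loaded into explorer.exe at logon; a DLL under
            # C:\WINDOWS\Installer\{GUID}\ is not where a legitimate one gets installed.
            flags.setdefault("SSODL DLL outside the Windows directories", []).append(rest)
        if kind == "O4" and d in SHALLOW_DIRS:
            flags.setdefault("autorun executable dropped in a root directory", []).append(rest)
        if kind == "O23" and "Unknown owner" in rest:
            flags.setdefault("service with no vendor string (verify manually)", []).append(rest)
    return flags


def combofix_flags(report: str) -> List[str]:
    """Two ComboFix tell-tales: a Run value with no file behind it, and AV alerting switched off."""
    out = []
    for line in report.splitlines():
        s = line.strip()
        if CF_MISSING_RE.match(s):
            out.append("Run value points at a missing file: " + s)
        elif s.lower() == '"antivirusoverride"=dword:00000001':
            out.append("Security Center antivirus alerting overridden: " + s)
    return out


def diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(removed, added) HijackThis entries between two logs of the same machine."""
    b = {f"{k} - {r}" for k, r, _ in parse(before)}
    a = {f"{k} - {r}" for k, r, _ in parse(after)}
    return sorted(b - a), sorted(a - b)


# Constructed sample input: a subset of lines copied from the two HijackThis logs
# and the ComboFix report posted in this thread, not the full logs.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: DrvAvp - {1fd261a0-e920-4680-b20b-f3fe6382e6ea} - C:\WINDOWS\Installer\{1fd261a0-e920-4680-b20b-f3fe6382e6ea}\DrvAvp.dll
O21 - SSODL: zip - {14a74bd0-1949-4b46-abc0-e2f98dd2c89b} - C:\WINDOWS\Installer\{14a74bd0-1949-4b46-abc0-e2f98dd2c89b}\zip.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
"""
COMBOFIX_LINES = r"""
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-15 13:22 98304]
"antiviirus"="C:\Program Files\antiviirus.exe" [ ]
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for reason, entries in triage(BEFORE_LOG).items():
        print(reason, *entries, sep="\n    ")
    print(*combofix_flags(COMBOFIX_LINES), sep="\n")
    removed, added = diff(BEFORE_LOG, AFTER_LOG)
    print("removed by the cleanup:", *removed, sep="\n    ")
    print("new after the cleanup:", *added, sep="\n    ")
```

Run against the full logs, the diff is the useful part: the two O21 entries and the "antiviirus" Run value disappear between the first and second log, while the only additions are the AVG Anti-Spyware Run value and service the helper asked for. The "Unknown owner" O23 flag on the AOL service is a prompt to check the binary, not a verdict; HijackThis simply had no vendor string to show for it.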


ourwilly (HijackThis Helper, England)
Re: Strange redirections [Re: LThompson]
#389512 - Wed Mar 26 2008 04:29 PM

Hello LThompson

Please reboot your computer and enter Safe Mode (tap the F8 key just before Windows starts to load, then select Safe Mode).

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software" and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you performed, select "Save report as" and save to your desktop. The default file name will be in date/time format: Report-Scan-200706-1606. A copy of each report will be saved in C:\Documents and Settings\<user profile>\Application Data\Grisoft\AVG Antispyware 7.5\Reports.
  • If you installed AVG AS over a previous version, reports are saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • If you are a Vista user, reports are saved in C:\Users\<username>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and post the AVG log report and a new HijackThis log.

Thank you

