
DNS Hijacked


Name: rasper
Date: July 11, 2008 at 19:28:08 Pacific
OS: Vista SP1
CPU/Ram: T770@2.4GHz / 4GB
Product: Dell Precision M4300
Comment:

Soon after I installed a DivX video codec, I started experiencing a DNS hijack problem. It doesn't matter which browser I use (IE or Firefox), any URL clicked on a Google search results page leads to some kind of advertising, not the site listed on the Google search results page. While DNS hijacks are not new, I can't find this particular symptom out there. I've tried four tools: Norton AV, Windows Defender, SpyBot Search & Destroy and TrojanHunter. None of them have identified the problem, much less fixed it. I'm starting to wonder if this is a new one.

There is a relatively simple (but annoying) workaround, which is to not click on any links in Google search results but use "Copy Shortcut" instead and paste that into the browser bar. The malware doesn't seem to care about that, just Google search results.

Another symptom is that regardless of how I attempt to reset my IP driver properties (including re-installing the driver), it always manages to force my DNS option to static instead of from DHCP. I'm assuming it needs this in order to hijack the DNS.

In any event, I'm getting concerned about not finding a solution to this so I'm asking for some help. I have a HijackThis 2.0.2 log ready to go if someone requests it.

Reid.





Response Number 1
Name: btk1w1
Date: July 11, 2008 at 19:49:45 Pacific
Reply:

Heya Reid

Feel free to post your HJT log if you wish.

Beforehand, alternatively you can run the tools at the link below then paste a fresh HJT log.

The links on the page are all direct downloads with the exception of SUPERAntispyware and the online virus scanners which take you to the download location.

http://www.computing.net/answers/se...



Response Number 2
Name: rasper
Date: July 11, 2008 at 21:43:40 Pacific
Reply:

Hi btk1w1,

I'll run those items and post the HJT log. But, first, an update: AVG Anti-Spyware was unable to resolve the problem from Safe Mode. I noted in a similar post that this had worked for someone else, albeit on XP SP2. AVG did find three viruses and cleaned them (first thing found by any anti-virus software), but I still have the same symptoms.

I'll run those tools and update the HJT and post shortly.



Response Number 3
Name: rasper
Date: July 11, 2008 at 21:46:26 Pacific
Reply:

Oh, btw, one other symptom to report. After I reboot the computer, Vista tells me that IE crashed and offers to find a solution or close the program. It never finds a solution, so I always close it. Note that whatever IE process is crashing, it isn't my active browser. It's some background IE process that never produces a window. This happens about 5 or 6 times after a reboot and then stops. Not sure if that's related, but it might be.



Response Number 4
Name: rasper
Date: July 11, 2008 at 23:31:44 Pacific
Reply:

I ran ATF Cleaner.

MBAM found nothing. Moving on to SUPERAntiSpyware.

Malwarebytes' Anti-Malware 1.20
Database version: 941
Windows 6.0.6001 Service Pack 1

23:28:02 7/11/2008
mbam-log-7-11-2008 (23-28-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176030
Time elapsed: 1 hour(s), 14 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)



Response Number 5
Name: rasper
Date: July 12, 2008 at 10:01:31 Pacific
Reply:

SUPERAntiSpyware was fun (not!)

I think the malware knows about this tool. Any attempt to download it through the usual links redirected me somewhere else. I managed to get it through an indirect means, but it took a while to find a way that the malware couldn't intercept the DNS request. I looked up the IP address on another computer and used that to do the download.

Once I did get it installed, it complained that it couldn't update its definitions and to turn off the firewall. I did that and got the same error. So, I just let it run without update - best I could do.

SUPERAntiSpyware found 10 instances of the Adware.Tracking cookie. This, amazingly, seems to have fixed the problem.

While SUPERAntiSpyware was running, I got 32 instances of "Internet Explorer has stopped working" messages. After a reboot, I didn't get any and I could click on google search result links without being redirected to advertising. However, I'm still skeptical that a cookie could do this because it was affecting two browsers (IE, Firefox). All the cookies SUPERAntiSpyware found were stored in an IE location yet Firefox doesn't exhibit the symptom after the IE cookies were removed. Seems curious to me.

For completeness' sake, I've included my HJT log below. I'll report back here if symptoms show up again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:55:57, on 7/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\NOTEPAD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.exe C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [EZNETDNS] C:\Program Files\Solid Oak Software\EZDNSWatch\EZDNSWatch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manage...
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://controlcenter.rinksys.com/inc/kaxRemote.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E647EE-AFE5-4086-B41C-56DA652E7DEA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14809 bytes


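Reid's workaround in the reply above, resolving the download host on a clean machine and fetching it by IP, is a manual version of a resolver cross-check. The script below is an added example written for this page, not code from the thread or from any tool it mentions. It asks the operating system's resolver for a name (the same path a browser takes, so the hosts file, any Winsock layered or namespace providers and the configured servers are all in play) and, separately, sends a raw UDP query to a reference resolver, then compares the two answer sets. Only the Python standard library is used. The hostname, the choice of 9.9.9.9 (Quad9) as reference, and the 192.0.2.x addresses in the offline self-check are assumptions for the example; the OpenDNS address comes from the log in this thread.

```python
import random
import socket
import struct


def encode_name(name):
    """Encode a hostname as DNS labels: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Build a minimal RFC 1035 query for the A record of `name`.
    Returns (txid, packet); txid is random so a spoofed reply has to guess it."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only, 1 question
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return txid, header + question


def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response.
    The transaction-id check is the only thing standing between a plain UDP
    client and a trivially spoofed answer, so it is enforced here."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                    # CNAME and other records are skipped
    return addrs


def query_a(name, server, port=53, timeout=3.0):
    """Send one UDP query straight to `server`, bypassing the OS resolver path."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def os_resolver_a(name):
    """What the OS resolver (hosts file, LSP/NSP chain, configured servers) answers."""
    return set(socket.gethostbyname_ex(name)[2])


def classify(local_answers, reference_answers):
    """Compare the OS resolver's answers with the reference resolver's answers."""
    if not local_answers:
        return "NO_LOCAL_ANSWER"
    if local_answers == reference_answers:
        return "MATCH"
    if local_answers & reference_answers:
        return "OVERLAP"        # CDNs rotate addresses; partial overlap is usually benign
    return "DIVERGENT"          # nothing in common: inspect the local resolver path


def build_response(txid, name, addrs, ttl=60):
    """Construct a response packet offline; used only to exercise the parser."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)  # name: pointer to offset 12
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Live check (needs network). Hostname and reference resolver are placeholders.
    host = "www.example.com"
    local = os_resolver_a(host)
    reference = query_a(host, "9.9.9.9")          # Quad9, assumed reference resolver
    print(classify(local, reference), sorted(local), sorted(reference))
```

Run it from the suspect machine and again from a clean one; a DIVERGENT verdict for a site that should resolve the same everywhere is the signal Reid produced by hand. The check only covers the DNS path, though: a redirect that fires only when a search result is clicked, in two different browsers, is just as consistent with a browser helper object, a layered service provider or a proxy setting, none of which change DNS answers, so a MATCH does not clear the host.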




Response Number 6
Name: rasper
Date: July 12, 2008 at 10:43:37 Pacific
Reply:

Updates:

1. I'm still getting occasional IE crashes as previously reported.

2. Setting my network properties to get DNS automatically from DHCP still won't "stick". It always reverts back to static configuration.

3. The cookies that were quarantined by SUPERAntiSpyware seem to be for several of the sites that I was being redirected to, to wit:
@ads.bleepingcomputer[1].txt
@advertising-light[1].txt
@atdmt[1].txt
@avgtechnologies.112.2o7[2].txt
@imrworldwide[2].txt
@overture[2].txt
@stopzilla[1].txt
@vip-track[1].txt
@www.findstuff[1].txt
@www.stopzilla[1].txt

I'm thinking that the underlying problem is still there but because the cookies are deleted it has nowhere to redirect to?


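Item 2 above, DNS that keeps reverting to a static configuration, is what the O17 lines in the HijackThis log record. HijackThis reports the NameServer registry value, which Windows populates only for a manually configured server (DHCP-supplied servers are stored separately, in DhcpNameServer), so the presence of those lines is itself the static-DNS finding. The addresses in this log, 208.67.222.222 and 208.67.220.220, are OpenDNS's public resolvers, so here the static setting points at a legitimate service rather than an attacker-controlled one. The script below is an added example, not code from the thread or from HijackThis: it extracts O17 NameServer lines, accepts both the comma-separated per-interface form and the space-separated global form seen in the log, and grades each server against an allowlist. The allowlist beyond the two OpenDNS entries, the fifth sample line and its GUID are constructed for the example.

```python
import ipaddress
import re

# Resolvers treated as known-good. The OpenDNS pair is taken from the log in this
# thread; replace or extend with the resolvers your own network hands out.
KNOWN_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

# RFC 1918, loopback and link-local: a resolver here is normally a router or a
# domain controller, which still deserves a look but is not a public unknown.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# A HijackThis O17 line: registry key, then "NameServer = " and the value.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<value>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 NameServer line.
    Per-interface values are comma-separated and the global Tcpip\\Parameters
    value is space-separated (both appear in the log), so split on either."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
            yield m.group("key"), servers


def has_static_dns(log_text):
    """True if any interface, or the global stack, carries a static NameServer value."""
    return any(True for _ in parse_o17(log_text))


def assess(log_text, allowlist=KNOWN_RESOLVERS):
    """Return (registry_key, server, verdict) for every server named in an O17 line."""
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((key, server, "not an IP address: inspect"))
                continue
            if server in allowlist:
                verdict = f"known ({allowlist[server]})"
            elif any(ip in net for net in LOCAL_NETS):
                verdict = "local address: confirm it is your router or DC"
            else:
                verdict = "UNKNOWN public resolver: investigate"
            findings.append((key, server, verdict))
    return findings


# The first four lines are copied from the HijackThis log in this thread. The fifth
# is constructed for the example: a made-up interface GUID pointing at a resolver
# in the 198.51.100.0/24 documentation range, to show what an unknown entry looks like.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E647EE-AFE5-4086-B41C-56DA652E7DEA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 198.51.100.53,208.67.222.222
"""

if __name__ == "__main__":
    print("static DNS configured:", has_static_dns(SAMPLE_LOG))
    for key, server, verdict in assess(SAMPLE_LOG):
        print(f"{verdict:48} {server:16} {key}")
```

Point it at a saved log with `assess(open("hijackthis.log").read())`. When every server grades as known, as in this thread, the remaining question is what keeps writing the value back after it is reset to DHCP; a watcher that pins OpenDNS is one candidate, and the exchange about EZDNSWatch further down this thread describes exactly such a tool being installed while the symptom was being chased.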

Response Number 7
Name: btk1w1
Date: July 12, 2008 at 20:10:51 Pacific
Reply:

Heya Reid,

Are you familiar with this program?

EZDNSWatch.exe

This looks suspicious and, although the program is legitimate, its executable doesn't return any results when I have tried to search for it.

If you are unaware of what this is upload it to Jotti for a scan.

Click here to go to Jotti Online Malware Scanner

Copy and paste the blue text into the box next to the browse button at the top of the page to scan the file.

C:\Program Files\Solid Oak Software\EZDNSWatch\EZDNSWatch.exe

If you have trouble getting to the Jotti webpage Click Here to go to Virustotal instead.



Response Number 8
Name: rasper
Date: July 12, 2008 at 20:26:38 Pacific
Reply:

Hi btk1w1,

Yes, I'm familiar with that tool. It was one of the things I tried to resolve the problem. It watches your DNS settings and lets you know when something messes with them. It also makes sure you're getting OpenDNS results. However, it didn't help with the problem and I have uninstalled it now.

Reid.



Response Number 9
Name: btk1w1
Date: July 12, 2008 at 20:57:14 Pacific
Reply:

Heya Reid,

Let's look deeper with ComboFix. You may want to note down your ipconfig settings before ComboFix runs; they may need to be manually reset afterwards.

Temporarily disable any real-time protection by following instructions provided in the link below:

Temporarily Disable Real Time Monitoring Programs

Download ComboFix to your desktop.

Note: It is important that it is saved directly to your desktop

Click here to download ComboFix by sUBs

Close any open browsers and windows except for ComboFix.

Right-click on ComboFix.exe and select "Run as administrator".

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouse-click ComboFix's window while it's running; it can cause the program to freeze/hang.

In some cases your antivirus or other real-time scanner will display an alert after you download ComboFix or while you use ComboFix. If so, please disable your scanners, delete the copy off the desktop and download ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them. There's nothing wrong with ComboFix; heuristic detection can report this false positive because of ComboFix's removal technique.



Response Number 10
Name: rasper
Date: July 12, 2008 at 21:30:52 Pacific
Reply:

I was not able to make a connection to wiki.castlecops.com for the scanner disable instructions. Seems that site is down. So, I used msconfig to disable all startup programs and services except Microsoft stuff and rebooted. I turned off Windows Defender and confirmed that SpyBot, SUPERAntiSpyware and Norton were not running.

Running ComboFix.exe produced the following:

ComboFix 08-07-12.1 - Reid 2008-07-12 21:12:38.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2572 [GMT -7:00]
Running from: C:\Users\Reid\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Reid\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-11 23:41 . 2008-07-11 23:41 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-07-11 23:41 . 2008-07-11 23:41 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-07-11 23:39 . 2008-07-11 23:39 <DIR> d-------- C:\Users\Reid\AppData\Roaming\SUPERAntiSpyware.com
2008-07-11 23:39 . 2008-07-11 23:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-11 23:39 . 2008-07-11 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 22:04 . 2008-07-11 22:04 <DIR> d-------- C:\Users\Reid\AppData\Roaming\Malwarebytes
2008-07-11 22:03 . 2008-07-11 22:03 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-11 22:03 . 2008-07-11 22:03 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-11 19:59 . 2008-07-12 16:33 <DIR> d-------- C:\Users\All Users\avg8
2008-07-11 19:59 . 2008-07-12 16:33 <DIR> d-------- C:\ProgramData\avg8
2008-07-11 19:59 . 2008-07-11 19:59 <DIR> d-------- C:\Program Files\AVG
2008-07-11 19:09 . 2008-07-11 19:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 15:50 . 2008-07-11 15:50 5,252 --a------ C:\Windows\System32\tmp.reg
2008-07-11 15:25 . 2008-07-11 15:25 <DIR> d-------- C:\Users\Reid\AppData\Roaming\TrojanHunter
2008-07-11 15:12 . 2008-07-11 15:12 <DIR> d-------- C:\Program Files\Solid Oak Software
2008-07-11 15:12 . 2008-01-17 03:00 68,232 --a------ C:\Windows\UnDeployV.exe
2008-07-11 14:38 . 2008-07-12 16:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-07-11 14:13 . 2008-07-11 14:13 <DIR> d-------- C:\fixwareout
2008-07-11 13:33 . 2008-07-11 13:34 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-11 13:33 . 2008-07-11 13:34 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-11 13:33 . 2008-07-11 13:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 13:51 . 2008-07-10 13:51 <DIR> d-------- C:\Users\Reid\Public
2008-07-10 13:50 . 2008-07-10 13:50 <DIR> d-------- C:\Users\Reid\New Folder
2008-07-04 00:48 . 1997-06-25 15:24 40,448 --a------ C:\Windows\System32\regobj.dll
2008-07-02 21:34 . 2008-07-02 21:55 <DIR> d-------- C:\bdws
2008-07-02 21:32 . 2008-07-02 21:32 <DIR> d-------- C:\Users\All Users\ConeXware
2008-07-02 21:32 . 2008-07-02 21:32 <DIR> d-------- C:\ProgramData\ConeXware
2008-07-02 21:31 . 2008-07-07 01:16 <DIR> d-------- C:\Program Files\PowerArchiver
2008-06-30 14:02 . 2008-06-30 14:02 223 --a------ C:\Windows\System32\Deleted258.cls
2008-06-25 21:10 . 2008-06-25 21:10 <DIR> d-------- C:\Program Files\OfficeOne
2008-06-24 02:04 . 2008-06-24 02:04 <DIR> d-------- C:\Users\All Users\thriXXX
2008-06-24 02:04 . 2008-06-24 02:04 <DIR> d-------- C:\ProgramData\thriXXX
2008-06-24 02:01 . 2008-06-24 02:01 <DIR> d-------- C:\Users\Reid\AppData\Roaming\thriXXX
2008-06-16 11:17 . 2008-06-16 11:17 <DIR> d-------- C:\Program Files\Rocket Division Software
2008-06-13 16:20 . 2008-07-02 19:44 <DIR> d-------- C:\Users\All Users\Roxio
2008-06-13 16:20 . 2008-07-02 19:44 <DIR> d-------- C:\ProgramData\Roxio
2008-06-13 16:19 . 2008-06-13 16:20 <DIR> d-------- C:\Users\Reid\AppData\Roaming\Roxio
2008-06-13 11:10 . 2008-06-13 11:10 <DIR> d-------- C:\Users\Reid\AppData\Roaming\KompoZer
2008-06-13 11:09 . 2008-06-13 11:10 <DIR> d-------- C:\Users\Reid\KompoZer 0.7.10

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 23:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-12 23:27 --------- d-----w C:\Program Files\Java
2008-07-12 23:24 --------- d-----w C:\Users\Reid\AppData\Roaming\Move Networks
2008-07-12 23:23 --------- d-----w C:\ProgramData\Viewpoint
2008-07-12 01:24 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-12 01:22 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-07-12 01:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 17:04 611,710 ----a-w C:\Users\Reid\AppData\Roaming\nvModes.dat
2008-07-11 15:24 --------- d-----w C:\ProgramData\Symantec
2008-07-09 06:14 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-09 06:01 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-07-09 06:00 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-09 06:00 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-09 05:57 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-08 23:56 --------- d-----w C:\ProgramData\pdf995
2008-07-01 23:40 --------- d-----w C:\Users\Reid\AppData\Roaming\VMware
2008-06-29 07:45 --------- d-----w C:\Users\Reid\AppData\Roaming\mIRC
2008-06-17 06:05 --------- d-----w C:\ProgramData\VMware
2008-06-16 16:25 --------- d-----w C:\Program Files\VMware
2008-06-14 15:56 --------- d-----w C:\Users\Reid\AppData\Roaming\Corel
2008-06-11 14:23 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 23:06 88 --sh--r C:\Users\All Users\7A74849BFB.sys
2008-06-09 23:06 88 --sh--r C:\ProgramData\7A74849BFB.sys
2008-06-09 23:06 2,828 --sha-w C:\Users\All Users\KGyGaAvL.sys
2008-06-09 23:06 2,828 --sha-w C:\ProgramData\KGyGaAvL.sys
2008-06-04 20:12 --------- d-----w C:\ProgramData\Office Genuine Advantage
2008-05-18 19:23 --------- d-----w C:\Users\Reid\AppData\Roaming\Doyenz,_Inc
2008-05-15 06:29 --------- d-----w C:\Program Files\Google
2008-05-14 20:18 --------- d-----w C:\Program Files\Citrix
2008-04-09 05:00 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 14:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 12:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2007-04-16 05:49 159744 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2007-12-08 15:34 3444736 C:\Windows\System32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-08-21 08:06 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-13 16:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2007-05-24 23:03 17920 C:\DELL\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToAssist Express Expert]
--a------ 2008-03-07 10:39 45368 C:\Users\Reid\AppData\Local\Citrix\GoToAssist Express Expert\61\g2ax_start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-02-12 12:37 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 15:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-08 05:24 8429568 C:\Windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2007-05-08 05:24 67584 C:\Windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-08 05:24 81920 C:\Windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-05-08 05:24 86016 C:\Windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 16:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
--a------ 2007-09-14 09:53 218424 C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-18 23:33 1233920 C:\Program Files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 17:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2008-07-09 18:54 1056928 C:\Program Files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
--a------ 2007-09-10 08:54 85504 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 10:21 648072 C:\Windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-18 23:33 202240 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A75D7AAB-9E26-4AF9-A435-A85238CDBA8F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8AA38BAC-AA28-4383-9037-C5F8D2A8B883}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{033CD453-F830-47C1-9576-CFA252ED9384}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B58078DD-D90A-4D4C-B30F-20405DD764D6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7DDF8FDB-E840-4C8E-9314-5FAA8C4B40DD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{658F82C9-8C0A-4CED-A232-7A63F655F58E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5C9BA917-259E-4DBC-A00B-B26886ACA236}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1A092AD8-D919-42E0-A944-785333612114}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BB516C8D-6508-4726-904D-DA8362A7A2CF}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5213C9A4-FF7C-4B77-BA28-CB2FF71C8FD9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{E50A7D35-F662-4C6D-B5A0-204F22F64A3B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1EC027A4-C31D-4B79-87FB-3444BBDF9CF3}"= UDP:C:\Program Files\Google\Google Talk\googletalk.exe:Google Talk
"{D6034E05-1C00-4184-B201-3E219742EF4B}"= TCP:C:\Program Files\Google\Google Talk\googletalk.exe:Google Talk
"{7185A8F2-F6F7-4BD4-B3D4-44A3CE090A9A}"= Disabled:UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{70780B05-3AFF-4F8E-95F4-D4DA89C7ADCC}"= Disabled:TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CB19E0EB-DB0A-460E-AB2D-6045A194CC05}"= Disabled:UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{2DFF7FE8-072D-4FBC-A1DB-69BFEF0CBD98}"= Disabled:TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3C228725-0399-4102-95C6-51759BC1BA11}"= UDP:C:\Program Files\TrojanHunter 5.0\Tools\LiveUpdate\LiveUpdate.exe:LiveUpdate
"{283F99BC-0158-45D6-A9FB-AC74890305A2}"= TCP:C:\Program Files\TrojanHunter 5.0\Tools\LiveUpdate\LiveUpdate.exe:LiveUpdate
"{A5231EC9-71E6-49EF-8FF3-F5CB80089499}"= UDP:C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Professional
"{F6B8B521-D7CB-42DB-A762-59BBDC116920}"= TCP:C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Professional
"{E910C652-A795-4CBB-ABBA-F1BAB5E35637}"= UDP:C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe:TrojanHunter Scanner
"{B68AEB6E-2884-4ED5-B41E-72DD24DE1834}"= TCP:C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe:TrojanHunter Scanner

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)
"DoNotAllowExceptions"= 1 (0x1)

R0 PBADRV;PBADRV;C:\Windows\system32\DRIVERS\PBADRV.sys [2007-09-07 08:57]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080711.001\IDSvix86.sys [2008-02-14 03:51]
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys [2007-11-01 16:18]
R2 Wave UCSPlus;Wave UCSPlus;C:\Windows\system32\dllhost.exe [2006-11-02 02:45]
R2 WavxDMgr;WavxDMgr;C:\Windows\system32\DRIVERS\WavxDMgr.sys [2007-09-10 08:54]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-18 20:25]
R3 BthAudioHF;BthAudioHF Service;C:\Windows\system32\DRIVERS\BthAudioHF.sys [2008-03-31 21:15]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 13:39]
S2 DoyenzAgent;Doyenz Agent;C:\Users\Reid\Documents\Visual Studio 2008\Projects\Doyenz\trunk\DoyenzAgent\bin\Debug\DoyenzAgent.exe []
S2 HFGService;Handsfree Headset Service;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
S3 BTHFILT;Bluetooth Command Filter;C:\Windows\system32\DRIVERS\BthFilt.sys [2007-05-05 10:51]
S3 WMSvc;Web Management Service;C:\Windows\system32\inetsrv\wmsvc.exe [2008-01-18 23:33]
S4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 13:21]
S4 BthFilterHelper;Bluetooth Feature Support;C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 17:26]
S4 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 16:39]
S4 ufad-p2v;VMware Converter Service;C:\Program Files\VMware\VMware Converter\vmware-ufad.exe [2007-11-01 16:20]
S4 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 13:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthaudiosvc REG_MULTI_SZ HFGService
rsmsvcs REG_MULTI_SZ ntmssvc
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c153e20c-e4e8-11dc-8bd7-001e37b030d6}]
\shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 06:53:15 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.exe
"2008-07-08 04:07:05 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Reid.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:
"2008-07-11 15:50:27 C:\Windows\Tasks\User_Feed_Synchronization-{1B968693-47A8-4DB4-A451-3CCAD48E122E}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-EZNETDNS - C:\Program Files\Solid Oak Software\EZDNSWatch\EZDNSWatch.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-googletalk - C:\Program Files\Google\Google Talk\googletalk.exe


**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\TortoiseSVN\iconv\utf-8.so
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wlanext.exe
C:\Windows\System32\CISVC.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\cmd.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\CIDAEMON.exe
.
**************************************************************************
.
Completion time: 2008-07-12 21:24:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-13 04:24:47

Pre-Run: 97,383,366,656 bytes free
Post-Run: 97,168,564,224 bytes free

323 --- E O F --- 2008-07-08 00:58:36



Response Number 11
Name: rasper
Date: July 12, 2008 at 21:47:15 Pacific
Reply:

Some update on previous findings:

1. I was able to update SUPERAntiSpyware's definitions list. I don't know why I couldn't before but it let the update proceed earlier today. I ran it again with the new definitions but it didn't find anything.

2. I purchased TrojanHunter and updated its definition list and ran it again. It only found cookies again.

3. Since turning off all my non-Microsoft services and startup programs (to accommodate ComboFix), the IEUser.exe APPCRASH I reported earlier is not happening. In fact, right now I don't have any symptoms. The browser is not redirecting from Google search result links and IEUser.exe is not crashing. Of course, I'm also running without any AV protection and several system services are disabled.

4. My DNS settings still won't stick to the "Obtain DNS server address automatically". I can select that radio button, apply the changes and go right back into the IP Properties panel and the malware has changed it back to static DNS. The addresses it uses are 85.255.115.101 and 85.255.112.68. I searched for these addresses and found this page: http://gabrielharrison.co.uk/consul... which documents the problem but offers no solutions.

The problem is similarly documented with a solution here: http://www.bleepingcomputer.com/for...

Unfortunately the "fixwareout.exe" program doesn't run on Vista so I still have no solution.


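
The DNS symptom rasper describes in item 4 is a static NameServer value that keeps coming back. Windows keeps the configured resolvers under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, both as a machine-wide NameServer value and as one per interface GUID; the Windows Defender alert further down the thread names that same key. The script below is an added example, not code posted in the thread: it lists every static NameServer entry, flags any address outside an allow-list, clears the flagged entries, and hands the adapters back to DHCP. The allow-list contents are my assumption; the two OpenDNS addresses are used only because the Defender log on this page shows them as the original values. It assumes an elevated prompt and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): audit static DNS servers and reset to DHCP.
# Assumptions: the allow-list is what YOU consider legitimate; run elevated; PS 2.0+.
$Allowed = @('208.67.222.222', '208.67.220.220')   # assumed; OpenDNS per the Defender log

# Machine-wide NameServer plus one copy per interface GUID live under this key.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-StaticDnsEntries {
    $entries = @()
    $machine = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    if ($machine -and $machine.NameServer) {
        $entries += New-Object PSObject -Property @{ Key = $TcpipParams; NameServer = $machine.NameServer }
    }
    foreach ($iface in Get-ChildItem -Path "$TcpipParams\Interfaces") {
        $p = Get-ItemProperty -Path $iface.PSPath
        if ($p.NameServer) {
            $entries += New-Object PSObject -Property @{ Key = $iface.PSPath; NameServer = $p.NameServer }
        }
    }
    return $entries
}

function Test-DnsAllowed {
    param([string]$NameServer)
    # The value is a comma- or space-separated list; one unknown address taints the entry.
    $servers = $NameServer -split '[ ,]+' | Where-Object { $_ }
    $bad = @($servers | Where-Object { $Allowed -notcontains $_ })
    return ($bad.Count -eq 0)
}

$suspect = @(Get-StaticDnsEntries | Where-Object { -not (Test-DnsAllowed $_.NameServer) })

if ($suspect.Count -eq 0) {
    Write-Host 'No static DNS servers outside the allow-list.'
    return
}

Write-Host 'Static DNS entries outside the allow-list:'
$suspect | Format-Table Key, NameServer -AutoSize

# Remediation: blank the static values, then tell each IP-enabled adapter to take
# DNS from DHCP again. SetDNSServerSearchOrder() with no argument means "use DHCP".
foreach ($e in $suspect) {
    Set-ItemProperty -Path $e.Key -Name NameServer -Value ''
}
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object { [void]$_.SetDNSServerSearchOrder() }
ipconfig /flushdns | Out-Null

# Re-check: if the entries come straight back, whatever rewrote them is still running.
Write-Host 'After reset:'
Get-StaticDnsEntries | Format-Table Key, NameServer -AutoSize
```

Run it once, wait a few minutes, and run it again. The first pass tells you which adapter keys were rewritten; the second tells you whether the process doing the rewriting is still alive, which is the distinction between a setting you can fix and an infection you still have to find.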

Response Number 12
Name: rasper
Date: July 13, 2008 at 02:05:30 Pacific
Reply:

Still more updates:

This malware is quite pernicious. It is back in full force, redirecting me all over the place. I decided to hit it with every tool I had and came up with a few things.

1. I have restarted my Vista machine with several of the services that I need re-enabled, including all four malware scanners. If it's of interest, I'll post HJT results again. Just ask.

2. Windows Defender can actually catch the malware attempting the registry change. It produces this log:

Summary:
System Configuration change occurred.

This agent monitors security related configuration changes made to Windows.

Detected changes:
New: 85.255.116.61 85.255.112.103
Original: 208.67.222.222 208.67.220.220

nsp (Changed):
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer

Advice:
Permit this configuration change only if you trust its origin. It is recommended that you run a quick scan if you choose to deny this change.

Checkpoint:
Name Server Protection

Category:
Configuration Change

I of course denied it the right to change my DNS addresses. This happened *immediately* after I started IE (after I removed the plug-ins!)

3. SpyBot S&D caught the malware changing my IE search settings. SpyBot S&D prompted me about 20 times for changes to the "Start Page" and "Search Page" registry keys. I got fed up with that so I checked the "Always do this" box to make SpyBot S&D always deny the change. That just caused my screen to fill up with the deny confirmation windows that SS&D produces. I eventually turned off the "Resident" tool in SS&D which stopped producing the window but of course let the malware set those registry entries. That's when the problem came back in IE. I captured four log entries that SS&D provided both before and after I selected the "Always do this" checkbox. Here they are:

7/13/2008 00:19:56 Denied (based on user decision) value "Start Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home") changed in Browser page!
7/13/2008 00:20:00 Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
7/13/2008 00:20:00 Denied (based on user blacklist) value "Start Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home") changed in Browser page!
7/13/2008 00:20:01 Denied (based on user blacklist) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!

Unfortunately, a SpyBot S&D Scan was not able to detect the malware.

4. I've been starting to suspect that this is a Browser Add-On so I disabled all of them. Sure enough, the problem goes away. I am going to try adding them back one by one until I find the one that's causing the problem. This requires that I constantly restart IE, so I'll post those results in the next follow-up.

Is this sounding familiar to anyone yet?


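
Items 3 and 4 above come down to two questions: which add-ons does IE load, and what are its Start Page and Search Page set to right now. The script below is an added example, not code from the thread. It enumerates the Browser Helper Objects registered for IE, resolves each CLSID to the DLL that implements it, reports whether that DLL exists on disk and whether it carries a valid Authenticode signature, and prints the current Start Page and Search Page values that Spybot was seeing rewritten. It is read-only. Assumptions on my part: 32-bit IE on 32-bit Vista, so only the non-WOW6432Node keys are read, and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): inventory IE Browser Helper Objects and the
# Start Page / Search Page values. Read-only. Assumes 32-bit IE (no WOW6432Node), PS 2.0+.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BrowserHelperObjects {
    Get-ChildItem -Path $BhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        # HKCR is the merged view of HKLM and HKCU class registrations, so resolve there.
        $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        # Signature status is a triage hint, not a verdict: many 2008-era add-ons were unsigned.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        New-Object PSObject -Property @{
            CLSID = $clsid; Name = $name; Dll = $dll; Exists = $exists; Signature = $sig
        }
    }
}

function Get-IeStartAndSearchPages {
    # The per-user key wins in IE; the machine key is the fallback. Report both.
    foreach ($k in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) {
            New-Object PSObject -Property @{
                Key = $k; StartPage = $p.'Start Page'; SearchPage = $p.'Search Page'
            }
        }
    }
}

Write-Host '== Browser Helper Objects =='
Get-BrowserHelperObjects | Sort-Object Signature |
    Format-Table CLSID, Name, Dll, Exists, Signature -AutoSize

Write-Host '== IE Start Page / Search Page =='
Get-IeStartAndSearchPages | Format-Table Key, StartPage, SearchPage -AutoSize
```

The table gives the bisection an order: re-enable the add-ons whose DLL exists and is validly signed first, and leave any entry whose DLL is unsigned, missing, or sitting somewhere other than Program Files for last. Run the second function before and after starting IE; a Start Page or Search Page that changes between the two runs with no add-on enabled tells you the rewriting is not coming from a BHO at all.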

Response Number 13
Name: btk1w1
Date: July 14, 2008 at 22:40:47 Pacific
Reply:

Heya Reid,

How have you been travelling with the DNS problem?

To be honest I'm stumped.

Have you got any other pc networked to the router?

I was just wondering because I came across the article below and thought it might be of interest.

http://www.trustedsource.org/blog/4...

Also I was wondering if you have tried an online scan yet.



Response Number 14
Name: rasper
Date: July 15, 2008 at 01:06:12 Pacific
Reply:

Hi btklwl,

Although I could contain the problem, it was a major pain in the a** with all the Windows Defender prompts on registry changes and SpyBot S&D intervening too. My solution: re-install. I spent the last 17 hours rebuilding Vista from scratch. My advice to anyone doing this is to install the original Vista media (pre SP1) and then immediately download and install SP1. Do *not* use Windows Update to get the pre-SP1 updates. That will cause a BSOD if you have > 2GB of RAM. Go figure. After SP1 installs, you can use Windows Update to bring it further up to date. Only took me 10 hours to figure that one out.

Anyway, I have my computer back now and all's well.

I don't think my router has anything to do with it. I locked it down when I first got it (very secure password) and there's only one under-utilized XP machine otherwise attached to it.

THANKS for your help!



Response Number 15
Name: Growly
Date: September 8, 2008 at 16:16:13 Pacific
Reply:

My Windows XP Pro computer has just become infected with this bug when I was messing around with DivX codecs etc. too. It blocked my access to the internet, but fortunately I have a laptop as well now. SUPERAntiSpyware was able to identify and remove some files. I have to reboot to see if this has worked or not. I didn't realise initially that it was a virus and tried using System Restore to undo what I assumed was a software codec conflict issue, but discovered that I was unable to get Sys Restore to go back to the selected date when I clicked Next. Just thought I would share that with you all.
Cheers,
Rex.

