Help!

Search engine HiJack, I tried everything suggested on oth... - help 2

 
milabix



Joined: Jul 06, 2008
Posts: 5



PostPosted: Tue Jul 08, 2008 10:43 pm    Post subject: Search engine HiJack, I tried everything suggested on oth...

Hi, I have a problem where most search results in Google or MSN link to odd sites, or other search engines. If I cut and paste the link it works fine, and if I go back to the original search results and re-click the link, the link will then take me where I need to go. I noticed that the link is being redirected through IP address 67.29.139.253 (this IP address also appears in my history, listing all the pages I am being redirected to).

I have read other posts here and on other forums with similar problems and tried the solutions offered there, but without luck (I've been trying to get rid of this bug for 2 weeks now).

Here is my HijackThis log. Please note that I purposely run the KGB - Refrog Keylogger to monitor my children's activities.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:45 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\C0130Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [\\MICHAEL\EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P33 "\\MICHAEL\EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [C0130Mon.exe] C:\WINDOWS\C0130Mon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://www.megatec.com.tw:82/jpgview.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31321218-A616-4E75-993B-676602577EF8}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: qdcvataj - {90e30ca4-aaa4-49d2-99c8-8c71e0066b49} - C:\Documents and Settings\All Users\Application Data\qdcvataj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 13308 bytes
Baby_Tux



Joined: Mar 06, 2007
Posts: 1244



PostPosted: Wed Jul 09, 2008 2:05 am    Post subject: Re: Search engine HiJack, I tried everything suggested on ot

Quote:
Hi, I have a problem where most search results in Google or MSN link to odd sites, or other search engines. If I cut and paste the link it works fine, and if I go back to the original search results and re-click the link, the link will then take me where I need to go. I noticed that the link is being redirected through IP address 67.29.139.253 (this IP address also appears in my history, listing all the pages I am being redirected to).

I have read other posts here and on other forums with similar problems and tried the solutions offered there, but without luck (I've been trying to get rid of this bug for 2 weeks now).

Here is my HijackThis log. Please note that I purposely run the KGB - Refrog Keylogger to monitor my children's activities.


First off, posting HIJACKS here really does little good, as to MOST of us it is Greek anyway. Here is the right area:
LINK TO WHERE TO PUT HIJACK STUFF


As for your problem: Are you putting in search words or an HTTP:// whatever? - If the latter, you WILL get links.

I tried the IP address & it went nowhere so not sure on that either.
How do you have Google set up? It should have a very generic look to it. If it DOESN'T, there is a word link in the upper right corner to set it back. (classic home)

Please give more info as to what things look like as to the engines.
milabix



Joined: Jul 06, 2008
Posts: 5



PostPosted: Wed Jul 09, 2008 10:05 am    Post subject: Re: Search engine HiJack, I tried everything suggested on ot

I apologize,

I did not notice the subject specific thread.

The symptoms I am experiencing are very similar to the ones described by "DomBray" in the post titled "Google Links Hijack..." (http://help.lockergnome.com/general/Google-Links-Hijack-ftopict55231.html). As a matter of fact, I tried some of the techniques suggested there with no success, hence my post.

Basically, when I use IE to search (whether I use Google or MSN, or whether I do it from the address bar, search bar or from within the google.com or msn.com web-page search field itself makes no difference) and click on the links provided in the search results page, instead of ending up on the requested page (the search result) my browser will "jump" or will be "redirected" through the IP I mentioned to a different webpage such as "Ask.com" or "bediddle.com". It seems like the IP address is only used to redirect traffic to another random site.

If I click the back button to return to the search results, the browser goes back to the hijacking IP address, where I am again redirected to the wrong page, so I have to click the back button twice in order to return to the original search results.

In my History folder the IP address is listed as one of the domains I visited, and when I expand the folder to see the details of the visited pages I get 2 sets of pages: the first named "jump", the second named "redirect". When I click on jump I end up on an error page on the site (http://67.29.139.253/404.html)... the error message says:

Not Found
The requested URL was not found on this server.
--------------------------------------------------------------------------------
Apache Server at 67.29.139.220 Port 80


Note that the IP address listed on the address bar does not match the IP address of the Apache Server (don't know if this is important, but it seems weird to me).

When I click on the "Redirect" pages I am taken back to the web page I was redirected to from my search results page.


I feel like such an idiot, I try to take many precautions to prevent this from happening (short of switching to Firefox full time, something I can't do because some pages I visit regularly don't support it).

In any case, any help is certainly well appreciated, this thing is driving me nuts!

Thanks,

Michael
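The redirect pattern described in this post (a click on a search result first lands on a bare IP address, whose "jump" and "redirect" pages then hand the browser to an unrelated site) can be spotted in a browser history export. The script below is an added example written for this thread, not code from the original posters or from any tool mentioned here; the history entries are constructed, the redirector uses an RFC 5737 documentation address rather than the IP from the thread, and the set of search hosts is my own assumption.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hosts whose pages are search result listings. A click from one of these
# should land directly on the result's own domain, never on a bare IP first.
SEARCH_HOSTS = {"www.google.com", "search.msn.com", "search.live.com"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample history in the order the browser recorded it: (url, referrer).
# 192.0.2.10 is a documentation-range address standing in for the redirector.
HISTORY: List[Tuple[str, str]] = [
    ("http://www.google.com/search?q=toshiba+drivers", ""),
    ("http://192.0.2.10/jump?u=http%3A%2F%2Fwww.toshiba.com%2F",
     "http://www.google.com/search?q=toshiba+drivers"),
    ("http://192.0.2.10/redirect?to=ask",
     "http://192.0.2.10/jump?u=http%3A%2F%2Fwww.toshiba.com%2F"),
    ("http://www.ask.com/web?q=toshiba+drivers", "http://192.0.2.10/redirect?to=ask"),
    ("http://www.google.com/search?q=epson+c66", ""),
    ("http://www.epson.com/c66", "http://www.google.com/search?q=epson+c66"),
]


def host_of(url: str) -> str:
    """Hostname of a URL, or '' for an empty referrer."""
    return urlparse(url).hostname or ""


def find_redirect_pivots(history: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each bare-IP host reached directly from a search results page to the
    non-search, non-IP domains the browser was subsequently sent on to from it."""
    pivots: Dict[str, List[str]] = {}
    # Pass 1: a search-results referrer followed by a bare-IP destination.
    for url, referrer in history:
        h, r = host_of(url), host_of(referrer)
        if r in SEARCH_HOSTS and IPV4_HOST.match(h):
            pivots.setdefault(h, [])
    # Pass 2: pages whose referrer is one of those IPs are the landing sites.
    for url, referrer in history:
        h, r = host_of(url), host_of(referrer)
        if r in pivots and not IPV4_HOST.match(h) and h not in SEARCH_HOSTS:
            if h not in pivots[r]:
                pivots[r].append(h)
    return pivots


if __name__ == "__main__":
    for ip, landings in find_redirect_pivots(HISTORY).items():
        print(f"redirect pivot {ip} -> {', '.join(landings)}")
```

A clean machine yields an empty result: every search click's referrer is the search page and its destination is the result's own domain, as with the Epson entry above. On the affected machine, the IP that keeps appearing between the search page and the landing site is the one to search the HijackThis log and the ComboFix report for.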
Baby_Tux



Joined: Mar 06, 2007
Posts: 1244



PostPosted: Wed Jul 09, 2008 5:08 pm    Post subject:

I see this got moved but I will reply anyway...

I have never seen this before, so not sure WHAT to make of it. Hope the HIJACK people can find it for you. - For me it is becoming one of those "I have to see it to fix it" things, as I am having a hard time picturing what you are trying so desperately to convey.
And I bet you are having as much "fun" trying to convey it. - See what the HIJACK people say... But I still suspect a Trojan / virus / malware or some such.

As for using Firefox, there is an add-on that will render pages as IE. I had pretty good luck with it on pages that were the IE-only junk. It takes some setting up or flipping the rendering but is easily done.

Want to try it & need help PM me.
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Thu Jul 10, 2008 5:12 am    Post subject: Re: Search engine HiJack, I tried everything suggested on ot

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://www.megatec.com.tw:82/jpgview.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O21 - SSODL: qdcvataj - {90e30ca4-aaa4-49d2-99c8-8c71e0066b49} - C:\Documents and Settings\All Users\Application Data\qdcvataj.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Documents and Settings\All Users\Application Data\qdcvataj.dll

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

I want you to upload this file (C:\WINDOWS\C0130Mon.exe) to http://virusscan.jotti.org and report back what it found.
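The fix list above singles out four HijackThis sections, and the log in the first post shows why each one stands out: an O21 SSODL entry loading a DLL from All Users\Application Data, an O18 protocol handler with no file behind it, an O16 ActiveX download from a non-standard port, and an empty R0 page setting. As an added example (not greyknight17's instructions and not code from HijackThis), here is a small Python triage script that reads HijackThis v2 log lines in the format posted in this thread and flags those entry types, plus extra programs chained onto UserInit (F2) and AppInit_DLLs (O20), and pulls out the O17 DNS servers for comparison with the ISP's. The sample log is a constructed excerpt of the log above; the severity labels and heuristics are my own assumptions, not anything HijackThis produces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in HijackThis v2.0.2 format, taken from the entry types
# that appear in the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://www.megatec.com.tw:82/jpgview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31321218-A616-4E75-993B-676602577EF8}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: qdcvataj - {90e30ca4-aaa4-49d2-99c8-8c71e0066b49} - C:\Documents and Settings\All Users\Application Data\qdcvataj.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O21"
    severity: str  # "high" or "review" (my own labels)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing worth flagging."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O21":
        # ShellServiceObjectDelayLoad: Explorer loads the DLL at logon. Legitimate
        # software rarely uses it, and a DLL under Application Data is a red flag.
        sev = "high" if "Application Data" in body else "review"
        return Finding(sec, sev, "SSODL entry loads a DLL into Explorer at logon", line)
    if sec == "O18" and body.endswith("(no file)"):
        return Finding(sec, "review", "protocol handler whose DLL is missing; orphaned entry", line)
    if sec == "O16":
        port = re.search(r"https?://[^/\s:]+:(\d+)", body)
        if port and port.group(1) not in ("80", "443"):
            return Finding(sec, "review", f"ActiveX download served from port {port.group(1)}", line)
    if sec == "F2" and "UserInit=" in body:
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in progs if p and not p.lower().endswith("userinit.exe")]
        if extra:
            return Finding(sec, "review", "extra program(s) chained into UserInit: " + "; ".join(extra), line)
    if sec == "O20" and "AppInit_DLLs" in body:
        return Finding(sec, "review", "AppInit_DLLs is loaded into every process using user32.dll; confirm the vendor", line)
    if sec == "R0" and body.rstrip().endswith("="):
        return Finding(sec, "review", "empty IE page setting; fixing it restores the default", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def dns_servers(log_text: str) -> List[str]:
    """O17 NameServer values, to compare against the ISP's published resolvers."""
    for line in log_text.splitlines():
        m = re.search(r"NameServer = ([\d.,]+)", line)
        if m:
            return m.group(1).split(",")
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("DNS servers:", dns_servers(SAMPLE_LOG))
```

The script only sorts entries for a human to look at; the F2 hit, for instance, is the keylogger the poster says he installed on purpose, which is exactly why the output is labelled "review" rather than "fix". The point of the O21 rule is the one that matters for this thread: an SSODL DLL with a random-looking name under All Users\Application Data is the entry the fix list has greyknight17 removing.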
milabix



Joined: Jul 06, 2008
Posts: 5



PostPosted: Thu Jul 10, 2008 11:01 am    Post subject: Re: Search engine HiJack, I tried everything suggested on ot

Thanks!
I've followed the instructions and all seems to be back to normal.

As per your instructions I uploaded the file (C:\WINDOWS\C0130Mon.exe) to Jotti.org with the following results:

File: C0130Mon.exe
Status: OK
MD5: 1506d4dda47fcb4faaa23af7337ca9e7

Once again, thank you so much!

Michael
milabix



Joined: Jul 06, 2008
Posts: 5



PostPosted: Thu Jul 10, 2008 11:33 pm    Post subject: Re: Search engine HiJack, I tried everything suggested on ot

And here is the ComboFix log (I forgot to post it this morning).

ComboFix 08-07-05.1 - Michael 2008-07-10 19:35:37.4 - NTFSx86
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-09 03:20 . 2008-07-09 03:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Windows Desktop Search
2008-07-08 10:06 . 2008-07-08 10:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-07-08 10:06 . 2008-07-08 10:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-07-08 09:54 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motport.sys
2008-07-08 09:54 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-07-08 09:54 . 2007-11-02 14:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-07-08 09:54 . 2007-01-22 18:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-07-08 09:54 . 2007-11-02 14:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-07-08 09:34 . 2008-07-08 09:34 <DIR> d-------- C:\Program Files\Avanquest update
2008-07-07 06:38 . 2008-07-07 06:40 <DIR> d--hs---- C:\WINDOWS\system32\MPK
2008-07-07 06:38 . 2008-07-10 06:13 <DIR> d--hs---- C:\Documents and Settings\All Users\Application Data\MPK
2008-07-07 06:38 . 2008-07-07 06:38 595 --a------ C:\WINDOWS\system32\runrefog.lnk
2008-07-07 06:38 . 2008-07-07 06:38 595 --a------ C:\WINDOWS\system32\runkgb.lnk
2008-07-06 21:21 . 2008-07-06 21:21 <DIR> d-------- C:\Program Files\CleanUp!
2008-07-06 20:48 . 2008-07-06 20:48 <DIR> d-------- C:\agnis
2008-07-06 20:39 . 2008-07-06 20:39 <DIR> d-------- C:\ie-spyad_zo
2008-07-06 20:28 . 2008-07-06 22:09 <DIR> d-------- C:\Program Files\SpywareGuard
2008-07-06 20:14 . 2008-07-06 20:14 <DIR> d-------- C:\Program Files\WOT
2008-07-06 17:16 . 2008-07-06 17:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 17:16 . 2008-07-06 17:16 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Malwarebytes
2008-07-06 17:16 . 2008-07-06 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 17:16 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-06 17:16 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-06 09:18 . 2008-07-06 21:37 <DIR> d-------- C:\fixwareout
2008-07-05 20:12 . 2008-07-05 20:12 <DIR> d-------- C:\Program Files\DVD Flick
2008-07-05 20:12 . 2008-07-05 23:49 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DVD Flick
2008-07-05 20:12 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\system32\mbmouse.ocx
2008-07-05 20:12 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\system32\trayicon_handler.ocx
2008-07-05 19:45 . 2005-03-11 18:37 1,986,560 --a------ C:\WINDOWS\system32\AudFile.dll
2008-07-05 19:45 . 2005-02-24 13:11 1,212,416 --a------ C:\WINDOWS\system32\AudioInfos.dll
2008-07-05 19:45 . 2005-02-24 12:51 348,160 --a------ C:\WINDOWS\system32\WMAFile.dll
2008-07-05 19:45 . 1998-07-12 22:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-07-05 19:45 . 2000-10-01 18:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-07-05 19:45 . 2005-01-10 13:54 116,296 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-07-05 19:45 . 2003-01-26 12:41 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2008-07-05 19:45 . 1998-07-12 18:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-07-05 19:45 . 1998-07-12 22:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2008-07-05 19:35 . 2008-07-05 19:37 <DIR> d-------- C:\Program Files\Astonsoft
2008-07-05 19:35 . 2008-07-05 19:36 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DeepBurner
2008-07-05 09:12 . 2008-07-05 09:12 206,168 -ra------ C:\WINDOWS\system32\cpnprt2.cid
2008-07-05 09:11 . 2008-07-05 09:11 <DIR> d-------- C:\WINDOWS\Cache
2008-07-05 09:11 . 2008-07-05 09:11 <DIR> d-------- C:\Program Files\Coupons
2008-07-04 11:50 . 2008-07-04 11:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 11:50 . 2008-07-04 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-04 11:21 . 1998-06-24 13:00 244,024 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX
2008-07-04 11:21 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\richtx32.ocx
2008-07-04 11:15 . 2008-07-04 11:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 07:08 . 2008-07-04 07:08 <DIR> d-------- C:\Program Files\InterMute
2008-06-25 21:49 . 2008-06-26 05:21 <DIR> d-------- C:\WINDOWS\system32\5748
2008-06-25 21:04 . 2008-06-25 21:04 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-06-25 21:03 . 2008-06-25 21:03 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-25 20:51 . 2008-07-08 09:56 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-06-25 20:51 . 2008-06-25 20:51 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-25 20:51 . 2008-07-07 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-06-25 20:50 . 2008-06-25 20:50 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\InstallShield
2008-06-25 20:49 . 2008-07-06 21:22 <DIR> d-------- C:\Temp
2008-06-25 20:49 . 2008-06-25 20:49 122,880 --a------ C:\Documents and Settings\All Users\Application Data\qdcvataj.dll
2008-06-22 08:55 . 2008-06-22 08:55 <DIR> d-------- C:\Program Files\ValuSoft
2008-06-21 10:52 . 2008-06-21 10:52 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-06-20 13:41 . 2008-06-20 13:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-17 22:26 . 2008-06-17 22:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-17 22:26 . 2008-06-17 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-17 22:16 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-06-17 22:16 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-06-17 22:15 . 2008-06-17 22:15 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-17 22:15 . 2008-06-17 22:15 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 23:40 --------- d-----w C:\Documents and Settings\Michael\Application Data\Skype
2008-07-09 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-08 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-08 09:56 256 ----a-w C:\Documents and Settings\Michael\pool.bin
2008-07-06 03:18 --------- d-----w C:\Documents and Settings\Michael\Application Data\Azureus
2008-07-05 23:29 --------- d-----w C:\Documents and Settings\Michael\Application Data\Roxio
2008-07-04 22:32 --------- d-----w C:\Program Files\Azureus
2008-07-04 15:32 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-04 13:18 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 13:18 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-21 14:51 --------- d-----w C:\Program Files\The Learning Company
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 02:26 --------- d-----w C:\Program Files\Nokia
2008-06-18 02:25 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-18 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 20:15 --------- d-----w C:\Program Files\GetData
2008-06-09 10:51 --------- d-----w C:\Program Files\BinaryBiz
2008-06-05 23:11 --------- d-----w C:\Documents and Settings\Michael\Application Data\WebcamZoneTrigger
2008-06-05 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-06-05 10:19 --------- d-----w C:\Program Files\Orb Networks
2008-06-02 02:41 --------- d-----w C:\Program Files\InterVideo
2008-05-30 10:19 356 ----a-w C:\drmHeader.bin
2008-05-27 23:20 --------- d-----w C:\Program Files\Quicken
2008-05-17 12:35 --------- d-----w C:\Program Files\eMule
2008-05-17 11:30 --------- d-----w C:\Documents and Settings\Michael\Application Data\eMule
2008-05-11 11:47 --------- d-----w C:\Program Files\AVG
2008-05-11 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-12 10:34 27,331,400 ----a-w C:\Documents and Settings\Michael\Yugma_JVM.exe
2007-12-21 18:12 1,719,336 ----a-w C:\Documents and Settings\All Users\Application Data\YugmaSE-Uninstaller.exe
2003-11-03 04:52 301,321 ----a-w C:\Documents and Settings\All Users\Office 2003 Editions 60 Day Trial.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2008-05-13 21:29 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 08:33 122941]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 00:05 344064]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45 65536]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 19:25 73728]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-06-30 13:05 671744]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-06-08 18:51 53248]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37 151552]
"\\MICHAEL\EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE" [2004-01-13 04:00 99840]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-16 22:51 98304]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-16 22:51 26112]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"C0130Mon.exe"="C:\WINDOWS\C0130Mon.exe" [2007-10-09 02:01 32768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 09:19 1232152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-05-02 08:24:42 1283608]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2003-09-15 16:53:06 503869]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-16 20:09:37 155648]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GEOX"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GEOV"= C:\WINDOWS\system32\v8120\GeoCodec.dll
"vidc.GMP4"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.GM40"= C:\WINDOWS\system32\v8120\GXAMP4.dll
"vidc.G264"= C:\WINDOWS\system32\v8120\GX264.dll
"msacm.geoadpcm"= C:\WINDOWS\system32\v8100\GeoADPCM.acm
"vidc.GM4H"= C:\WINDOWS\system32\v8120\GXAMP4D.dll
"vidc.GM4S"= C:\WINDOWS\system32\v8120\GXAMP4D.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Creative\\Creative Live! Cam\\Live! Cam Center\\LiveCam.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"C:\\WINDOWS\\system32\\MPK\\Mpk.exe"=
"C:\\WINDOWS\\system32\\MPK\\MpkView.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4672:UDP"= 4672:UDP:E-Mule:UDP Incoming
"4662:TCP"= 4662:TCP:127.0.0.1

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:18]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:18]
S2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2006-12-03 22:09]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 14:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 18:33]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 14:18]
S3 VC0130Afx;VC130 Audio FX;C:\WINDOWS\system32\Drivers\C0130Afx.sys [2007-06-11 02:01]
S3 VC0130Aud;VC0130 Audio;C:\WINDOWS\system32\Drivers\C0130Aud.sys [2007-03-28 02:00]
S3 VC0130Dev;Live! Cam Notebook Ultra;C:\WINDOWS\system32\DRIVERS\C0130Vid.sys [2007-09-13 02:01]
S3 VC0130Vfx;VC0130 Video FX;C:\WINDOWS\system32\DRIVERS\C0130VFx.sys [2006-06-20 02:05]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 19:40:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\MPK\MPK.dll
.
Completion time: 2008-07-10 19:42:34
ComboFix-quarantined-files.txt 2008-07-10 23:42:24
ComboFix2.txt 2008-07-10 10:58:15
ComboFix3.txt 2008-07-07 01:57:19
ComboFix4.txt 2008-07-06 14:48:50

Pre-Run: 32,146,157,568 bytes free
Post-Run: 32,138,346,496 bytes free

233 --- E O F --- 2008-07-09 07:03:15
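An added triage helper, not part of this thread and not ComboFix code, that parses the "Reg Loading Points" layout in the log above and surfaces the kinds of entries a reviewer checks by hand: bare file names that Windows locates via the search path, autostarts living in user-writable Application Data folders, and any non-empty AppInit_DLLs value. The sample input is constructed from that layout; the "Updater" entry is invented to exercise the check, and an AppInit_DLLs hit (AVG's avgrsstx.dll here) only means "verify", not "malicious".

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" layout seen in the
# log above; the "Updater" entry is invented to exercise the check, not a finding.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"Updater"="C:\Documents and Settings\All Users\Application Data\example.exe" [2008-07-01 10:00 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
"""

ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "name"=value ...
META_RE = re.compile(r'\[([^\]]*)\]\s*$')               # trailing [date time size [path]]
DRIVE_RE = re.compile(r'^[a-z]:\\', re.I)               # value starts with a drive letter
USER_DATA_RE = re.compile(r'\\documents and settings\\[^\\]+\\application data\\', re.I)


def parse_loading_points(text):
    """Yield (key, name, value, resolved_path) for every "name"=value entry."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # registry key header
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        name, rest = m.groups()
        meta = META_RE.search(rest)
        value = (rest[:meta.start()] if meta else rest).strip().strip('"')
        # ComboFix appends a 4th field (the resolved path) when the value is a bare file name
        fields = meta.group(1).split(maxsplit=3) if meta else []
        resolved = fields[3] if len(fields) == 4 else value
        yield key, name, value, resolved


def triage(text):
    """Return (name, resolved_path, reason) for entries a reviewer should verify by hand."""
    findings = []
    for key, name, value, resolved in parse_loading_points(text):
        if name.lower() == "appinit_dlls" and value:
            findings.append((name, resolved, "AppInit_DLLs is loaded into every GUI process"))
        elif key.lower().endswith("\\run") and not DRIVE_RE.match(value):
            findings.append((name, resolved, "bare file name, located via the search path"))
        elif USER_DATA_RE.search(resolved):
            findings.append((name, resolved, "autostart from a user-writable data folder"))
    return findings
```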
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Fri Jul 11, 2008 4:29 am

Download OTMoveIt2 at http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\Documents and Settings\All Users\Application Data\qdcvataj.dll


* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
milabix



Joined: Jul 06, 2008
Posts: 5



PostPosted: Fri Jul 11, 2008 10:47 am    Post subject: Thanks

Kevin, thanks so much for your assistance; it is truly appreciated.
My system is now clean.

I have read your resource kit and downloaded all recommended products.
I am doing the same on all other systems in my house.

I'm in the ink-jet equipment and supplies business; if there is anything I can do for you, please don't hesitate to let me know. (I realize this might seem inappropriate to some, and that Kevin is not doing this for profit or rewards; please don't feel this way. This is just a genuine offer to return a favor.)

Thanks again,

Michael
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Sun Jul 13, 2008 1:03 am

No problem Michael. I'm glad to help out.

I don't need any inkjet (using a laserjet), but thanks for the offer.

Feel free to post back anytime you have problems.

Since this issue is resolved, it will be locked.
All times are: Eastern Time (US & Canada)