Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

kayak99_315f5b

33 Posts

2607

October 1st, 2007 21:00

I have a trojan dnschanger - does it show here?

Using Foxfire/Google search I am redirected to other web search sites. Spybot does not recognize a trojan. Webroot, the free edition, shows I have a trojan dns-changer but I cannot seem to find it and get rid of it. Does this log show it? Any other suggested cleaning? Thanks Logfile of HijackThis v1.99.0 Scan saved at 6:40:03 PM, on 10/1/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\CASIO\Photo Loader\Plauto.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Outlook Express\msimn.exe C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099678867375 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186098370375 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe O23 - Service: Webroot Spy Sweeper Engine - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

bamajim

10.4K Posts

October 2nd, 2007 23:00

kayak99
 
Your log is unreadable as posted.
 
When you compose and submit your reply, please make sure the box under your text which shows "Automatically convert carriage returns to HTML line breaks" is checked or your reply may not format correctly.
 
Then repost your log
 



Microsoft MVP Windows-Security

"The world is what you make of it"




kayak99_315f5b

33 Posts

October 2nd, 2007 23:00

Missed than option, thanks.


Logfile of HijackThis v1.99.0
Scan saved at 6:40:03 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\UserName\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099678867375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186098370375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

bamajim

10.4K Posts

October 3rd, 2007 13:00

kayak99

Nothing showing in your log. I'm assuming you are getting the warning from Norton.

Let's do this

Run an online virus scan called Kaspersky from HERE.
  • 1. Click on " Kaspersky Online Scanner"
    2. A new smaller window will pop up. Press on " Accept". After reading the contents.
    3. Now Kaspersky will update the anti-virus database. Let it run.
    4. Click on " Next"->>" Scan Settings", and make sure the database is set to " extended". And check both the scan options. Then click OK.
    5. Then click on " My Computer". And the scan will start.
    6. Once finished, save a log as ". txt" to the desktop.




Copy and post the results of the Kaspersky Online scan

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.














Microsoft MVP Windows-Security



"The world is what you make of it"




kayak99_315f5b

33 Posts

October 4th, 2007 01:00

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 03, 2007 10:24:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 426926
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 101139
Number of viruses found: 4
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:54:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\cert8.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\history.dat Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\key3.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\parent.lock Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\search.sqlite Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\8s31yy73.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\cert8.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\history.dat Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\key3.db Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\parent.lock Object is locked skipped
C:\Documents and Settings\User Name\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Identities\{7C2CADAC-7DAD-4C9C-B2B3-6AEF13480E5B}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temp\~DF27CE.tmp Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temp\~DF27DB.tmp Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\smswDEMO\SyrasoftTS.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\smswDEMO\SyrasoftTS.exe 7-Zip: infected - 1 skipped
C:\smswDEMO\SyrasoftTS.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1364\A0130292.dll Infected: not-a-virus:AdWare.Win32.Coupons.a skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1369\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{17EE54E1-2001-4383-BACF-F692AB243A97}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

bamajim

10.4K Posts

October 4th, 2007 13:00

kayak99

The infection is in system restore folders. Which does not pose a threat unless you have to use system restore in the next 45 days. But lets' see if we can clean them.

1. Please perform an Ewido Online Malware Scan


  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • after the scan completes i twill produce a log for you, copy and paste the results of that scan as a reply to this thread
  • If any infections are found, (After you save the logfile), Click on Remove Infections.








Microsoft MVP Windows-Security



"The world is what you make of it"




kayak99_315f5b

33 Posts

October 8th, 2007 16:00

I ran Ewido and it did not recognize the trojan(s)

Here is the latest Kaspersky.

P.S. You mentioned the trojan not posing a threat - it changes my search each time I use Firefox. Would it help to delete that browser?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 08, 2007 12:52:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 8/10/2007
Kaspersky Anti-Virus database records: 429111
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 101223
Number of viruses found: 3
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 01:56:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\history.dat Object is locked skipped
C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\sliprock\vd792pw0.slt\parent.lock Object is locked skipped
C:\Documents and Settings\User Name\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat Object is locked skipped
C:\Documents and Settings\User Name\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\smswDEMO\SyrasoftTS.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\smswDEMO\SyrasoftTS.exe 7-Zip: infected - 1 skipped
C:\smswDEMO\SyrasoftTS.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1373\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Message Edited by kayak99 on 10-08-2007 12:40 PM

Message Edited by kayak99 on 10-08-2007 12:41 PM

kayak99_315f5b

33 Posts

October 8th, 2007 17:00

To recap, here is how the dns is changed. I google something. Say "apples". Google presents the lists of apple links. I click on a link. The systen then goes THRU 101links.info to another search engine (it varies) to another list of "apples" links. These are always completely general aud useless anyway.

I go "back" to the google search. When I click on the same link that took me through 101links.info, I get the real apples link google had listed.



"Obtain DNS servers automatically" was set correctly.


ipconfig /flushdns (spelled correctly with space) give me the following message:

"Could not flush the DNS Resolver Cache: Function failed during execution.


Killed all the files you listed.

Rebooted and tried the search. Same deal. Using google through firefox routes me through 191links.info



FYI, tried google through netscape and it doe snot redirect only firefox.



Thanks

Message Edited by kayak99 on 10-08-2007 01:55 PM

Message Edited by kayak99 on 10-08-2007 01:55 PM

bamajim

10.4K Posts

October 8th, 2007 17:00

kayak99

1. That's not possible from the System Restore folder.
Are you sure you are saving your Search settings in Firefox? A tutorial is HERE

2. Now lets check some settings on your system.

(2000/XP) Only

  • In the windows control panel.
    If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
    Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
    Click the Networking tab.
    Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be avaiable on some systems







Next Go start run type cmd and hit OK
type
ipconfig /flushdns (that space between g and / is needed)
then hit enter, type exit hit enter

3. Please download the Killbox.
  • 1)Save it to the desktop
    2) Rt Click->>Extract all->.Extract it to your Desktop
    3) Double Click Killbox.exe to run it
    4)Select " Delete on Reboot", and then select "All files".
    5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    • C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll
      C:\smswDEMO\SyrasoftTS.exe/vnchooks.dll
      C:\smswDEMO\SyrasoftTS.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125213.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125214.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125215.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125216.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125217.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125218.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125220.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125221.exe
      C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1354\A0125222.exe


    6) Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
    7) Click the red-and-white " Delete File" button.  Click " Yes" at the Delete on Reboot prompt.








4. Reboot your PC ->> Then rerun the Kaspersky online scan and post a fresh Kaspersky log




















Microsoft MVP Windows-Security


"The world is what you make of it"



bamajim

10.4K Posts

October 8th, 2007 18:00

kayak99
 
If it only does through Firefox, then maybe you should uninstall the aplication, it may be corrupt.
 
Are you still getting the infection warning from your AV?
 



Microsoft MVP Windows-Security



"The world is what you make of it"



kayak99_315f5b

33 Posts

October 8th, 2007 21:00

No Trojan warning from AVG. AVG only showing tracking cookies but the Trojan still exists in Firefox so, unless there is another solution I'm going to save my Firefox bookmarks (and hope it is not attached in there) and delete that browser. Thanks for your help

bamajim

10.4K Posts

October 9th, 2007 00:00

kayak99
 
Once you do that let me see one more fresh Hijackthis log, so I can make sure it doesn't show up somewhere else.
 



Microsoft MVP Windows-Security


"The world is what you make of it"



bamajim

10.4K Posts

October 9th, 2007 00:00

Kayak99
 
Will do this week if I don't have to leave town.
 
You can post the fresh Hijackthis log after you uninstall the browser. Just reply when ready.
 



Microsoft MVP Windows-Security


"The world is what you make of it"



kayak99_315f5b

33 Posts

October 9th, 2007 00:00

I know, thanks. I need to copy some passwords and it appears that is manually done one by one. I wanted to capure a hijack this before I did it, just to compare.

kayak99_315f5b

33 Posts

October 9th, 2007 00:00

Will do this week if I don't have to leave town.

Here a hijackthis log is as of now - 10-8-07 - thanks

Logfile of HijackThis v1.99.0
Scan saved at 9:24:50 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and SettingsUser Name\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099678867375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186098370375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe

kayak99_315f5b

33 Posts

October 9th, 2007 21:00

Firefox gone, still have netscape and Explorer. The DNS Changer must still be around because it does change some Explorer searches but not Netscape.

Here is the latest hijackthis log.

Thanks

Logfile of HijackThis v1.99.0
Scan saved at 6:03:59 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\User Name\Application Data\Mozilla\Profiles\default\t24iey8c.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099678867375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186098370375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe

View More

View All

No Events found!

Top