Browser Hijack



Aggie
2007-07-06, 21:36
Hi,

I have something on my laptop, which hijacks my browsers. I tried to clean it before, but after 1 or 2 days the hijacking came back.

Any help is greatly appreciated…

Don’t know if it helps, but whatever it is, it creates the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\
{porn website url}\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\
{porn website url}\

where {porn website url} starts with 100hot.com and ends with xxxtoolbar.com

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{other url}\

Where {other URL} is, for example 008i.com, 1gb.ru, etc all the way to zyban-zocor-levitra.com

Unfortunately that computer lost its internet connection, so I cannot post an Online Scanner log from today, but as of 07/05/07 the Etrust AntiVir scanner came back fine.

Spybot does not see any problems at all, while SpyEraser flags the following:

---
Adware.ISTBar
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com\\
--
CWS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com\\
--
Adware.Chiem.b
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\qksrv.net\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\linksynergy.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\fastclick.net\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\commision-junction.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\bfast.com\\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\history\fastclick.com\\
--
Adware.CoolWebSearch
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\\

I cleaned all of those a few days ago, but they keep coming back…

Here’s the HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:25:08, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyEraser\SpyEraser.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183086516953
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6887 bytes

Thanks
Aggie
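The keys Aggie lists sit under Internet Explorer's ZoneMap\Domains (one subkey per domain, holding a DWORD per URL scheme that names the IE security zone) and P3P\History (per-site cookie decisions). The read-only PowerShell script below is an added example, not code from the thread or from any of the tools mentioned in it: it enumerates those three locations, rebuilds each host name from the nested subkeys, shows which zone every ZoneMap entry maps to, and flags any domain on a watch list constructed from the ones SpyEraser reported above. It assumes PowerShell is installed on the machine.

```powershell
# Added example (not from the thread): inventory IE ZoneMap\Domains and
# P3P\History entries and flag domains on a watch list. Read-only.

# Watch list constructed from the domains SpyEraser reported in the post.
$watchList = @(
    'searchmiracle.com', 'mt-download.com', 'slotch.com', 'searchbarcash.com',
    'blazefind.com', 'flingstone.com', 'xxxtoolbar.com', 'coolwwwsearch.com',
    'qksrv.net', 'linksynergy.com', 'fastclick.net', 'fastclick.com', 'bfast.com'
)

# IE URL security zone ids, stored as DWORD values under each ZoneMap domain key.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';      4 = 'Restricted Sites' }

$inetSettings = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$locations = @(
    @{ Path = "HKCU:\$inetSettings\ZoneMap\Domains"; Kind = 'ZoneMap' },
    @{ Path = "HKCU:\$inetSettings\P3P\History";     Kind = 'P3P' },
    @{ Path = "HKLM:\$inetSettings\P3P\History";     Kind = 'P3P' }
)

function Get-DomainFromKey {
    # ZoneMap nests host labels as subkeys (Domains\example.com\www is
    # www.example.com), so rebuild the host name from the relative key path.
    param([string]$KeyName, [string]$BaseName)
    $rel   = $KeyName.Substring($BaseName.Length).TrimStart('\')
    $parts = $rel -split '\\'
    [array]::Reverse($parts)
    return ($parts -join '.').ToLower()
}

$findings = foreach ($loc in $locations) {
    if (-not (Test-Path $loc.Path)) { continue }
    $baseName = (Get-Item $loc.Path).Name
    foreach ($key in Get-ChildItem -Path $loc.Path -Recurse -ErrorAction SilentlyContinue) {
        $domain = Get-DomainFromKey -KeyName $key.Name -BaseName $baseName
        $zones  = @()
        if ($loc.Kind -eq 'ZoneMap') {
            # Each value is "<scheme> = <zone id>", e.g. http = 2 (Trusted Sites).
            foreach ($valueName in $key.GetValueNames()) {
                $id    = $key.GetValue($valueName)
                $label = if ($zoneNames.ContainsKey([int]$id)) { $zoneNames[[int]$id] } else { "zone $id" }
                $zones += "$valueName=$label"
            }
        }
        New-Object PSObject -Property @{
            Hive        = $baseName.Split('\')[0]
            Kind        = $loc.Kind
            Domain      = $domain
            Zones       = ($zones -join ', ')
            OnWatchList = ($watchList -contains $domain)
        }
    }
}

$findings | Sort-Object OnWatchList -Descending |
    Format-Table Hive, Kind, Domain, Zones, OnWatchList -AutoSize
```

The zone column is the part worth reading. An unfamiliar domain placed in Trusted Sites (zone 2) lowers IE's security for that site and is a genuine hijack indicator; entries in Restricted Sites (zone 4), by contrast, are what protective tools such as SpywareBlaster (which appears in the uninstall list later in the thread) and Spybot's Immunize write for known adware domains, and they are re-created every time those tools re-immunize, so their reappearance after a "clean-up" is expected rather than a sign of reinfection.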

pskelley
2007-07-07, 13:55
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Aggie, if you still need help I need to say I see nothing in the HJT log. This is not unusual; HJT, which is a small tool, cannot see everything. Since you obviously have a problem, let's start looking for what it is like this:

1) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

2) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
Don't get confused here, this is not the same as the antivirus program you are running. Make sure you save the scan report to post.

Restart the computer and post the report from Fixwareout and the scan results from AVG Anti-Spyware. Please add any comments you think will help.

Thanks...Phil

Aggie
2007-07-07, 20:03
Hi Phil

here's the report from Fixwareout:

Username "Aggie" - 2007-07-07 11:34:25 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVG7\\avgcc.exe /STARTUP"
"TPHOTKEY"="C:\\Program Files\\Lenovo\\HOTKEY\\TPOSDSVC.exe"
"LPManager"="C:\\PROGRA~1\\THINKV~1\\PrdCtr\\LPMGR.exe"
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ZoneAlarm Client"="\"C:\\Program Files\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Uniblue SpyEraser"="\"C:\\Program Files\\SpyEraser\\SpyEraser.exe\" -m"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


and here the AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:25:40 7/7/2007

+ Scan result:



C:\Documents and Settings\David\Cookies\david@lenovo.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\David\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\David\Cookies\david@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

current HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:51:27, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyEraser\SpyEraser.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183086516953
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7256 bytes


I don't know if it has anything to do with this, but checking Zonealarm, it tells me that Firefox is listening on ports 1142 & 1144. Also, explorer.exe tried to access 207.46.248.249:HTTP...

Hope that helps & Thanks a lot for your time
Aggie

pskelley
2007-07-07, 20:52
Hi Aggie, I know no more now than I did before: Fixwareout showed nothing and AVG Anti-Spyware a few cookies, and your HJT log is spotless also.

Let's first talk about Zone Alarm. If you are not familiar with how it works, I suggest you take the time to review the tutorial. Right-click and Restore the Control Center; the tutorial is on the Status tab in the upper right corner. The programs you mention are going to access the internet via ports. In Program Control under the Programs tab you can see the programs you allow access to the internet. You do not want to see any programs there you are not aware of.
I can provide more information about Zone Alarm and how firewalls work in general if you need it.

http://whois.domaintools.com/207.46.248.249 <<< this is what your computer is accessing, Microsoft.

Port information for you: http://www.iana.org/assignments/port-numbers
Port check if you wish: https://www.grc.com/x/ne.dll?bh0bkyd2

AVG showed us nothing; it does use some resources and will slow your computer somewhat. You can benefit from the realtime protection during the trial period if you wish, or you can uninstall the program.

Next I want to say I am interested in the symptoms of this "hijacker". Though the information you posted helps, different programs find different stuff, some valid and some not, and often what is found is leftovers from other removals. Provide me with as much information as possible about exactly what the computer is doing. I am also interested in any error messages; please post those "word for word".
I wish to collect more information and run a good scan. The scan will not remove anything but will give us a good look at what may be there. We will also look for a hidden rootkit infection. Please do this:

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

(do not remove anything, most if not all will be valid)


3) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Post the uninstall list, the report from BlackLight and the scan report from Kaspersky. Post any information I requested and any comments you think will help.

Thanks
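Phil's point that every program reaching the internet does so through a port, and that the firewall's Programs list should contain nothing unexpected, can be checked directly on the machine. The PowerShell script below is an added example, not code from the thread or from Zone Alarm: it parses the output of `netstat -ano` (present on Windows XP) and joins the PID column with the running process list, so an alert such as "Firefox is listening on port 1142" can be matched to the process and executable path behind it. The three sample rows are constructed so the parser can be exercised without a live capture; the PIDs in them will not exist on the reader's machine.

```powershell
# Added example (not from the thread): map TCP/UDP endpoints from "netstat -ano"
# to their owning process. Read-only.

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # TCP rows: Proto Local Foreign State PID ; UDP rows: Proto Local Foreign PID
    $f = $Line.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        $state = $f[3]; $procId = [int]$f[4]
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        $state = ''; $procId = [int]$f[3]
    } else {
        return $null          # header lines and anything unparseable
    }
    # Note: $pid is reserved in PowerShell (current process id), hence $procId.
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $name = '(no such process)'
    $path = ''
    if ($proc) {
        $name = $proc.ProcessName
        if ($proc.Path) { $path = $proc.Path }   # empty for protected system processes
    }
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
        ProcessId = $procId; Process = $name; Path = $path
    }
}

function Get-NetEndpoints {
    # With no argument, captures live output; pass an array of lines to parse a saved capture.
    param([string[]]$NetstatOutput = (& netstat -ano))
    foreach ($line in $NetstatOutput) {
        $entry = ConvertFrom-NetstatLine -Line $line
        if ($entry) { $entry }
    }
}

# Constructed sample capture (not from the thread); the PIDs are placeholders.
$sample = @(
    '  TCP    127.0.0.1:1142         0.0.0.0:0              LISTENING       1234',
    '  TCP    192.168.1.5:1523       207.46.248.249:80      ESTABLISHED     1508',
    '  UDP    0.0.0.0:500            *:*                                    704'
)

Get-NetEndpoints -NetstatOutput $sample |
    Sort-Object ProcessId |
    Format-Table Proto, Local, Remote, State, ProcessId, Process, Path -AutoSize

# Live machine, listening sockets only:
# Get-NetEndpoints | Where-Object { $_.State -eq 'LISTENING' } | Format-Table -AutoSize
```

Two things to read off the output. The State column separates a socket that is genuinely waiting for inbound connections (LISTENING) from the local side of an outbound connection (ESTABLISHED); on Windows XP outbound connections take local ports starting at 1024, so firewall reports of a browser "listening" on ports like 1142 and 1144 are usually the latter. The Path column tells you whether the process name matches the executable you expect, which is the check Phil describes for the Programs tab: a familiar name running from an unfamiliar location is the thing to follow up on.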

Aggie
2007-07-08, 06:01
Phil,

Here we go:

HJT Uninstall log:
BAHN 3.83 & 3.84 and Flying Fish are 100% legitimate - have been running them for years...

---

Adobe Reader 8
AVG 7.5
AVG Anti-Spyware 7.5
BAHN 3.83r2a (safe, it's a simulation program; if you want more information: www.jbss.de)
BAHN 3.84r1
Diskeeper Lite
Flying Fish (also safe, it's a little helper to keep track of distances)
HijackThis 2.0.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Mozilla Firefox (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser
On Screen Display
Opera 9.21
PC-Doctor 5 for Windows
Picasa 2
Privoxy 3.0.6
Productivity Center Supplement for ThinkPad
RecordNow Audio
RecordNow Copy
RecordNow Data
Remove Multimedia Center
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Roll (<--- no idea what this is)
Sonic DLA
Sonic Express Labeler
Sonic Icons for Lenovo
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Alliance Electronic Timetable (airline group schedule)
Star Alliance Auto Update Conduit (English)
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Tor 0.1.2.14
Uniblue SpyEraser
Uninstall Star Alliance Mileage Calculator
Wallpapers
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
XP Themes
ZoneAlarm

---

Blacklight log:

07/07/07 21:14:21 [Info]: BlackLight Engine 1.0.64 initialized
07/07/07 21:14:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/07/07 21:14:21 [Note]: 7019 4
07/07/07 21:14:21 [Note]: 7005 0
07/07/07 21:14:33 [Note]: 7006 0
07/07/07 21:14:33 [Note]: 7011 912
07/07/07 21:14:33 [Note]: 7026 0
07/07/07 21:14:33 [Note]: 7026 0
07/07/07 21:14:36 [Note]: FSRAW library version 1.7.1022
07/07/07 21:18:05 [Note]: 7007 0

---

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 07, 2007 22:12:32
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/07/2007
Kaspersky Anti-Virus database records: 337302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45653
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:38:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07052007-201600.log Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\cert8.db Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\history.dat Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\key3.db Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\parent.lock Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EF25E4A4-7DE6-4B96-AB25-9FFA33AB3847} Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\zto9yvdb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012007070720070708\index.dat Object is locked skipped

Scan process completed.
---

Here is the full history of my case as I remember it:
FireFox was hijacked when I wanted to go to maps.google.com and typed it in. But instead of Google a white website was displayed (maps.google.com was still in the address bar) and the website had the following text (I might not remember it word by word):
--
This site is a DoubleClick advertisement server. To go to the doubleclick homepage click here

To view Doubleclick's privacy policy click here
--
The first link went (according to the page source) to hxxp://www.doubleclick.com and the second one to an address similar to hxxp://www.doubleclick.com/privacy.html or so.

After not seeing any obviously bad running process I checked the registry's run, run once etc entries and didn't see anything wrong there, either.
Then I ran SpyBot, which came back clean, and SpyEraser, which gave me the same list as the one in my first post. First I had SpyEraser eliminate the reported problems, then I went and removed manually the keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

after checking their subkeys and only seeing suspicious entries in there.

Then I uninstalled FireFox, rebooted and reinstalled FireFox. This worked for about a day or two, but unfortunately I cannot say if I actually rebooted during this time or not.

Then the above mentioned "google" error happened. I checked the registry again and there were all those entries that I had manually deleted...

I hope this helps!

Thanks a lot for all your help!

Aggie

PS: I don't know if you think this will work, but one thing I could try is: If you can recommend a real-time registry change tracking program, I could delete the entries in the registry and see when and by what program they are added again - do you think this is feasible?

Aggie
2007-07-08, 06:07
Please DO NOT click on the doubleclick links in above message as they might be potentially harmful!

They were not intended to be hyperlinks!

Sorry about that
Aggie

pskelley
2007-07-08, 14:09
Thanks for returning your information and your feedback, let's have a look;

Uninstall list:
HijackThis 2.0.0 <<< Trend Micro released the new program, it would be good to update. Open HJT > Click on "Main Menu" > Open the Misc Tools section > scroll down until you see "Check for update online" and follow the directions.

J2SE Runtime Environment 5.0 Update 6 <<< check your Java for an update, once you have it downloaded, remove the old version.

Roll (<--- no idea what this is) I do not know it either, it could be an arcade game: http://www.arcadetown.com/rollon/index.asp
I would investigate it or uninstall it if I were you.

I see nothing else.

Blacklight is clean

KASPERSKY ONLINE SCANNER REPORT Saturday, July 07, 2007 22:12:32
Kaspersky is clean?

Let's do a good cleaning:
Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin: Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

This has me wondering. When you get to this point, please provide me with any information you think will help. Any symptoms, and error messages word for word. From all signs this is a clean computer.

After reading your comments, I can suggest a good free registry cleaner if you wish, just let me know if you wish me to post it.

I would also like to run another program to look for a hidden rookit that BlackLight might not have seen for a doublecheck.

* Click here to download AVG Anti Rootkit and save it to your desktop.
http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

Thanks

Aggie
2007-07-09, 01:13
Hi Phil,


HijackThis 2.0.0 updated

J2SE Runtime Environment 5.0 Update 6 updated and uninstalled old version

Roll (<--- no idea what this is) Never mind, I figured out what this is...

Cleaned IE, Firefox and temporary files.

Ran AVG Anti Rootkit and it came back clean, but I didn't see any report button.

What do you think about DiamondCS RegProt (http://www.diamondcs.com.au/freeutilities/regprot.php) as a real-time registry monitor? Or which one would you recommend?

Other than that I don't have anything else to report...I'll try to see if I can reproduce any hijacking, since I haven't dared to use the infected computer for internet stuff if I didn't have to.

Thanks
Aggie

pskelley
2007-07-09, 01:25
Hi Aggie, thanks for the feedback. These folks http://www.diamondcs.com.au/freeutilities/regprot.php have always had excellent products but I have never used that one and can tell you little about it. The price does look right. You are aware Spybot also offers some freeware products and they are available here:
http://forums.spybot.info/forumdisplay.php?f=3

The registry cleaner I usually post, which is also freeware is this one:

http://www.hoverdesk.net/freeware.htm

Be sure to backup your registry anytime you work in it.

- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL


I recommend you download RegSeeker.
http://www.hoverdesk.net/freeware.htm
Extract it to its own folder,
open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.

I will keep your topic open for a bit, let me know if this helps or if you come up with any new information.

Thanks...Phil

Aggie
2007-07-09, 04:26
Hi Phil,

I downloaded the program you recommended and ran it a few times, but there are a few registry entries, that cannot be removed, neither using RegSeeker nor manually using regedit. Any idea on how to remove them?

[HKEY_CLASSES_ROOT\CLSID\{5775505C-9EF1-11D4-AE46-0080BD080808}]
@="BTSecurityCallback Class"
"AppID"="{57755050-9EF1-11D4-AE46-0080BD080808}"

[HKEY_CLASSES_ROOT\CLSID\{5775505C-9EF1-11D4-AE46-0080BD080808}\LocalServer32]

[HKEY_CLASSES_ROOT\CLSID\{5775505C-9EF1-11D4-AE46-0080BD080808}\ProgID]

[HKEY_CLASSES_ROOT\CLSID\{5775505C-9EF1-11D4-AE46-0080BD080808}\TypeLib]

[HKEY_CLASSES_ROOT\CLSID\{5775505C-9EF1-11D4-AE46-0080BD080808}\VersionIndependentProgID]

[HKEY_CURRENT_USER\Software\InterVideo]

[HKEY_CURRENT_USER\Software\InterVideo\Common]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithProgids]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotx\OpenWithProgids]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppam]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppam\OpenWithProgids]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithProgids]

[HKEY_LOCAL_MACHINE\SOFTWARE\BVRP Software, Inc]

[HKEY_LOCAL_MACHINE\SOFTWARE\BVRP Software, Inc\Digital Line Detect]

[HKEY_LOCAL_MACHINE\SOFTWARE\BVRP Software, Inc\NetWaiting]

[HKEY_LOCAL_MACHINE\SOFTWARE\InterVideo Inc.]

[HKEY_LOCAL_MACHINE\SOFTWARE\InterVideo Inc.\InterVideo Register Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\MimarSinan]

[HKEY_LOCAL_MACHINE\SOFTWARE\MimarSinan\InstallAware]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft]

I also installed the registry-change tracker and removed the keys mentioned in my OP. So let's see if/when they come back.

I will keep you posted if something weird happens again, right now my system seems to act normal...
Also, if you have any suggestions/ideas if there's anything else to try, please let me know.

Thank You for all your time
Aggie
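One way to carry out the plan above (delete the keys, then watch for them coming back) without a real-time monitor: export the registry right after deleting the keys (File > Export, range ALL), export again a day later, and diff the two files. The Python below is an added example, not code from the thread or from any tool named in it; it parses regedit .reg exports and lists the domain subkeys that reappeared under the three keys from the first post. The sample exports are constructed, using domains SpyEraser flagged in the first post.

```python
import re

# Key paths from the original post (regedit exports write the full hive names,
# so HKCU/HKLM are expanded here). Only the domain subkeys below them are compared.
WATCHED_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History",
)
KEY_LINE = re.compile(r"^\[([^\]]+)\]$")


def parse_reg_export(text):
    """Return every key path in a .reg export, lower-cased (registry paths are case-insensitive)."""
    keys = set()
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.add(m.group(1).lower())
    return keys


def domains_under(keys, watched):
    """Immediate subkey names (the domains) beneath one watched key."""
    prefix = watched.lower() + "\\"
    return {k[len(prefix):].split("\\", 1)[0] for k in keys if k.startswith(prefix)}


def new_since_baseline(baseline_reg, later_reg):
    """Domains under a watched key in the later export that the baseline export lacked."""
    before, after = parse_reg_export(baseline_reg), parse_reg_export(later_reg)
    report = {}
    for watched in WATCHED_KEYS:
        added = domains_under(after, watched) - domains_under(before, watched)
        if added:
            report[watched] = sorted(added)
    return report


# Constructed sample exports, trimmed to the watched keys. The baseline was taken
# right after the keys were deleted; the domains in the later export are ones
# SpyEraser flagged in the first post. Values are irrelevant to the diff.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"""
LATER_REG = BASELINE_REG + r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net]
@=dword:00000005
"""

if __name__ == "__main__":
    for key, domains in new_since_baseline(BASELINE_REG, LATER_REG).items():
        print(key, *("  + " + d for d in domains), sep="\n")
```

The diff tells you when the keys came back, not which program wrote them; for the "by what program" half of the question a real-time registry monitor is still needed.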

pskelley
2007-07-09, 13:11
I will say working in the registry is my least favorite area, which is why I emphasize backups. If you are positive those entries need to be removed, here is a site with information:
http://www.robvanderwoude.com/regedit.html

You can try RegASSASSIN
http://www.malwarebytes.org/regassassin.php

Microsoft offers a free scan also:
http://onecare.live.com/site/en-us/article/registry_cleaner_why.htm

This information might help:
http://www.theeldergeek.com/registry_edits.htm

Thanks...Phil

Aggie
2007-07-10, 19:29
Thanks a lot!
Aggie

Aggie
2007-07-14, 00:49
Hi Phil,

I just wanted to give you a quick update: So far my PC has been running fine for the last few days, I haven't noticed any suspicious behaviour or anything.
Also, the registry entries I described in the first post haven't shown up - {knock on wood}

I'll keep monitoring my PC, but at the moment it seems that everything is working as I want it to.

Thanks again for all your help!

And if you are ever in Aggieland, I owe you one for all your time.

Aggie

pskelley
2007-07-14, 01:05
Music to my ears, let me leave you with this information.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.