www.yahabags.com


Gopherbassist
2006-10-09, 03:45
I'm not exactly sure what is causing it, but something keeps redirecting me to the page at
www.yahabags.com and then to either


http://64.182.127.227/redgk.php?mc=VPgVcWxKNu03%2B2syWDdRsqh6Xxp4LahshzNLrqNIOPA4%2F2QpU%2FAQcm9MLOg2AHAyT%2FEYcG5LMu46%2FnAyVPcQcXFGLOg1%2FmQqUvgPdnRJL%2BY2AG0tUfUPcW1MLug3%2BWgwVPochap%2BXyRlLYNdkiEcemxELugz%2BmsyWDZLpKGFHh1jNZsYkiFErJ2KcyhnAnAyWChWtKxQLeVl9ptmhiFQo6FEYSVv95k3g%2FEfmqSHbzBGGqM%2BkitXiJNdd%2FxcFaFCYy0vlaGAXyZmOGhOai0qqm9tcR5RIZpjbRpXmp6JMyFZMY5ldTpEq7FpWP1NOY9tgyw8halLc%2F5FMGdhgjRal6NGXy1OHGhtUhojj45YVRB5QKs%2FjzNXc52AUyhqHoE6cQtTh5FIaR15O4ltlyVUl4RpZRxIP5trjyUti7FqbwVoKqVfeAg1da5fbTAzDo8tXwooka1ia%2FlGC61nlTQTiZNaUyhyDqxriAREtJ6DeCFXQJA6hAVQmLKOYwNTKqdMcgkxsX1XTfp4P7BPkRUwk6FLUiBOCqlLjjUtpKiGUR1QMoxolTJbl6%2BCRgVjGH5dYggklolvVClXIbBLYg9adLZpSAVNQak%2FeA9VjYhJaQxPGqdwbjFZl4ttbQJMGoJHaSxOl42AQhxuFGs9kANWs4VvRBh6KqBrgyRQcISPRyZcOINcZQZRmZVtQyRqCnhvZAJXqmJ%2BOytMHZwtXwFacoVgay5lCYBlRCIfcXRJNuY2&v=51d312a2d11d88fb46eb7159a9f1bc41

or


http://67.29.139.199/click/?affiliate=VK2&subid=1008&Terms=lighting%20fixtures&sid=Z092044902x81M3d3dfhTNwgDM0ETMxQDM3AjN48VN4EDMx81MyMjN3IDM2ETM

Has anyone else had this happen?

tashi
2006-10-09, 04:38
Hello Gopherbassist

Your description sounds like a hijacked browser. Can you give more details, please?

1) Operating System.
2) Security programs installed.
3) Open Spybot>Help>About
Let us know the version and latest detection update please.

Cheers.

moldybagel23
2006-10-10, 06:30
Hi,

I did some looking around on the sites; I'm trying to find out more about the cookies left when using Firefox.
For that bottom link, here are the contents of the cookie that's left when visiting the site:

Name of cookie:
LiveHelpSession

Contents:
a%3A2%3A%7Bs%3A7%3A%22REQUEST%22%3Bi%3A594447%3Bs%3A8%3A%22LANGUAGE%22%3Bs%3A2%3A%22en%22%3B%7D

I'll work more with this later; hopefully you guys can add this to the tracking/spyware cookie listings in a future update.
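
The LiveHelpSession value above is a URL-encoded string in the format PHP's serialize() produces. As an added example that is not part of the thread, the following Python decodes it with a small parser written for this page (not a library API); the PHP format is parsed on bytes because its s:<len> field is a byte count, not a character count.

```python
from urllib.parse import unquote_to_bytes

# The LiveHelpSession cookie value exactly as posted (the forum wrapped it
# over two lines; it is one value).
LIVEHELP_COOKIE = (
    "a%3A2%3A%7Bs%3A7%3A%22REQUEST%22%3Bi%3A594447%3Bs"
    "%3A8%3A%22LANGUAGE%22%3Bs%3A2%3A%22en%22%3B%7D"
)


def php_unserialize(data: bytes):
    """Parse PHP serialize() output (N, b, i, d, s, a) into Python values.

    Works on bytes because PHP's s:<len> is a byte count; string values are
    decoded as UTF-8 on the way out.
    """
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        conv = {b"b": lambda r: r == b"1", b"i": int, b"d": float}[tag]
        return conv(raw), end + 1
    if tag == b"s":                                   # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        raw = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at {start + length}")
        return raw.decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                                   # a:<n>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                               # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"bad array terminator at {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def decode_php_cookie(value: str):
    """URL-decode a cookie value, then unserialize it."""
    return php_unserialize(unquote_to_bytes(value))


if __name__ == "__main__":
    print(decode_php_cookie(LIVEHELP_COOKIE))
    # {'REQUEST': 594447, 'LANGUAGE': 'en'}
```

Decoded, the cookie is a two-element array holding a numeric request id and a language code, which is what you would check before deciding whether a cookie is a tracker or just a help-widget session.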

Yodama
2006-10-10, 11:47
I'm not exactly sure what is causing it, but something keeps redirecting me to the page at

www.yahabags.com

if possible please attach a spybot or hijackthis log, so we have more hints for analysis

That website appears to be a completely useless search site; searches are completely ignored and only the same results get shown.
I added the website, as well as the referenced daily-search website (which is the same), to our detection database. They will be flagged with our next update.

http://64.182.127.227/redgk.php?mc=VPgVcWxKNu03%2B2syWDdRsqh6Xxp4LahshzNLrqNIOPA4%2F2QpU%2FAQcm9MLOg2AHAyT%2FEYcG5LMu46%2FnAyVPcQcXFGLOg1%2FmQqUvgPdnRJL%2BY2AG0tUfUPcW1MLug3%2BWgwVPochap%2BXyRlLYNdkiEcemxELugz%2BmsyWDZLpKGFHh1jNZsYkiFErJ2KcyhnAnAyWChWtKxQLeVl9ptmhiFQo6FEYSVv95k3g%2FEfmqSHbzBGGqM%2BkitXiJNdd%2FxcFaFCYy0vlaGAXyZmOGhOai0qqm9tcR5RIZpjbRpXmp6JMyFZMY5ldTpEq7FpWP1NOY9tgyw8halLc%2F5FMGdhgjRal6NGXy1OHGhtUhojj45YVRB5QKs%2FjzNXc52AUyhqHoE6cQtTh5FIaR15O4ltlyVUl4RpZRxIP5trjyUti7FqbwVoKqVfeAg1da5fbTAzDo8tXwooka1ia%2FlGC61nlTQTiZNaUyhyDqxriAREtJ6DeCFXQJA6hAVQmLKOYwNTKqdMcgkxsX1XTfp4P7BPkRUwk6FLUiBOCqlLjjUtpKiGUR1QMoxolTJbl6%2BCRgVjGH5dYggklolvVClXIbBLYg9adLZpSAVNQak%2FeA9VjYhJaQxPGqdwbjFZl4ttbQJMGoJHaSxOl42AQhxuFGs9kANWs4VvRBh6KqBrgyRQcISPRyZcOINcZQZRmZVtQyRqCnhvZAJXqmJ%2BOytMHZwtXwFacoVgay5lCYBlRCIfcXRJNuY2&v=51d312a2d11d88fb46eb7159a9f1bc41

or


http://67.29.139.199/click/?affiliate=VK2&subid=1008&Terms=lighting%20fixtures&sid=Z092044902x81M3d3dfhTNwgDM0ETMxQDM3AjN48VN4EDMx81MyMjN3IDM2ETM


These other 2 search sites appear to be actually working but need more analysis to determine if they are malicious in any way. It is possible that they actually pay to get redirected to by the hijacker above.
But for the time being they do not get added to our detection database.

tashi
2006-10-11, 00:18
Gopherbassist, just to clarify.

These instructions are for Spybot-S&D version 1.4


Open SpyBot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red
Then on the toolbar menu select Mode and switch to Advanced mode. On the left, lower down, select Tools, then View Report, and ensure all the options near the bottom are selected except:

Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.

Now select (near the top) View Report.
Press Export; in the "Save in" box choose a place such as your My Documents folder. Then in your next post, near the bottom, select the "Browse" button; navigate to and attach or post that report.

If you wish to post a HJT log please do so in the malware forum:
Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Instructions for getting a HJT log are here:
"BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

TAMBARU
2006-10-18, 00:11
I am having the same problem. I have run Spybot, SpyHunter, registry cleaners, etc., and cannot get rid of this when searching with Explorer. Does anyone have a fix?

Paul

tashi
2006-10-18, 01:20
Hello

I suggest following the instructions already posted above so that we have a log to work with. ;)

As for SpyHunter, please see:
Note on Enigma SpyHunter:
Rogue/Suspect Anti-Spyware Products & Web Sites (http://www.spywarewarrior.com/rogue_anti-spyware.htm#notes)

Stealth-Ghost
2006-10-22, 14:11
I get this too. When I click on a link at, say, Google, it redirects me there, and the only way I have to solve this is to backspace 2-3 times back to Google and click the link again; then it works. This happens with about 1 in 10 links I click.

I did what you said to the other person, that report, and I got this:
SpybotSD.Report.txt:
Your file of 41.9 KB bytes exceeds the forum's limit of 19.5 KB for this filetype.

So I made it a zip file, hope it works.

Thanks for any help, it's annoying =/

tashi
2006-10-22, 19:50
--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-01-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-10-20 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-10-20 Includes\DialerC.sbi (*)
2006-10-13 Includes\Hijackers.sbi (*)
2006-10-20 Includes\HijackersC.sbi (*)
2006-10-20 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-10-20 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-20 Includes\PUPSC.sbi (*)
2006-10-20 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-10-20 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-10-20 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-13 Includes\Trojans.sbi (*)
2006-10-20 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2

<Snip> Removed Windows Updates List

--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
file: C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
size: 90112
MD5: 0dc2e1b6951bd2170bc47f0eebf629b3

Located: HK_LM:Run, AtiPTA
command: atiptaxx.exe
file: C:\WINDOWS\system32\atiptaxx.exe
size: 344064
MD5: 0bc11b0f5dbd99089157fcf6267a812c

Located: HK_LM:Run, CTHelper
command: CTHELPER.EXE
file: C:\WINDOWS\CTHELPER.EXE
size: 17920
MD5: 866346f3d82f0ca2c7d80aff41a6e1d3

Located: HK_LM:Run, CTxfiHlp
command: CTXFIHLP.EXE
file: C:\WINDOWS\system32\CTXFIHLP.EXE
size: 18944
MD5: 279615246e6343b7c4badbcb8cf37067

Located: HK_LM:Run, Logitech Utility
command: Logi_MwX.Exe
file: C:\WINDOWS\Logi_MwX.Exe
size: 19968
MD5: cddabeaca10942f0ddde962fe0dac71a

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: c74c7963eec07af49dce44d64819b2bf

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100

Located: HK_CU:Run, AIM
command: C:\Program Files\AIM\aim.exe -cnetwait.odl
file:

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, MsnMsgr
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 5354792
MD5: c1ee2387ede907599ee3a6de9493f672

Located: Startup (disabled), Adobe Gamma Loader (DISABLED)
command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
file: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
size: 110592
MD5: 5cd0cd0ec4dc5df459b3ac016764f5aa

Located: Startup (disabled), ATI CATALYST System Tray (DISABLED)
command: C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe SystemTray
file: C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe
size: 45056
MD5: 64c4c17bf6a40ff1cd21205e6fd415b8

Located: Startup (disabled), Billminder (DISABLED)
command: C:\QUICKENW\billmind.exe
file:

Located: Startup (disabled), BitTorrent (DISABLED)
command: C:\PROGRA~1\BITTOR~1\BITTOR~1.EXE
file:

Located: Startup (disabled), Xfire (DISABLED)
command: C:\PROGRA~1\Xfire\Xfire.exe
file: C:\PROGRA~1\Xfire\Xfire.exe
size: 2278912
MD5: 75885bbea71f18b59d2bc3294307b678

Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, geeda
command: C:\WINDOWS\System32\geeda.dll
file: C:\WINDOWS\System32\geeda.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll


--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/2003 4:17:44 PM
Date (last access): 10/22/2006 4:05:46 AM
Date (last write): 11/3/2003 4:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 1/17/2006 9:57:20 PM
Date (last access): 10/22/2006 4:44:18 AM
Date (last write): 5/31/2005 2:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
BHO name:
CLSID name: DriveLetterAccess
description: Hewlett-Packard's DLA software
classification: Unknown
known filename: tfswshx.dll
info link:
info source: TonyKlein
Path: C:\WINDOWS\system32\dla\
Long name: tfswshx.dll
Short name:
Date (created): 9/14/2004 8:56:10 AM
Date (last access): 10/22/2006 4:42:12 AM
Date (last write): 3/15/2004 12:04:00 AM
Filesize: 118836
Attributes: archive
MD5: 3A79721C9ACC30CBA57266854C20238B
CRC32: 6FCEA787
Version: 1.4.7.1

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 3/2/2006 2:53:00 PM
Date (last access): 10/22/2006 4:44:18 AM
Date (last write): 11/10/2005 2:22:12 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{80A44721-A513-46AC-8651-628A9C8C34A4} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: nowlnwjs.dll
Short name:
Date (created): 3/23/2006 5:12:48 PM
Date (last access): 10/22/2006 4:44:18 AM
Date (last write): 3/23/2006 5:12:52 PM
Filesize: 122900
Attributes: archive
MD5: 8285D2F94549579E5D5477862C93FFE7
CRC32: 8947C7EA

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Web assistant)
BHO name: Web assistant
CLSID name: CNisExtBho Class
description: NIS 2004,
classification: Legitimate
known filename: NISShExt.dll
info link: http://www.symantec.com/sabu/nis/nis_pe/
info source: TonyKlein
Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
Long name: NISShExt.dll
Short name:
Date (created): 11/21/2003 3:04:52 PM
Date (last access): 10/22/2006 4:42:12 AM
Date (last write): 11/21/2003 3:04:52 PM
Filesize: 126976
Attributes: archive
MD5: AA25220AFA13EECBE417A96DFEE4DF88
CRC32: BF3755F7
Version: 7.0.1.11

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
BHO name: NAV Helper
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/
info source: TonyKlein
Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
Long name: NAVSHEXT.DLL
Short name:
Date (created): 9/28/2004 3:24:36 PM
Date (last access): 10/22/2006 4:44:18 AM
Date (last write): 12/4/2003 7:22:30 PM
Filesize: 103368
Attributes: archive
MD5: 65C8A602DFA9D5860F1E328CB8575317
CRC32: 929FB7E0
Version: 10.0.10.13



--- ActiveX list ---
{00000055-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\fhg.inf
Codebase: http://codecs.microsoft.com/codecs/i386/fhg.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{00000161-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\msaudio.inf
Codebase: http://codecs.microsoft.com/codecs/i386/msaudio.cab
description: Microsoft Audio Codec
classification: Legitimate
known filename: MSAUDIO.CAB
info link:
info source: Patrick M. Kolla

{0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate)
DPF name:
CLSID name: Creative Software AutoUpdate
Installer: C:\WINDOWS\Downloaded Program Files\CTSUEng.inf
Codebase: http://www.creative.com/su/ocx/15015/CTSUEng.cab
description:
classification: Legitimate
known filename: CTSUEng.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTSUEng.ocx
Short name:
Date (created): 6/22/2005 7:37:28 PM
Date (last access): 10/11/2006 6:13:02 PM
Date (last write): 6/22/2005 7:37:28 PM
Filesize: 225280
Attributes: archive
MD5: F78ACCCE90722CB62F2D3767BEEBA545
CRC32: 03683A52
Version: 1.50.12.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 11/7/2004 9:31:24 PM
Date (last access): 10/17/2006 8:57:12 PM
Date (last write): 9/9/2004 4:45:18 PM
Filesize: 54488
Attributes: archive
MD5: 12EF836DCCCDD0211F3E09D72812B9C6
CRC32: 8038F1E1
Version: 10.1.0.11

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?LinkID=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 2/14/2006 10:20:14 AM
Date (last access): 10/15/2006 6:24:02 PM
Date (last write): 8/7/2006 9:50:22 AM
Filesize: 1484592
Attributes: archive
MD5: 5E700932C726D5F845AF03478B999749
CRC32: B7C379F2
Version: 1.5.708.0

{3253344D-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\mpg4sax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/mpg4sax.cab

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class)
DPF name:
CLSID name: FilePlanet Download Control Class
Installer:
Codebase: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
description:
classification: Legitimate
known filename: FilePlanetDownloadCtrl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\IGN\Download Manager\
Long name: FPDC.dll
Short name:
Date (created): 5/2/2006 9:43:42 PM
Date (last access): 9/30/2006 2:19:44 AM
Date (last write): 9/11/2006 12:50:26 PM
Filesize: 353968
Attributes: archive
MD5: DFB5A258E773AC531874D2238BDE3A97
CRC32: 7D6C5C73
Version: 2.3.0.97

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 2:52:58 PM
Date (last access): 9/19/2006 1:24:06 AM
Date (last write): 11/10/2005 2:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

tashi
2006-10-22, 20:04
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi142_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 11/19/2003 4:48:18 PM
Date (last access): 6/11/2006 8:12:10 AM
Date (last write): 11/19/2003 4:48:12 PM
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 1.4.2.30

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_03
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_03\bin\
Long name: NPJPI150_03.dll
Short name: NPJPI1~1.DLL
Date (created): 4/13/2005 4:48:56 AM
Date (last access): 6/11/2006 8:12:24 AM
Date (last write): 4/13/2005 5:06:32 AM
Filesize: 69746
Attributes: archive
MD5: 13FCA03EBCA6E1F8C6481166C516D1FE
CRC32: 868C298F
Version: 5.0.30.7

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 2:52:58 PM
Date (last access): 10/22/2006 5:02:36 AM
Date (last write): 11/10/2005 2:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 2:52:58 PM
Date (last access): 10/22/2006 5:02:36 AM
Date (last write): 11/10/2005 2:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9.ocx
Short name:
Date (created): 6/22/2006 2:44:20 PM
Date (last access): 10/22/2006 4:47:48 AM
Date (last write): 6/22/2006 2:44:20 PM
Filesize: 2201224
Attributes: readonly archive
MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
CRC32: B7385E3B
Version: 9.0.16.0

{E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class)
DPF name:
CLSID name: Quantum Streaming IE Player Class
Installer: C:\WINDOWS\Downloaded Program Files\qsp2ie.inf
Codebase: http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
description:
classification: Open for discussion
known filename: QSP2IE05111501.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\Documents and Settings\All Users\Application Data\Move Networks\
Long name: qsp2ie06071909.dll
Short name: QSP2IE~1.DLL
Date (created): 10/6/2006 3:05:12 PM
Date (last access): 10/15/2006 2:09:12 AM
Date (last write): 7/19/2006 10:05:48 AM
Filesize: 706880
Attributes: archive
MD5: 63AD7297A8723DC4C88F47B9732AE1C7
CRC32: 1F03D69D
Version: 1.0.0.1

{F6ACF75C-C32C-447B-9BEF-46B766368D29} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\CTPID.inf
Codebase: http://www.creative.com/su/ocx/15016/CTPID.cab
description:
classification: Legitimate
known filename: CTPID.ocx
info link:
info source: Safer Networking Ltd.



--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 10/22/2006 5:02:35 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dell4me.com/myway
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

<Snip> Removed Winsock list
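
The report above is the plain-text format Spybot-S&D 1.4 exports: sections delimited by "--- name ---", blank-line-separated entries made of "key: value" lines. As an added example, not part of the thread and not Spybot's own code, here is a small triage script run over an excerpt of that report (the excerpt is constructed from the entries above, not a complete copy). It flags three things a helper would look at first: Security Center AntiVirusOverride/FirewallOverride values reported as non-zero (a non-zero value suppresses the XP SP2 warning that anti-virus or firewall protection is off), Winlogon Notify entries (listed under System.ini) whose command is a full path rather than a bare DLL name like the stock ones, and BHOs that carry no classification, CLSID name or version. The "full path" and "unclassified" rules are heuristics chosen for this example, not Spybot rules.

```python
import re
from dataclasses import dataclass

# Excerpt of the Spybot-S&D 1.4 report posted above, cut down to a few entries
# per section so the example runs offline (constructed from the log).
REPORT = r"""
--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

Located: System.ini, crypt32chain
command: crypt32.dll

Located: System.ini, geeda
command: C:\WINDOWS\System32\geeda.dll

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
CLSID name: AcroIEHlprObj Class
classification: Legitimate
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Version: 6.0.1.1091

{80A44721-A513-46AC-8651-628A9C8C34A4} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: nowlnwjs.dll
MD5: 8285D2F94549579E5D5477862C93FFE7
"""

SECTION_RE = re.compile(r"^--- (.+?) ---$")
OVERRIDE_RE = re.compile(r"Security Center\\(\w+Override)!=dword:0")


@dataclass
class Finding:
    section: str
    item: str
    reason: str


def parse_report(text):
    """Split the report into {section: [block, ...]}; a block is the list of
    consecutive non-blank lines that make up one entry."""
    sections, current, block = {}, None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            if current and block:
                sections[current].append(block)
            current, block = m.group(1), []
            sections.setdefault(current, [])
        elif current is None:
            continue
        elif line.strip():
            block.append(line.rstrip())
        elif block:
            sections[current].append(block)
            block = []
    if current and block:
        sections[current].append(block)
    return sections


def fields(block):
    """'key: value' lines after the block header, keyed in lower case."""
    out = {}
    for line in block[1:]:
        key, sep, val = line.partition(":")
        if sep:
            out[key.strip().lower()] = val.strip()
    return out


def triage(text):
    findings = []
    sections = parse_report(text)
    # 1. Security Center overrides: Spybot prints the key with "!=dword:0" when
    #    the value is not the default 0, i.e. the AV/firewall warning is silenced.
    for block in sections.get("Search result list", []):
        for line in block:
            m = OVERRIDE_RE.search(line)
            if m:
                findings.append(Finding("Search result list", m.group(1),
                                        "Security Center warning suppressed"))
    # 2. Winlogon Notify DLLs (Spybot lists them under "System.ini"): stock entries
    #    are bare names; a full path is a heuristic flag chosen for this example.
    for block in sections.get("Startup entries list", []):
        if block[0].startswith("Located: System.ini,"):
            name = block[0].split(",", 1)[1].strip()
            cmd = fields(block).get("command", "")
            if "\\" in cmd:
                findings.append(Finding("Startup entries list", name,
                                        f"Notify DLL given by full path: {cmd}"))
    # 3. BHOs with no classification, CLSID name or version: unknown code that
    #    IE loads into every browser process.
    for block in sections.get("Browser helper object list", []):
        f = fields(block)
        if not (f.get("classification") or f.get("clsid name") or f.get("version")):
            findings.append(Finding("Browser helper object list", block[0].split()[0],
                                    f"unclassified BHO {f.get('long name')} in {f.get('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

On the excerpt this reports the two Security Center overrides, the "geeda" Notify entry and the {80A44721-...} BHO, and stays quiet about the ATI, crypt32chain and Acrobat entries; whether a flagged item is actually malicious still needs the HJT log and a look at the file itself.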

tashi
2006-10-22, 22:29
Hi Stealth-Ghost.

Please run the Spybot-S&D and on-line anti virus scans (separately) as shown here:

"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the malware forum so we can take a look with HJT:
Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Once you have posted, a helper will take a look at the logs as soon as available and give any further instructions necessary.

Also, you have old versions of Sun Java showing in the Spybot-S&D log, please see:

Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2 )

Cheers.

DougH
2009-01-14, 10:40
Hello

As for SpyHunter, please see:
Note on Enigma SpyHunter:
Rogue/Suspect Anti-Spyware Products & Web Sites (http://www.spywarewarrior.com/rogue_anti-spyware.htm#notes)

I believe SpyHunter is no longer on the list.