| Thread ID: 96506 | 2009-01-12 17:46:00 | Browser Redirecting. | Mr Deck (14501) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 738057 | 2009-01-12 17:46:00 | Hi all. I have been searching the net for a fix for this problem but I have just got more confused. Here is what is happening: when I google anything the browser takes me to other websites such as Yell.com and eBay sites which have nothing to do with the search. This happens in IE and Firefox. Here is the printout of HijackThis (I have no clue what to remove, if anything, in the list).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:11, on 12/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.101tricks.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - kiw.imgag.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 5838 bytes

If the above does not help, where can I find the BUG!! that is causing the problem? Thank you in advance for any help. Take care all |
Mr Deck (14501) | ||
| 738058 | 2009-01-12 17:54:00 | Welcome to PF1 Mr Deck. Tick these entries, then tick "fix checked". Close browsers.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

This may be suss:
O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"

Then get Malwarebytes and Trojan Remover below. Update both, then scan. Then select all options under utilities in Trojan Remover. |
Speedy Gonzales (78) | ||
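The reply above picks entries out of the HijackThis log by eye: a BHO whose DLL is "(no file)", and an autostart that launches from a user's AppData folder rather than Program Files. The script below is an added example, not code from the thread, from Press F1 or from HijackThis; it turns those two checks, plus a third for an O23 service whose publisher HijackThis reports as "Unknown owner", into a small triage pass over log lines. The sample lines are copied from the log posted above; the check names, the `Finding` type and the regular expressions are this example's own assumptions about the log format.

```python
"""Triage of HijackThis-style log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: seven entries lifted from the posted log, one benign
# and one suspect line per category so each check has something to miss.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# An autostart command whose binary lives under a per-user profile (AppData).
USER_APPDATA_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                                    # section code, e.g. "O4"
    line: str                                    # the original log line
    reasons: List[str] = field(default_factory=list)


def autostart_command(body: str) -> str:
    """Return the command after the '[Name]' part of an O4 entry, unquoted."""
    m = re.search(r"\]\s*(.*)$", body)
    return m.group(1).strip().strip('"') if m else ""


def check_entry(line: str) -> Optional[Finding]:
    """Apply the thread's three heuristics to one line; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    finding = Finding(kind=kind, line=line.strip())

    # O2: a BHO is still registered but its DLL is gone (orphaned entry).
    if kind == "O2" and body.endswith("(no file)"):
        finding.reasons.append("BHO registered but its DLL is missing")

    # O4: a Run/RunOnce value launches something from the user's AppData.
    if kind == "O4" and USER_APPDATA_RE.search(autostart_command(body)):
        finding.reasons.append("autostart launches from a user profile AppData folder")

    # O23: HijackThis could not attribute the service binary to a publisher.
    if kind == "O23" and " - Unknown owner - " in body:
        finding.reasons.append("service binary has no identifiable publisher")

    return finding


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that tripped at least one check, in log order."""
    results = []
    for line in log_text.strip().splitlines():
        f = check_entry(line)
        if f and f.reasons:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>3}  {'; '.join(f.reasons)}\n      {f.line}")
```

Run against the sample it reports exactly the three lines the reply singles out (the orphaned BHO, the AppData Manager.exe autostart and the unattributed PSIService.exe service) and leaves the Defender, WMPNSCFG and PCguard lines alone. A flagged entry is a reason to look closer, not proof of infection: the checks are deliberately conservative and say nothing about entries they do not match.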
| 738059 | 2009-01-12 18:50:00 | Hi Speedy. Thank you for the quick reply. Still no luck, unfortunately. I have run the 2 programs but it is still redirecting me. I am going to try and record what is happening on my browser. At the bottom it says ETACH while browsing, and a load of other stuff as well. If I record it, maybe someone will make some sense of it. I will kill it before it kills me lol. Take care all. Pat |
Mr Deck (14501) | ||
| 738060 | 2009-01-12 18:53:00 | Post a pic / snapshot if you can here (imagef1.net.nz). Uninstall this:

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe

Uninstall Ad-Aware and Pest Control, and install Avast Home. |
Speedy Gonzales (78) | ||
| 738061 | 2009-01-12 22:14:00 | Hiya. OK, it says at the bottom of the browser "Transferring data from Google to www.ecata.info", then Ecata moves that to other random sites. If that makes sense? |
Mr Deck (14501) | ||
| 738062 | 2009-01-12 22:39:00 | You may have trojan.dnschanger. After you did a scan with Malwarebytes, if it picked anything up, did you click on show results, tick whatever, then click on remove selected to remove it? Close the browser while you do this. |
Speedy Gonzales (78) | ||
| 738063 | 2009-01-13 08:16:00 | Hi Speedy. It's 8 am here in the not so sunny UK, but the browser seems to be working fine. Just for the record: whatever it was redirects the Google search pages to other websites in a new tab; when you do a second search you may hit the page you want. It slows the browser down as well, in my case about 40%. However, I am on Virgin super fast, so for me it's not too bad. Scan results below for future reference:

***** THE SYSTEM HAS BEEN RESTARTED *****
12/01/2009 18:23:59: Trojan Remover has been restarted
----------
Cleaning up TDSS keys/files:
C:\Windows\system32\drivers\msqpdxvmppkybw.sys - deleted
C:\Windows\system32\msqpdxvfceispt.dll - deleted
----------
=======================================================
Removing the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys - removed
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msqpdxvmppkybw.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msqpdxvmppkybw.sys - already removed (or did not exist)
=======================================================
12/01/2009 18:23:59: Trojan Remover closed

************************************************************

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.5.2560. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 18:17:53 12 Jan 2009
Using Database v7258
Operating System: Windows Vista SP1 [Windows Vista Service Pack 1 (Build 6001)]
Edition: Windows Vista (TM) Home Premium
File System: NTFS
User Account Control is Enabled.
Data directory: C:\Users\Pat\AppData\Roaming\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Users\Pat\Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges
************************************************************
The following Anti-Malware program(s) are loaded:
Microsoft Windows Defender
************************************************************
************************************************************
18:17:53: Scanning ----------WIN.INI-----------
WIN.INI found in C:\Windows
************************************************************
18:17:53: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\Windows
************************************************************
18:17:53: ----- SCANNING FOR ROOTKIT SERVICES -----
Hidden Service Keyname: msqpdxserv.sys
Hidden Service: \systemroot\system32\drivers\msqpdxvmppkybw.sys
C:\Windows\system32\drivers\msqpdxvmppkybw.sys 74240 bytes
Created: 07/01/2009 Modified: 07/01/2009
Company: [no info]
Entry has been scheduled for deletion when the PC is restarted
C:\Windows\system32\drivers\msqpdxvmppkybw.sys - no action requested on this file
----------
************************************************************
18:18:44: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: explorer.exe
C:\Windows\explorer.exe 2927104 bytes
Created: 12/12/2008 Modified: 29/10/2008
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe 25088 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Windows Defender
Value Data: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
C:\Program Files\Windows Defender\MSASCui.exe 1008184 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
Value Name: RtHDVCpl
Value Data: RtHDVCpl.exe
C:\Windows\RtHDVCpl.exe 4702208 bytes
Created: 25/10/2007 Modified: 25/10/2007
Company: Realtek Semiconductor
--------------------
Value Name: MSConfig
Value Data: "C:\Windows\system32\msconfig.exe" /auto
C:\Windows\system32\msconfig.exe 227840 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
C:\Windows\system32\NvCpl.dll 13539872 bytes
Created: 22/05/2008 Modified: 22/05/2008
Company: NVIDIA Corporation
--------------------
Value Name: NvMediaCenter
Value Data: RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
C:\Windows\system32\NvMcTray.dll 92704 bytes
Created: 22/05/2008 Modified: 22/05/2008
Company: NVIDIA Corporation
--------------------
Value Name: PCguard
Value Data: "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
C:\Program Files\Virgin Broadband\PCguard\Rps.exe 310000 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Virgin Media
--------------------
Value Name: -FreedomNeedsReboot
Value Data: "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe 13552 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Virgin Media
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre6\bin\jusched.exe"
C:\Program Files\Java\jre6\bin\jusched.exe 136600 bytes
Created: 16/12/2008 Modified: 16/12/2008
Company: Sun Microsystems, Inc.
--------------------
Value Name: Corel File Shell Monitor
Value Data: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe 16200 bytes
Created: 30/10/2007 Modified: 30/10/2007
Company: Corel, Inc.
--------------------
Value Name: QuickTime Task
Value Data: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
C:\Program Files\QuickTime\QTTask.exe 413696 bytes
Created: 04/11/2008 Modified: 04/11/2008
Company: Apple Inc.
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe 1231752 bytes
Created: 12/01/2009 Modified: 01/01/2009
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: WMPNSCFG
Value Data: C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe 202240 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: IndexCleaner
Value Data: "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe 61168 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Virgin Media
--------------------
************************************************************
18:18:48: Scanning -----SHELLEXECUTEHOOKS-----
ShellExecuteHooks key is empty
************************************************************
18:18:48: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------
************************************************************
18:18:48: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.
************************************************************
18:18:48: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
************************************************************
18:18:48: Scanning ----- SERVICEDLL REGISTRY KEYS -----
************************************************************
18:18:53: Scanning ----- SERVICES REGISTRY KEYS -----
Key: 61883
ImagePath: system32\DRIVERS\61883.sys
C:\Windows\system32\DRIVERS\61883.sys 45696 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: aawservice
ImagePath: "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe 611664 bytes
Created: 10/09/2008 Modified: 10/09/2008
Company: Lavasoft
----------
Key: Apple Mobile Device
ImagePath: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 132424 bytes
Created: 07/11/2008 Modified: 07/11/2008
Company: Apple Inc.
----------
Key: Avc
ImagePath: system32\DRIVERS\avc.sys
C:\Windows\system32\DRIVERS\avc.sys 40448 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: blbdrive
ImagePath: \SystemRoot\system32\drivers\blbdrive.sys - file is missing - alert is globally excluded
----------
Key: CSS DVP
ImagePath: system32\DRIVERS\css-dvp.sys
C:\Windows\system32\DRIVERS\css-dvp.sys 835792 bytes
Created: 19/10/2008 Modified: 26/11/2007
Company: Authentium, Inc
----------
Key: dvpapi
ImagePath: "C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe"
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe -R- 177448 bytes
Created: 27/11/2007 Modified: 27/11/2007
Company: Authentium, Inc.
----------
Key: ialm
ImagePath: system32\DRIVERS\igdkmd32.sys
C:\Windows\system32\DRIVERS\igdkmd32.sys 1380864 bytes
Created: 02/11/2006 Modified: 19/10/2006
Company: Intel Corporation
----------
Key: IpInIp
ImagePath: system32\DRIVERS\ipinip.sys - file is missing - alert is globally excluded
----------
Key: irsir
ImagePath: system32\DRIVERS\irsir.sys
C:\Windows\system32\DRIVERS\irsir.sys 20992 bytes
Created: 02/11/2006 Modified: 02/11/2006
Company: Microsoft Corporation
----------
Key: ITMRTSVC
ImagePath: "C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe"
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe 280080 bytes
Created: 19/12/2006 Modified: 19/12/2006
Company: CA, Inc.
----------
Key: MarvinBus
ImagePath: system32\DRIVERS\MarvinBus.sys
C:\Windows\system32\DRIVERS\MarvinBus.sys 171520 bytes
Created: 23/09/2005 Modified: 23/09/2005
Company: Pinnacle Systems GmbH
----------
Key: MSDV
ImagePath: system32\DRIVERS\msdv.sys
C:\Windows\system32\DRIVERS\msdv.sys 52608 bytes
Created: 20/10/2008 Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: msiserver
ImagePath: %systemroot%\system32\msiexec /V
----------
Key: NETw3v32
ImagePath: system32\DRIVERS\NETw3v32.sys
C:\Windows\system32\DRIVERS\NETw3v32.sys 1781760 bytes
Created: 02/11/2006 Modified: 02/11/2006
Company: Intel® Corporation
----------
Key: nvstor
ImagePath: system32\drivers\nvstor.sys
C:\Windows\system32\drivers\nvstor.sys 40040 bytes
Created: 02/11/2006 Modified: 02/11/2006
Company: NVIDIA Corporation
----------
Key: nvstor32
ImagePath: system32\DRIVERS\nvstor32.sys
C:\Windows\system32\DRIVERS\nvstor32.sys 110624 bytes
Created: 26/10/2007 Modified: 26/10/2007
Company: NVIDIA Corporation
----------
Key: nvsvc
ImagePath: %SystemRoot%\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe 118784 bytes
Created: 22/05/2008 Modified: 22/05/2008
Company: NVIDIA Corporation
----------
Key: NwlnkFlt
ImagePath: system32\DRIVERS\nwlnkflt.sys - file is missing - alert is globally excluded
----------
Key: NwlnkFwd
ImagePath: system32\DRIVERS\nwlnkfwd.sys - file is missing - alert is globally excluded
----------
Key: PAC207
ImagePath: system32\DRIVERS\PFC027.SYS
C:\Windows\system32\DRIVERS\PFC027.SYS 508160 bytes
Created: 29/05/2007 Modified: 29/05/2007
Company: PixArt Imaging Inc.
----------
Key: PDAgent
ImagePath: "C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe 414984 bytes
Created: 28/04/2008 Modified: 28/04/2008
Company: Raxco Software, Inc.
----------
Key: PDEngine
ImagePath: "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe 738568 bytes
Created: 28/04/2008 Modified: 28/04/2008
Company: Raxco Software, Inc.
----------
Key: ProtexisLicensing
ImagePath: C:\Windows\system32\PSIService.exe
C:\Windows\system32\PSIService.exe 177704 bytes
Created: 05/06/2007 Modified: 05/06/2007
Company:
----------
Key: Radialpoint Security Services
ImagePath: C:\Windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
C:\Windows\system32\dllhost.exe 7168 bytes
Created: 02/11/2006 Modified: 02/11/2006
Company: Microsoft Corporation
----------
Key: RPPKT
ImagePath: system32\DRIVERS\rp_pkt32.sys
C:\Windows\system32\DRIVERS\rp_pkt32.sys 48384 bytes
Created: 19/10/2008 Modified: 19/04/2007
Company: Radialpoint, Inc.
----------
Key: RPSKT
ImagePath: system32\DRIVERS\rp_skt32.sys
C:\Windows\system32\DRIVERS\rp_skt32.sys 53192 bytes
Created: 19/10/2008 Modified: 19/10/2008
Company: Radialpoint Inc.
----------
Key: RPSUpdaterR
ImagePath: C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe 99056 bytes
Created: 05/09/2007 Modified: 19/10/2008
Company: Radialpoint Inc.
----------
Key: RP_FWS
ImagePath: C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe 293104 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Virgin Media
----------
Key: RTL8023xp
ImagePath: system32\DRIVERS\Rtnicxp.sys
C:\Windows\system32\DRIVERS\Rtnicxp.sys 47104 bytes
Created: 02/11/2006 Modified: 02/11/2006
Company: Realtek Semiconductor Corporation
----------
Key: snpstd
ImagePath: system32\DRIVERS\snpstd.sys
C:\Windows\system32\DRIVERS\snpstd.sys 299776 bytes
Created: 18/02/2004 Modified: 18/02/2004
Company:
----------
Key: usnjsvc
ImagePath: "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
C:\Program Files\Windows Live\Messenger\usnsvc.exe 98328 bytes
Created: 18/10/2007 Modified: 18/10/2007
Company: Microsoft Corporation
----------
Key: WLSetupSvc
ImagePath: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
C:\Program Files\Windows Live\installer\WLSetupSvc.exe 266240 bytes
Created: 25/10/2007 Modified: 25/10/2007
Company: Microsoft Corporation
----------
************************************************************
18:19:02: Scanning -----VXD ENTRIES-----
************************************************************
18:19:02: Scanning ----- WINLOGON\NOTIFY DLLS -----
No WINLOGON\NOTIFY DLLs found to scan
************************************************************
18:19:02: Scanning ----- CONTEXTMENUHANDLERS -----
Key: 7-Zip
CLSID: {23170F69-40C1-278A-1000-000100020000}
Path: C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\7-Zip\7-zip.dll 69632 bytes
Created: 06/12/2007 Modified: 06/12/2007
Company: Igor Pavlov
----------
Key: MagicISO
CLSID: {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
Path: C:\Program Files\MagicISO\misosh.dll
C:\Program Files\MagicISO\misosh.dll 20992 bytes
Created: 18/11/2008 Modified: 05/06/2006
Company: MagicISO, Inc.
----------
Key: {FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
Path: C:\Program Files\Virgin Broadband\PCguard\AVCntxtR.dll
C:\Program Files\Virgin Broadband\PCguard\AVCntxtR.dll 106736 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Radialpoint Inc.
----------
************************************************************
18:19:02: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
File: "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"
C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll 357888 bytes
Created: 28/08/2008 Modified: 28/08/2008
Company: Sun Microsystems, Inc.
----------
************************************************************
18:19:03: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 63128 bytes
Created: 12/01/2006 Modified: 12/01/2006
Company: Adobe Systems Incorporated
----------
Key: {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
BHO: C:\Program Files\Virgin Broadband\PCguard\pkR.dll
C:\Program Files\Virgin Broadband\PCguard\pkR.dll 55024 bytes
Created: 05/09/2007 Modified: 05/09/2007
Company: Radialpoint Inc.
----------
Key: {53707962-6F74-2D53-2644-206D7942484F}
BHO: C:\PROGRA~1\SPYBOT~1\SDHelper.dll
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - file is excluded from scanning [SPYBOT S&D file]
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Program Files\Java\jre6\bin\ssv.dll
C:\Program Files\Java\jre6\bin\ssv.dll 320920 bytes
Created: 16/12/2008 Modified: 16/12/2008
Company: Sun Microsystems, Inc.
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll 328752 bytes
Created: 20/09/2007 Modified: 20/09/2007
Company: Microsoft Corporation
----------
Key: {DBC80044-A445-435b-BC74-9C25C1C588A9}
BHO: C:\Program Files\Java\jre6\bin\jp2ssv.dll
C:\Program Files\Java\jre6\bin\jp2ssv.dll 34816 bytes
Created: 16/12/2008 Modified: 16/12/2008
Company: Sun Microsystems, Inc.
----------
************************************************************
18:19:04: Scanning ----- SHELLSERVICEOBJECTS -----
************************************************************
18:19:04: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
************************************************************
18:19:04: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.
************************************************************
18:19:04: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist
************************************************************
18:19:04: Scanning ----- SECURITY PROVIDER DLLS -----
************************************************************
18:19:04: Scanning ------ COMMON STARTUP GROUP ------
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -HS- 174 bytes
Created: 02/11/2006 Modified: 20/10/2008
Company: [no info]
--------------------
************************************************************
18:19:05: Scanning ----- USER STARTUP GROUPS -----
Checking Startup Group for: Pat
[C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -HS- 174 bytes
Created: 19/10/2008 Modified: 19/10/2008
Company: [no info]
----------
--------------------
************************************************************
18:19:05: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan
************************************************************
18:19:05: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
No ShellIconOverlayIdentifiers Registry key found to scan
************************************************************
18:19:05: ----- ADDITIONAL CHECKS -----
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Checking autorun.inf in D:\
D:\autorun.inf -RHS- 255 bytes
Created: 07/01/2009 Modified: 07/01/2009
Company: [no info]
D:\autorun.inf ShellExecute entry: ["resycled\boot.com d:"]
D:\resycled\boot.com -RHS- 30720 bytes
Created: 12/11/2008 Modified: 06/01/2009
Company: [no info]
D:\autorun.inf - READ-ONLY, HIDDEN and SYSTEM file attributes removed
D:\autorun.inf - file renamed to: D:\autorun.inf.vir
----------
--------------------
Desktop Wallpaper: C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg 228863 bytes
Created: 02/11/2006 Modified: 24/10/2008
Company: [no info]
----------
Web Desktop Wallpaper: %SystemDrive%\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg 228863 bytes
Created: 02/11/2006 Modified: 24/10/2008
Company: [no info]
----------
Checks for rogue DNS NameServers completed
Checking for specific malicious files:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll - Trojan.Agent
C:\Program Files\Mozilla Firefox\components\iamfamous.dll - file renamed to: C:\Program Files\Mozilla Firefox\components\iamfamous.dll.vir
----------
----------
Additional checks completed
************************************************************
18:19:40: Scanning ----- RUNNING PROCESSES -----
C:\Windows\System32\smss.exe [1 loaded module]
--------------------
C:\Windows\system32\csrss.exe [13 loaded modules in total]
--------------------
C:\Windows\system32\wininit.exe [25 loaded modules in total]
--------------------
C:\Windows\system32\csrss.exe [13 loaded modules in total]
--------------------
C:\Windows\system32\services.exe [37 loaded modules in total]
--------------------
C:\Windows\system32\lsass.exe [61 loaded modules in total]
--------------------
C:\Windows\system32\lsm.exe [21 loaded modules in total]
--------------------
C:\Windows\system32\winlogon.exe [29 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe [46 loaded modules in total]
--------------------
C:\Windows\system32\nvvsvc.exe - file already scanned [23 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [42 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned [59 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned [67 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned [123 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [152 loaded modules in total]
--------------------
C:\Windows\system32\SLsvc.exe [25 loaded modules in total]
--------------------
C:\Windows\system32\rundll32.exe [41 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [91 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\Fws.exe - file already scanned [69 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [95 loaded modules in total]
--------------------
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe - file already scanned [30 loaded modules in total]
--------------------
C:\Windows\system32\Dwm.exe [36 loaded modules in total]
--------------------
C:\Windows\Explorer.EXE - file already scanned [163 loaded modules in total]
--------------------
C:\Program Files\Windows Defender\MSASCui.exe - file already scanned [41 loaded modules in total]
--------------------
C:\Windows\RtHDVCpl.exe - file already scanned [46 loaded modules in total]
--------------------
C:\Windows\System32\rundll32.exe [30 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\RPS.exe - file already scanned [159 loaded modules in total]
--------------------
C:\Program Files\Windows Media Player\wmpnscfg.exe - file already scanned [28 loaded modules in total]
--------------------
C:\Windows\System32\spoolsv.exe [78 loaded modules in total]
--------------------
C:\Windows\system32\taskeng.exe [76 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [63 loaded modules in total]
--------------------
C:\Windows\system32\taskeng.exe [47 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe [29 loaded modules in total]
--------------------
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe - file already scanned [29 loaded modules in total]
--------------------
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe - file already scanned [21 loaded modules in total]
--------------------
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe - file already scanned [34 loaded modules in total]
--------------------
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe - file already scanned [48 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [46 loaded modules in total]
--------------------
C:\Windows\system32\PSIService.exe - file already scanned [25 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned [52 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned [18 loaded modules in total]
--------------------
C:\Windows\system32\SearchIndexer.exe [61 loaded modules in total]
--------------------
C:\Windows\system32\WUDFHost.exe [34 loaded modules in total]
--------------------
C:\Program Files\Windows Media Player\wmpnetwk.exe [93 loaded modules in total]
--------------------
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe - file already scanned [45 loaded modules in total]
--------------------
C:\Windows\system32\wbem\unsecapp.exe [27 loaded modules in total]
--------------------
C:\Windows\system32\wbem\wmiprvse.exe [32 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe - file already scanned [84 loaded modules in total]
--------------------
C:\Windows\system32\dllhost.exe [72 loaded modules in total]
--------------------
C:\Windows\System32\msdtc.exe [54 loaded modules in total]
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe [119 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe [72 loaded modules in total]
--------------------
C:\Windows\system32\NOTEPAD.EXE [20 loaded modules in total]
--------------------
C:\Program Files\Trojan Remover\Rmvtrjan.exe FileSize: 2921336 [This is a Trojan Remover component] [71 loaded modules in total]
--------------------
************************************************************
18:21:13: Checking HOSTS file
No malicious entries were found in the HOSTS file
************************************************************
18:21:13: Scanning ------ %TEMP% DIRECTORY ------
C:\Users\Pat\AppData\Local\Temp\etilqs_Fa1XVkwoJA9dUth1f8Un appears to be in-use/locked
************************************************************
18:21:18: Scanning ------ C:\Windows\Temp DIRECTORY ------
************************************************************
18:21:20: Scanning ------ ROOT DIRECTORY ------
************************************************************
18:21:20: ------ Scan for other files to remove ------
No malware-related files found to remove
************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page": go.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page": %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page": go.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL": go.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL": go.microsoft.com
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page": http://www.101tricks.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page": C:\Windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page": go.microsoft.com
************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 18:21:20 12 Jan 2009
Total Scan time: 00:03:27
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested. They may be in use by Windows, so Trojan Remover needs to restart the system in order to deal with these files.
12/01/2009 18:21:31: restart commenced ************************************************** ********** Malwarebytes' Anti-Malware 1.32 Database version: 1646 Windows 6.0.6001 Service Pack 1 12/01/2009 18:38:16 mbam-log-2009-01-12 (18-38-16).txt Scan type: Quick Scan Objects scanned: 46022 Time elapsed: 4 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Sta rt Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully. Files Infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe (Trojan.Agent) -> Quarantined and deleted successfully. Thank you for your help if anyone ever wants to learn a magic trick or two to impress friends let me know :) I'll stick around the forum just incase I can help anyone out at anytime. Take care all Pat |
Mr Deck (14501) | ||
| 738064 | 2009-01-13 08:24:00 | Ah ha, so it was DNSChanger. Good to hear it's running a lot better! This is what was causing it, the end of the Malwarebytes log:

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe (Trojan.Agent) -> Quarantined and deleted successfully. |
Speedy Gonzales (78) | ||
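A post-cleanup check for the kind of residue a DNSChanger infection leaves behind, added here as an example and not code from this thread, from Trojan Remover or from Malwarebytes. It lists the DNS servers Windows will use on each interface and flags a static NameServer that differs from what DHCP handed out (the redirect mechanism this family relies on), prints any non-comment HOSTS entries, shows the same Internet Explorer start/search values Trojan Remover reported, and lists Run-key entries that launch from a user profile, which is where the removed Manager.exe lived. It assumes an elevated PowerShell 3.0 or later prompt on Vista or newer; the registry paths are the standard TCP/IP, Internet Explorer and Run-key locations, and the script only reads.

```powershell
# Added example (not from the thread): read-only check for DNSChanger residue after cleanup.
# Assumes an elevated PowerShell 3.0+ prompt on Windows Vista or later. All paths below are the
# standard Windows locations; nothing is modified.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

Write-Host '== Per-interface DNS servers (static NameServer differing from DHCP is the DNSChanger footprint) =='
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.NameServer -or $p.DhcpNameServer) {
        [pscustomobject]@{
            Interface  = $_.PSChildName
            StaticDns  = $p.NameServer
            DhcpDns    = $p.DhcpNameServer
            Overridden = ([bool]$p.NameServer) -and ($p.NameServer -ne $p.DhcpNameServer)
        }
    }
} | Format-Table -AutoSize

Write-Host '== Global NameServer override (normally empty) =='
(Get-ItemProperty $tcpip).NameServer

Write-Host '== HOSTS entries other than comments and blank lines =='
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

Write-Host '== Internet Explorer start/search pages (the values Trojan Remover listed) =='
foreach ($hive in 'HKCU', 'HKLM') {
    $ie = Get-ItemProperty "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
    if ($ie) {
        $ie | Select-Object @{ n = 'Hive'; e = { $hive } }, 'Start Page', 'Search Page',
                            Default_Page_URL, Default_Search_URL | Format-List
    }
}

Write-Host '== Run-key entries launching from a user profile (where Manager.exe lived) =='
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '\\Users\\|AppData' } |
            ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
    }
}
```

A clean result on the host is not the end of it: run `ipconfig /flushdns` so cached answers from the rogue servers are dropped, and check the DNS servers configured on the broadband router as well, since DNSChanger variants also rewrote router DNS settings where the admin password was still the default. Any HOSTS entry or static NameServer you do not recognise is worth looking up before removing it, because some security products and ISP tools legitimately set their own.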