| Thread ID: 85628 | 2007-12-16 20:35:00 | Google diverted to other sites. | Ghastly (13168) | Press F1 |
| Post ID | Timestamp | Content | User |
| 621858 | 2007-12-16 20:35:00 | Hi, this is my first post here, I hope someone can help. My computer was infected with Adware. We have fixed one of the problems but I still have one. When I do a Google search and click on one of the results, it momentarily goes to the right page but then gets diverted to one of three objectionable sites: webcry.com, btcar.com and easywebsearch. I have run SpyBot Search and Destroy and Prevxcsi but they didn't find anything. Further internet searching finds people saying to do a HijackThis scan and post it to an expert. So here it is: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:38:41 a.m., on 17/12/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\lkcitdl.exe C:\WINDOWS\System32\lkads.exe C:\WINDOWS\System32\lktsrv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\National Instruments\MAX\nimxs.exe C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe C:\WINDOWS\System32\nisvcloc.exe C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe C:\WINDOWS\System32\CCM\CcmExec.exe C:\WINDOWS\system32\nipalsm.exe C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\WINDOWS\system32\nipalsm.exe C:\WINDOWS\TEMP\FH563.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Microsoft Office Communicator\Communicator.exe C:\tec5\SDACQ32\SDACQ32AdminTray.exe \Rua-d-422564\c$\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intraweb.hortresearch.co.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intraweb.hortresearch.co.nz R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hort.net.nz:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sap.hort.net.nz,https: O1 - Hosts: 202.36.135.65 ZENWSIMPORT O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\prosearchsite.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [HRCommunicator] "C:\Program Files\Microsoft Office Communicator\HRCommunicator.exe" O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [Application Explorer] C:\Program Files\Novell\ZENworks\NALDESK.EXE O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: SDACQ32AdminTray.lnk = C:\tec5\SDACQ32\SDACQ32AdminTray.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O14 - IERESET.INF: START_PAGE_URL=http://intraweb.hortresearch.co.nz O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hort.net.nz O17 - HKLM\Software\..\Telephony: DomainName = hort.net.nz O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hort.net.nz O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\System32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\System32\lktsrv.exe O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\System32\nisvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe O23 - Service: SIxCmd Service (SIxCmdSvc) - Unknown owner - C:\WINDOWS\system32\xCmdSvc.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe | Ghastly (13168) |
| 621859 | 2007-12-16 20:58:00 | What's O23 - Service: SIxCmd Service (SIxCmdSvc) - Unknown owner - C:\WINDOWS\system32\xCmdSvc.exe ? | gum digger (6100) |
| 621860 | 2007-12-16 21:05:00 | Run HJT again, tick these entries, then tick "Fix checked". Close browser/s. I don't know what these belong to. Do you? C:\WINDOWS\TEMP\FH563.EXE C:\tec5\SDACQ32\SDACQ32AdminTray.exe O1 - Hosts: 202.36.135.65 ZENWSIMPORT O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\prosearchsite.dll This is safe: O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Don't know what this file is or does: O4 - Global Startup: SDACQ32AdminTray.lnk = C:\tec5\SDACQ32\SDACQ32AdminTray.exe If you didn't do this, tick these: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Does control panel / task manager / regedit open? Did you add these? O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hort.net.nz O17 - HKLM\Software\..\Telephony: DomainName = hort.net.nz O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hort.net.nz | Speedy Gonzales (78) |
| 621861 | 2007-12-16 21:19:00 | Neither of these looks very good to my eyes either: O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\prosearchsite.dll O23 - Service: SIxCmd Service (SIxCmdSvc) - Unknown owner - C:\WINDOWS\system32\xCmdSvc.exe Unless you installed them. Don't take my word for it, but I'd be suspicious of them. | Thebananamonkey (7741) |
| 621862 | 2007-12-16 23:45:00 | SIxCmd Service appears to be safe (though it would probably be best to get rid of it anyway with unknown owner). e404 helper/prosearchsite.dll isn't: Summary of E404.EXE Adware.E404 Helper/Hij.Process Company Information Unknown Description of E404.EXE Adware component Adware applications, toolbars and browser extensions may serve advertisements even while you are not surfing the Internet. This application may serve various types of advertising, not limited to pop-up ads. Threat Level (1-10) 6 Processes E404.EXE | bevy121 (117) |
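The triage the replies above do by hand (a service with "Unknown owner", an executable running from TEMP, a BHO loaded from an unfamiliar folder) can be expressed as a small check over HijackThis-format lines. This is an added example, not code from the thread or from HijackThis; SAMPLE_LOG is constructed from entry formats seen in the posted log, and TRUSTED_BHO_DIRS is an assumption for this example, not a general allowlist.

```python
# Added example, not code from the thread: triage HijackThis-style log lines with the
# heuristics the replies apply by hand. SAMPLE_LOG is constructed from the thread's entry formats.
import re

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Folders a BHO is expected to load from here (an assumption for this example, not a general allowlist).
TRUSTED_BHO_DIRS = (r"c:\program files\google", r"c:\program files\adobe",
                    r"c:\windows\system32")

SAMPLE_LOG = r"""C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\TEMP\FH563.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\prosearchsite.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O23 - Service: SIxCmd Service (SIxCmdSvc) - Unknown owner - C:\WINDOWS\system32\xCmdSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

def classify(line):
    """Return a review reason for one log line, or None if nothing stands out."""
    line = line.strip()
    match = ENTRY_RE.match(line)
    if not match:
        # No "Onn -" prefix: treat it as a bare path from the "Running processes" section.
        if "\\temp\\" in line.lower():
            return "process running from a TEMP folder"
        return None
    code, rest = match.groups()
    if code == "O23" and "- Unknown owner -" in rest:
        return "service with no publisher (Unknown owner)"
    if code == "O2":
        # O2 format: "BHO: <name> - {CLSID} - <dll path>"; the path is the last field.
        dll = rest.rsplit(" - ", 1)[-1].strip().lower()
        if not dll.startswith(TRUSTED_BHO_DIRS):
            return "BHO loaded from an unfamiliar folder"
    if code == "O4":
        # O4 format: "<hive>\..\Run: [<name>] <command>"; only the command part matters.
        command = rest.split("]", 1)[-1].lower()
        if "\\temp\\" in command:
            return "autorun entry launching from a TEMP folder"
    return None

def triage(log_text):
    """Return [(line, reason)] for every line of a HijackThis log that merits review."""
    return [(raw.strip(), reason) for raw in log_text.splitlines()
            if (reason := classify(raw))]
```

Run over SAMPLE_LOG, triage() returns the three entries the thread singled out (the TEMP executable, the e404 BHO and the SIxCmd service) and passes the Google BHO and the Trend Micro service.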
| 621863 | 2007-12-17 02:22:00 | Thanks for all the replies. I didn't know what to try so I asked our computer support guy to have a look at your answers. We tried using Google and it didn't get redirected this time. Last week it was almost always being redirected but sometimes it wouldn't get redirected. The computer support guy said to delete prosearchsite.dll. He did that using unlock.exe. Anyway, it appears Google does not get redirected anymore so I am happy. I don't know whether it was me booting the computer this morning (and the Spybot scan) that fixed it or deleting prosearchsite.dll. Thanks for the amazing response. | Ghastly (13168) |