TheTechGuide Forum

General Category => Tech Clinic => Topic started by: twinpeaks on May 28, 2005, 05:07:48 PM

Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 28, 2005, 05:07:48 PM
I need some help.

My IE browser has been hijacked and keeps redirecting my home page to allstarsearch.net, and then downloads a bunch of nasties. I've run Ad-Aware and Spy Sweeper, and both detect the infection and then "remove" it, but it keeps coming back. Please help me clean out my system! Below is my HJT scan log. Many thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:07:48 PM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Register Intellihance Pro 4.0.lnk = C:\Program Files\Extensis\Intellihance\Register Intellihance Pro 4.0.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
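As an added illustration (not part of this thread, and not code from HijackThis or any other tool mentioned here): a small Python triage script for HijackThis-format log lines. The sample log embedded in it is constructed from a subset of the entries posted above plus a few benign ones for contrast, and its indicator list (allstarsearch.net and 69.50.182.94) is taken from that log. It flags the same persistence points a helper reads off the log by hand: R0/R1 start and search pages set to the hijack domain, the O1 HOSTS override, the O13 URL prefixes, the O15 Trusted zone additions, and O16 Download Program Files served from a raw IP as a bare .exe. All function and variable names are the example's own.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the log posted above: the hijack domain the R0/R1/O13
# entries point at, and the host serving the O16 Download Program Files.
HIJACK_HOSTS = {"allstarsearch.net", "69.50.182.94"}

# Constructed sample in HijackThis v1.99 format: a subset of the posted entries
# plus benign lines (Spybot's BHO, a NeroCheck Run key, Trend Micro HouseCall).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # "R0 - ...", "O16 - ..."
URL_RE = re.compile(r'https?://[^\s()"]+')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Return (section, body) pairs; header lines and the process list carry no 'Xn - ' prefix and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def url_host(body):
    """Hostname of the first URL in an entry body, or None if the entry carries no URL."""
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def triage(entries, hijack_hosts=HIJACK_HOSTS):
    """Flag the persistence points that keep re-hijacking IE; returns (section, reason, body) triples."""
    findings = []
    for section, body in entries:
        host = url_host(body)
        if section in ("R0", "R1") and host in hijack_hosts:
            findings.append((section, "IE start/search page set to the hijack domain", body))
        elif section == "O1":
            # "Hosts: <name> <address>": anything other than the localhost line is an override
            parts = body.split()
            if len(parts) >= 3 and parts[1].lower() != "localhost":
                findings.append((section, "HOSTS file pins a search domain to another address", body))
        elif section == "O13":
            # IE prepends these prefixes to any bare hostname typed in the address bar
            findings.append((section, "URL prefix override routes typed hostnames through this URL", body))
        elif section == "O15":
            findings.append((section, "host or IP added to the Trusted zone (relaxed security settings)", body))
        elif section == "O16" and host and (IPV4_RE.match(host) or body.lower().endswith(".exe")):
            findings.append((section, "Download Program File fetched from a raw IP or as a bare .exe", body))
    return findings


def triage_log(text):
    """Parse a whole log and return its findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, body in triage_log(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {body}")
```

Run it as a script to print the findings, or call `triage_log()` on a log pasted from HijackThis. Fixing the flagged entries in HijackThis is only part of a cleanup: when settings return after Ad-Aware or Spy Sweeper remove them, something still running is rewriting them, which is why the process list at the top of the log and the Silent Runners report the helper asks for next matter as much as the R/O entries.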
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 12:19:43 AM
Sorry for the delay

Can you do the following please

Download Silent Runners.vbs
http://www.cs.nyu.edu/~vs667/articles/hotoffers_removal/files/SilentRunners.zip

UNZIP the contents to desktop
Double click to run Silent Runners
WAIT for the scan to finish; it will notify you when it's complete

Post back the log that's produced

Also post a fresh Hijackthis log
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 12:39:39 AM
Thanks and here are the logs:

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PPMemCheck" = "c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]
"PestPatrol Control Center" = "c:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"]
"CookiePatrol" = "c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"]
"WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"" ["BillP Studios"]
"TM Outbreak Agent" = ""C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"PCClient.exe" = ""C:\Program Files\Trend Micro\Internet Security\PCClient.exe"" [file not found]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"EPSON Stylus Photo R800" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"" ["SEIKO EPSON CORPORATION"]
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"AvLiteBr" = (no data)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}" = "OmniPass Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" ["FotoNation Inc."]
"{EE337094-9F50-4B8C-9B53-C00F52A3289B}" = "GF Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\LizardTech Shared\lt_lib_gf_iconShellEx.dll" ["LizardTech Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}" = ** INVALID DATA (not CLSID) **

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "%USERPROFILE%\Application Data\Microsoft\Wallpaper1.bmp"


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"WordWeb Pro" -> shortcut to: "C:\Program Files\WordWeb\wweb32.exe" ["Antony Lewis"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"DriveSelect" -> shortcut to: "C:\Program Files\321Studios\Xpress\DriveSelect.exe" [empty string]
"Microsoft Broadband Networking" -> shortcut to: "C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
  -> {CLSID}\(Default) = "hp toolkit"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{3DC8D6D6-AFF0-45CC-A847-E5012F60BA57}\
(Default) = "Instant Source"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Instant Source\isrc.dll" ["Blazing Tools Software"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll" ["Sun Microsystems, Inc."]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
HIJACK WARNING! (Default) = "http://allstarsearch.net/gall.php?url="

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "home" = "http://allstarsearch.net/gall.php?url="
HIJACK WARNING! "mosaic" = "http://allstarsearch.net/gall.php?url="
HIJACK WARNING! "www" = "http://allstarsearch.net/gall.php?url="


HOSTS file
----------

C:\WINDOWS\system32\Drivers\Etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
gearsec, gearsec, "C:\WINDOWS\System32\gearsec.exe" ["GEAR Software"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe" [null data]
Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
----------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 10:38:46 PM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\PAVW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {343348AA-A0B1-15EB-A494-4EF2190ECE42} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {42DC7EFD-083D-304C-FAD4-2A5D297ACDFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4A5C2DAF-B7D1-6706-3809-05BD1D2A43FA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5C144B78-188D-6604-43B1-57873FF4704C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5E3DCBC5-B4E7-27F3-45D2-4D370902C826} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5EC22133-B63B-33DB-6A1D-1BD40536C40B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6FF08C3B-3CFF-6FD2-18A2-01942D2FABCC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 01:13:39 AM
I see you have Ewido installed now; it should take care of a few bad files on your computer.
Can you do the following please

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe)
We'll need this later

==Download and Unzip to a folder Hoster.zip (http://www.funkytoad.com/download/hoster.zip)

==Download and save to desktop or a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As

==Download and UNZIP to desktop IEFix.zip
So you now have IEFix.reg on the desktop
[attachment=246:attachment]

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In Safe mode

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

====Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll

O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe

O16 - DPF: {343348AA-A0B1-15EB-A494-4EF2190ECE42} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {42DC7EFD-083D-304C-FAD4-2A5D297ACDFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4A5C2DAF-B7D1-6706-3809-05BD1D2A43FA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5C144B78-188D-6604-43B1-57873FF4704C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5E3DCBC5-B4E7-27F3-45D2-4D370902C826} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5EC22133-B63B-33DB-6A1D-1BD40536C40B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6FF08C3B-3CFF-6FD2-18A2-01942D2FABCC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on IEFix.reg and allow to add or Merge to the registry

RESTART back to Normal mode

Back in Windows

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

IF prompted at anytime by any of your Security software such as WinPatrol
ALLOW the changes so they won't interfere with any fixes we are trying

Open Hoster and click on "Restore Original Hosts"
OK it and exit

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Run another scan with Hijackthis and post a fresh log
Also post the Report from Ewido

Could you also do the following

Download:  Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

Wait for the results and post them back here
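The fix list above is built by reading the HijackThis log entry by entry: R0/R1 start and search settings pointing at the hijack domain, an O1 hosts redirect, a BHO loaded from a Windows system directory, O13 URL prefixes, every O15 trusted zone and trusted IP range, and O16 ActiveX downloads fetched as a bare .exe from an IP address. The script below is an added example written for this thread, not HijackThis code and not something the reply's author posted; it applies those same rules to log lines copied from the log in this thread (the sample text is constructed from it) and returns the entries a helper would want to review. The rules are this example's own assumptions, and the only "hijack host" it knows is allstarsearch.net, because that is the one named in the thread.

```python
"""Triage a HijackThis-style log for browser-hijack indicators.

Added example for this thread; not part of HijackThis. The rules below are
assumptions modelled on the fix list a helper posted, not the tool's logic.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hijack destination named in the thread's log; not a general blocklist.
HIJACK_HOSTS = {"allstarsearch.net"}

# Sample lines constructed from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {343348AA-A0B1-15EB-A494-4EF2190ECE42} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

_URL_RE = re.compile(r"https?://\S+")
_ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
_WINDIR_RE = re.compile(r"C:\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _url_host(text: str) -> Optional[str]:
    """Hostname of the first http(s) URL in the entry, lower-cased, or None."""
    m = _URL_RE.search(text)
    if not m:
        return None
    return (urlparse(m.group(0)).hostname or "").lower() or None


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the entry looks hijack-related, else None."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    host = _url_host(body)

    if kind in ("R0", "R1"):
        if "ProxyServer" in body:
            # A proxy with no host (":0") is a leftover, not a usable setting.
            value = body.split(" = ", 1)[1] if " = " in body else ""
            return "proxy setting with empty host" if not value.split(":")[0] else None
        if host and (host in HIJACK_HOSTS or _is_ip(host)):
            return f"IE start/search setting points at {host}"
        return None
    if kind == "O1":
        return "hosts file redirect"          # HJT only lists non-default hosts lines
    if kind == "O2":
        # Heuristic: legitimate BHOs normally live under Program Files.
        return "BHO loaded from a Windows system directory" if _WINDIR_RE.search(body) else None
    if kind == "O13":
        return "URL prefix hijack"            # any O13 line means the prefix was changed
    if kind == "O15":
        return "trusted zone/IP range entry"  # the fix list removes all of these
    if kind == "O16":
        if host and (_is_ip(host) or body.lower().endswith(".exe")):
            return f"ActiveX download from {host}"
        return None
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage_line over every line and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append({"entry": line.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['entry']}")
```

On the sample above it flags nine of the eleven entries and leaves the Yahoo start page and the Trend Micro HouseCall .cab alone, which is the same split the reply makes by hand. The O2 rule is the loosest one: a DLL directly under the Windows directory is worth a look, not automatically bad, so treat that finding as "review" rather than "fix".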
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 01:31:37 AM
Thank you again. I'm a little reluctant to reboot. Last time I had an infection like this, when I tried to reboot, the infection got worse, and I was soon unable to boot up at all without extensive and expensive help from Microsoft tech support. Are you fairly confident, based on what you're seeing about my current infections, that I will be able to reboot in safe mode without a problem? By the way, I was unable to update ewido. It said I have to reboot first.

What do you think?
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 01:35:07 AM
Not sure what you mean by the last time you had an infection like this
When was that?

I don't see why you would have a problem rebooting
Except I see a few problems in your running processes
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 10:26:39 AM
You helped me eliminate the SmartSecurity infection from my computer a couple months ago. :)

Anyway, not to worry, the reboot went fine. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:04 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe




REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{203B1C4D9-BC71-8916-38AD-9DEA5D213614}" 5/29/2005 8:23:36 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]






Now what?
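The RegSrch.vbs output above is in REGEDIT4 export format: each key path sits in square brackets, and any values stored under that key follow it as "name"="data" pairs. Reading it that way tells you two different things about the searched string: under SharedTaskScheduler it is the name of a value, while under the HKEY_USERS paths it is a key of its own (with an InProcServer32 subkey). That is the distinction that decides whether a whole key or only a value gets exported and removed. The parser below is an added example for this thread, not part of RegSrch.vbs or of the reply; the sample text is constructed from the results posted above, and the "action" wording is the example's own. It also shows that the searched string is not a well-formed GUID (its first group has nine hex digits rather than eight), which is why a plain text search is the right way to find it.

```python
"""Parse REGEDIT4-style search output and classify each hit as key or value.

Added example for this thread; not RegSrch.vbs code. Sample input is
constructed from the search results posted in the thread.
"""
import re
from typing import Dict, List

SAMPLE_RESULTS = r"""
REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "{203B1C4D9-BC71-8916-38AD-9DEA5D213614}" 5/29/2005 8:23:36 AM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


def is_well_formed_guid(s: str) -> bool:
    """True for the 8-4-4-4-12 hex layout a real CLSID uses."""
    return bool(_GUID_RE.match(s))


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} in file order.

    Comment lines (';'), the REGEDIT4 header and blank lines are skipped;
    a key with no values maps to an empty dict.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def classify_hits(keys: Dict[str, Dict[str, str]], needle: str) -> List[Dict[str, str]]:
    """For each place the needle occurs, say whether it is a key or a value.

    A subkey hit (e.g. ...\\{needle}\\InProcServer32) is folded into the
    topmost key named by the needle, since removing that key removes it too.
    """
    n = needle.lower()
    hits: List[Dict[str, str]] = []
    seen = set()
    for path, values in keys.items():
        parts = path.split("\\")
        lowered = [p.lower() for p in parts]
        if n in lowered:
            top = "\\".join(parts[: lowered.index(n) + 1])
            if ("key", top) not in seen:
                seen.add(("key", top))
                hits.append({"kind": "key", "target": top,
                             "action": "export the key, then delete the key"})
        for name, data in values.items():
            if n in name.lower() or n in data.lower():
                if ("value", path, name) not in seen:
                    seen.add(("value", path, name))
                    hits.append({"kind": "value", "target": path, "value": name,
                                 "action": "export the parent key, then delete only this value"})
    return hits


if __name__ == "__main__":
    needle = "{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"
    print("well-formed GUID:", is_well_formed_guid(needle))
    for h in classify_hits(parse_regedit4(SAMPLE_RESULTS), needle):
        print(h["kind"], "->", h["target"], "|", h["action"])
```

Run against the sample it reports one value hit (the SharedTaskScheduler entry) and two key hits (the two HKEY_USERS CLSID keys, the InProcServer32 subkey folded into its parent), so the export-and-remove work is three items rather than six lines.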
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 10:37:59 AM
Could you possibly supply me with the report that Ewido made
I would like to make sure a few files were removed
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 10:39:17 AM
Sorry about that. Here it is:


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         7:55:43 AM, 5/29/2005
 + Report-Checksum:      6D5800BD

 + Date of database:      5/29/2005
 + Version of scan engine:   v3.0

 + Duration:            419 min
 + Scanned Files:         243563
 + Speed:            9.69 Files/Second
 + Infected files:         11
 + Removed files:         9
 + Files put in quarantine:      9
 + Files that could not be opened:   0
 + Files that could not be cleaned:   2

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\Program Files\PestPatrol\Quarantine\20050406113759.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
   C:\Program Files\PestPatrol\Quarantine\20050406113759.zip/Documents and Settings/Owner/Cookies/owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
   C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
   C:\WINDOWS\system\svchost.exe -> TrojanDropper.Agent.kz -> Cleaned with backup
   C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
   C:\WINDOWS\system32\rch.dll -> Trojan.GSearch -> Cleaned with backup
   C:\WINDOWS\system32\rdrlib.dll -> Spyware.Redir.b -> Cleaned with backup
   C:\WINDOWS\system32\vxgame3.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
   C:\WINDOWS\system32\vxgamet1.exe -> TrojanDownloader.Small.aqt -> Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDropper.Small.wp -> Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDropper.Small.wp -> Cleaned with backup


::Report End
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 11:34:14 AM
Can you make sure that this file doesn't exist
If it does, remove it
C:\WINDOWS\System32\vxgame4.exe <-file

I can't pinpoint what that CLSID is related to

Can you do the following please

Go to MyDocuments folder and create a new folder
Right click an empty spot and select NEW>>Folder
Name it Backups

Next enter your Registry
START>>RUN>>type in regedit
Hit OK

In the registry
Navigate to the following key
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

You can do that by expanding(+) on the following
+HKEY_USERS
+S-1-5-21-818225494-2651060331-2636784919-1003
+Software
+Microsoft
+Windows
+CurrentVersion
+Explorer
+CLSID

Left click and Highlight {203B1C4D9-BC71-8916-38AD-9DEA5D213614}
and then right click on it and choose EXPORT
Name the key and Export to the Backups folder
and then right click on it and choose DELETE

Do the same for these entries in bold
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

The next one
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
EXPORT SharedTaskScheduler but DON'T delete it
Instead look on the right hand side for {203B1C4D9-BC71-8916-38AD-9DEA5D213614}

And right click on that entry and delete it

Now we have backups of that Clsid if we need them
but they're no longer in the registry

After that
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Let me know how everything's running
Keep those backups of the registry in the Backups folder for awhile
Let's make sure everything is running smoothly and ensure they're not needed

You said you ran Ad-Aware
If you're running the free version, it has just been updated
I would suggest that you uninstall your version from Add/Remove programs
and download the newest version
You can get it here
http://www.download.com/3000-2144-10045910.html

Run a full system scan after it's installed and remove all Criticals
Restart the computer if anything cleaned

Post back one last hijackthis log and let me know how things are going

You said I helped you a while back, I usually suggest installing some tools after you're clean to help prevent these types of infections
What tools did you download for prevention?
Title: please help: browser hijacked by "allstarsearch"
Post by: Guest on May 29, 2005, 01:18:56 PM
[quote name=\'guestolo\' date=\'May 29 2005, 10:34 AM\']Can you make sure that this file doesn't exist
If it does, remove it
C:\WINDOWS\System32\vxgame4.exe <-file

I can't pinpoint what that CLSID is related to

That file does not exist

Can you do the following please

Go to MyDocuments folder and create a new folder
Right click an empty spot and select NEW>>Folder
Name it Backups

Next enter your Registry
START>>RUN>>type in regedit
Hit OK

In the registry
Navigate to the following key
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

You can do that by expanding(+) on the following
+HKEY_USERS
+S-1-5-21-818225494-2651060331-2636784919-1003
+Software
+Microsoft
+Windows
+CurrentVersion
+Explorer
+CLSID

Left click and Highlight {203B1C4D9-BC71-8916-38AD-9DEA5D213614}
and then right click on it and choose EXPORT
Name the key and Export to the Backups folder
and then right click on it and choose DELETE

Do the same for these entries in bold
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

I could not locate that last one ^^^^^^^

The next one
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
EXPORT SharedTaskScheduler but DON'T delete it
Instead look on the right hand side for {203B1C4D9-BC71-8916-38AD-9DEA5D213614}

And right click on that entry and delete it

Now we have backups of that Clsid if we need them
but they're no longer in the registry

After that
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Let me know how everything's running


Everything seems to be running well again. Thank you!


Keep those backups of the registry in the Backups folder for awhile
Let's make sure everything is running smoothly and ensure they're not needed

You said you ran Ad-Aware
If you're running the free version, it has just been updated
I would suggest that you uninstall your version from Add/Remove programs
and download the newest version
You can get it here
http://www.download.com/3000-2144-10045910.html

Run a full system scan after it's installed and remove all Criticals
Restart the computer if anything cleaned

I will do this today.

Post back one last hijackthis log and let me know how things are going

You said I helped you a while back, I usually suggest installing some tools after you're clean to help prevent these types of infections
What tools did you download for prevention?
[/quote]

Could you re-advise what would be good for me to use? I have AVG running now. What more do you suggest? Many thanks. You're a lifesaver!
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 01:22:16 PM
Run the newer Ad-Aware and restart the computer after cleaning

Post the final hijackthis log and we'll take it from there

I use AVG on this computer and don't have any problems

But we'll get some preventive tools on your computer later
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 02:10:38 PM
here is the log after running ad-aware and restarting:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:02 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WordWeb\wweb32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe



thanks again.
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 02:20:05 PM
Looks good

You should disable System Restore, restart your computer, then re-enable System Restore.
This will clear all your restore points and ensure you don't restore any nasties.
Once re-enabled it will create a fresh restore point.
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

With both, check for updates every couple of weeks.
Keep the link to IE-SPYAD bookmarked so you can check for updates.
With SpywareBlaster, after every update just click "enable all protection".

If your version of Windows is legit, you may think about visiting Windows updates and updating to Service Pack 2

P.S. You may choose to hold onto Ewido also, that's up to you
It will become a limited version in a couple weeks, but still performs quite well

NOTE: Even if you already have SpywareBlaster 3.4 or IE-SPYAD installed,
you will have to re-enable the protection, as we removed entries from the registry earlier with DelDomains.inf.
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 06:15:15 PM
it appears we haven't fully cleaned up my system. i'm still getting a little explorer dialogue box popping up every 10 minutes or so. there's a yellow warning triangle, followed by this text: "For Your Instant Access please Click Yes" then there's an OK button which, needless to say, i have not clicked. i just close the box every time it appears, then it reappears about ten minutes later. i've only been getting this since i got infected yesterday. all the other infection symptoms still seem to be corrected.

any ideas?
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 09:38:09 PM
I want to check on something please

Can you do the following please

Download and UNZIP to desktop DPF.zip
So you now have dpf.bat extracted to desktop

Double click on dpf.bat and a text file will open

Can you copy and paste that info back here, thanks
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 10:11:01 PM
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 7888-AAB4

 Directory of C:\WINDOWS\Downloaded Program Files

05/28/2005  02:12 PM    <DIR>          BUILTIN\Administrators .
05/28/2005  02:12 PM    <DIR>          BUILTIN\Administrators ..
04/09/2003  10:17 PM                65 BUILTIN\Administrators desktop.ini
10/15/1997  01:52 AM               697 BUILTIN\Administrators DirectAnimation Java Classes.osd
09/05/2001  05:22 AM            24,576 STEVEMAIN\Owner        iSetup.dll
09/05/2001  05:21 AM           159,744 STEVEMAIN\Owner        iSetup.exe
09/05/2001  05:22 AM               411 STEVEMAIN\Owner        isetup.inf
08/25/2003  06:12 PM             1,096 STEVEMAIN\Owner        iuctl.inf
02/23/2004  04:37 PM               740 STEVEMAIN\Owner        jinstall-1_4_2_04.inf
01/20/2000  03:25 PM             1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
10/09/2003  11:32 AM               144 STEVEMAIN\Owner        QTPlugin.inf
11/10/2003  02:29 PM         5,555,056 STEVEMAIN\Owner        QuickTimeInstallCache.qdat
12/08/2003  02:58 PM             3,759 STEVEMAIN\Owner        swflash.inf
05/03/2005  11:42 AM             2,144 STEVEMAIN\Owner        xscan60.inf
05/03/2005  11:45 AM           475,190 STEVEMAIN\Owner        xscan60.ocx
08/07/2003  01:36 PM               530 STEVEMAIN\Owner        Yahoo! Chess.osd
              14 File(s)      6,225,314 bytes
               2 Dir(s)   6,799,147,008 bytes free
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 29, 2005, 11:01:31 PM
You said this just started happening?
What have you installed recently besides the tools I asked of you?

Can you do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
Name: Messenger (this is not MSN Messenger, for your information)

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Do the same for this one too
Alerter

Post a fresh hijackthis log and let me know if you get any more popups

Could you also do the following
Open Hijackthis>>Open Misc tools section
Check both
List all minor sections(full)
List empty sections (complete)
Then click the "Generate Startuplist log" button
A text file will open
Copy and paste back the whole contents of this log too
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 29, 2005, 11:32:41 PM
It was happening ever since the allstarsearch infection began yesterday.

I haven't installed anything since then.

Logfile of HijackThis v1.99.1
Scan saved at 9:31:57 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WordWeb\wweb32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {01B05E0F-7044-1A45-2086-5EE12442047C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {40A37E2C-C667-1CB0-86A1-71266ECE8B71} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4665A2C5-F020-09F6-803F-0BF87AA64B90} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDED2AF-44DC-4EE8-C6E7-6A0406D10AE1} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4CD6CEC0-F49E-420F-8C1F-324017A60D78} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {75D15F2B-5377-7B4E-0200-28FE58C735F7} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 30, 2005, 12:13:58 AM
i am still getting the popup.
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 30, 2005, 12:30:34 AM
Can I have you do the following
Some O16 entries in your log are returning

Can you disable PestPatrol's and WinPatrol's real-time protection
They may be getting in the way of fixing this thing

Keep them disabled until we have you clean

Do another scan with Hijackthis and put a check next to these entries:

O16 - DPF: {01B05E0F-7044-1A45-2086-5EE12442047C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {40A37E2C-C667-1CB0-86A1-71266ECE8B71} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4665A2C5-F020-09F6-803F-0BF87AA64B90} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDED2AF-44DC-4EE8-C6E7-6A0406D10AE1} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4CD6CEC0-F49E-420F-8C1F-324017A60D78} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {75D15F2B-5377-7B4E-0200-28FE58C735F7} - http://69.50.182.94/1/rdgUS1953.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Run another scan with Hijackthis and post a fresh log afterwards

Could you also supply that startup list I asked for earlier
Here's the instructions again
Open Hijackthis>>Open Misc tools section
Check both
List all minor sections(full)
List empty sections (complete)
Then click the "Generate Startuplist log" button
A text file will open
Copy and paste back the whole contents of this log too

One final request
I won't see your logs until tomorrow some time
In the mean time
Can you run an Online virus scan at Panda's and save the report afterwards and post it back here
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
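The O16 entries guestolo is asking to have fixed all share one pattern: a single codebase on a bare IP address, serving a raw .exe instead of a .cab, and registered under a different random CLSID every time it comes back. The script below is an added example for this thread, not code from HijackThis, StartupList or either poster; it parses the O16 lines of a HijackThis log (and the CODEBASE lines of a StartupList "Download Program Files" section), groups the registered controls by the URL they were fetched from, and flags that pattern. The sample inputs are constructed excerpts of the lines posted above, and the heuristics and their wording are this example's own.

```python
"""Triage of HijackThis O16 / StartupList "Download Program Files" entries.

Added example for this thread; not part of HijackThis or StartupList.
Heuristics and reason strings are the example's own assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# HijackThis:  O16 - DPF: {CLSID} (Friendly Name) - http://host/path/file.cab
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))? - (?P<codebase>\S+)"
)
# StartupList:  [{CLSID}] or [Friendly Name], later followed by "CODEBASE = url"
SL_HEAD_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SL_CODEBASE_RE = re.compile(r"^CODEBASE = (?P<codebase>\S+)")
CLSID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample: an excerpt of the O16 lines posted in this thread.
SAMPLE_HJT_LOG = """\
O16 - DPF: {01B05E0F-7044-1A45-2086-5EE12442047C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {40A37E2C-C667-1CB0-86A1-71266ECE8B71} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4665A2C5-F020-09F6-803F-0BF87AA64B90} - http://69.50.182.94/1/rdgUS1953.exe
"""
# Constructed sample: an excerpt of the StartupList section posted in this thread.
SAMPLE_STARTUPLIST = """\
Enumerating Download Program Files:

[{046B2BD2-F0F5-7EBC-7CAB-280F46230C4A}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[HouseCall Control]
InProcServer32 = C:\\WINDOWS\\DOWNLO~1\\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab
"""


def parse_entries(text):
    """Return (identifier, friendly_name, codebase) tuples from either log format."""
    entries = []
    pending = None  # (identifier, name) from the last StartupList section header
    for raw in text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            entries.append((m["clsid"].upper(), m["name"] or "", m["codebase"]))
            continue
        m = SL_HEAD_RE.match(line)
        if m:
            key = m["key"].strip("{}")
            # A CLSID-shaped header is an anonymous control; anything else is its name.
            pending = (key.upper(), "") if CLSID_RE.match(key) else (key, key)
            continue
        m = SL_CODEBASE_RE.match(line)
        if m and pending:
            entries.append((pending[0], pending[1], m["codebase"]))
            pending = None
    return entries


def suspicious_reasons(name, codebase):
    """Per-entry checks a helper applies by eye; each hit is a readable reason."""
    reasons = []
    url = urlparse(codebase)
    if BARE_IPV4_RE.match(url.hostname or ""):
        reasons.append("codebase hosted on a bare IP address rather than a vendor domain")
    if url.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("codebase is a raw executable rather than a .cab/.ocx package")
    if not name:
        reasons.append("control registered without a friendly name")
    return reasons


def triage(text):
    """Group entries by codebase: {codebase: {"clsids": [...], "reasons": [...]}}."""
    groups = defaultdict(lambda: {"clsids": [], "reasons": []})
    for ident, name, codebase in parse_entries(text):
        group = groups[codebase]
        if ident not in group["clsids"]:
            group["clsids"].append(ident)
        for reason in suspicious_reasons(name, codebase):
            if reason not in group["reasons"]:
                group["reasons"].append(reason)
    for group in groups.values():
        if len(group["clsids"]) > 1:  # same payload re-registered under fresh CLSIDs
            group["reasons"].append(
                f"{len(group['clsids'])} different CLSIDs point at the same codebase "
                "(re-registered under fresh random CLSIDs)"
            )
    return dict(groups)


def flagged(text):
    """Codebases with at least one reason, most reasons first."""
    groups = triage(text)
    return sorted((cb for cb, g in groups.items() if g["reasons"]),
                  key=lambda cb: -len(groups[cb]["reasons"]))


if __name__ == "__main__":
    for sample in (SAMPLE_HJT_LOG, SAMPLE_STARTUPLIST):
        for codebase, group in triage(sample).items():
            tag = "SUSPECT" if group["reasons"] else "ok     "
            print(f"{tag} {codebase}  ({len(group['clsids'])} CLSID(s))")
            for reason in group["reasons"]:
                print(f"          - {reason}")
```

Grouping by codebase rather than by CLSID is the point: HijackThis and the fix lists work per CLSID, which is exactly why the entries keep "returning" under new identifiers while the URL they pull from never changes. Removing the DPF entries alone does not remove whatever re-registers them; the flagged URL is the indicator to take to the scanners and to block.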
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 30, 2005, 11:08:01 AM
StartupList report, 5/30/2005, 9:07:05 AM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
Microsoft Broadband Networking.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TM Outbreak Agent = "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
Share-to-Web Namespace Daemon = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
PCClient.exe = "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
nwiz = nwiz.exe /install
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
KBD = C:\HP\KBD\KBD.EXE
hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
EPSON Stylus Photo R800 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[{046B2BD2-F0F5-7EBC-7CAB-280F46230C4A}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[{0869DA11-E03A-3630-70A4-388932D4ABFF}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{101593E8-67D0-05BC-A691-13D93F08A799}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{129857D2-6060-789A-9BE7-1B4B09B5B098}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{1A154923-28CF-093F-241C-31E85458AA72}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{23C861D4-81F4-1CBE-1364-64156D8F4EFF}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{3D8BBDA2-892E-048F-8FCE-31724E2ABC13}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{3E551B96-95F3-4EDD-5DB8-24ED1980A3E3}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{4F8D50A7-3F6A-2D8D-FACE-4A5B0C6A9084}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{5ECB89BD-B6D0-1EDC-2BD4-290240ECD6FC}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{6724554E-696A-372D-35FA-023A28B6A8AC}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[{75E41ADE-74FE-38CD-B7C5-47305F2D71C8}]
CODEBASE = http://69.50.182.94/1/rdgUS1953.exe

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Java Plug-in 1.4.2_05]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab (http://\"http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab\")

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab (http://\"http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab\")

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (http://\"http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab\")

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
AnyDVD: System32\Drivers\AnyDVD.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
Aspi32: System32\drivers\aspi32.sys (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: System32\DRIVERS\drvmcdb.sys (system)
ElbyCDFL: System32\Drivers\ElbyCDFL.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
gearsec: C:\WINDOWS\System32\gearsec.exe (autostart)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
hardlock: \??\C:\WINDOWS\System32\drivers\hardlock.sys (autostart)
Haspnt: \??\C:\WINDOWS\System32\drivers\Haspnt.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
Imagedrv: System32\DRIVERS\imagedrv.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Softex OmniPass Service: C:\Program Files\Softex\OmniPass\Omniserv.exe (autostart)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Phase One 1394 Camera Driver: \SystemRoot\System32\Drivers\p1c1394.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcatip: System32\DRIVERS\PcAtip.sys (manual start)
Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{3E638203-9A6E-493D-B94E-E207BFC163BC} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
uscbs108: System32\DRIVERS\uscbs108.sys (manual start)
uscsc108: System32\DRIVERS\uscsc108.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute =

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 35,301 bytes
Report generated in 0.141 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Logfile of HijackThis v1.99.1
Scan saved at 9:08:21 AM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {046B2BD2-F0F5-7EBC-7CAB-280F46230C4A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0869DA11-E03A-3630-70A4-388932D4ABFF} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {101593E8-67D0-05BC-A691-13D93F08A799} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {129857D2-6060-789A-9BE7-1B4B09B5B098} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {1A154923-28CF-093F-241C-31E85458AA72} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {23C861D4-81F4-1CBE-1364-64156D8F4EFF} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D8BBDA2-892E-048F-8FCE-31724E2ABC13} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3E551B96-95F3-4EDD-5DB8-24ED1980A3E3} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4F8D50A7-3F6A-2D8D-FACE-4A5B0C6A9084} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5ECB89BD-B6D0-1EDC-2BD4-290240ECD6FC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6724554E-696A-372D-35FA-023A28B6A8AC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {75E41ADE-74FE-38CD-B7C5-47305F2D71C8} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe


Panda Online Scan:

Incident                      Status                        Location

Spyware:Spyware/BargainBuddy  No disinfected                Windows Registry
Adware:Adware/nCase           No disinfected                C:\WINDOWS\180ax.log
Virus:Bck/Haxdoor.A           Disinfected                   Operating system
Adware:Adware/MediaTickets    No disinfected                Windows Registry
Adware:Adware/Adsmart         No disinfected                C:\WINDOWS\System32\vx.tll
Virus:Trj/Downloader.BWL      Disinfected                   Operating system
Adware:Adware/Nowfind         No disinfected                C:\WINDOWS\System32\hst32.dll
Virus:Exploit/CodeBase.S      No disinfected                C:\adwxx.chm[1.htm]
Spyware:Spyware/Fstb          No disinfected                C:\adwxx.chm[htm2chm_explorer]
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-322ec9ef.zip[Dummy.class]
Virus:Trj/Shinwow.E           Disinfected                   C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-65ce6fc0-1daf0b55.zip[Matrix.class]
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-65ce6fc0-1daf0b55.zip[Counter.class]
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-65ce6fc0-1daf0b55.zip[Dummy.class]
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-65ce6fc0-1daf0b55.zip[Parser.class]
Virus:Exploit/LoadImage       Disinfected                   C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GXQFW9QN\sploit[1].anr
Virus:Exploit/HHelp           Disinfected                   C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X7HXJ2FJ\index[5].htm
Virus:Eicar.Mod               No disinfected                C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/nCase           No disinfected                C:\WINDOWS\180ax.log
Adware:Adware/nCase           No disinfected                C:\WINDOWS\180axau.dat                                                                                                                                                                                                                                          
Adware:Adware/Nowfind         No disinfected                C:\WINDOWS\system32\hst32.dll                                                                                                                                                                                                                                  
Adware:Adware/Adsmart         No disinfected                C:\WINDOWS\system32\thun.dll                                                                                                                                                                                                                                    
Adware:Adware/Adsmart         No disinfected                C:\WINDOWS\system32\vx.tll                                                                                                                                                                                                                                      
Adware:Adware/SpywareNo       No disinfected                C:\WINDOWS\system32\vxh8jkdq2.exe                                                                                                                                                                                                                              
Virus:Trj/Downloader.CRY      Disinfected                   C:\WINDOWS\system32\vxh8jkdq6.exe                                                                                                                                                                                                                              
Virus:Trj/Downloader.CWI      Disinfected                   C:\WINDOWS\system32\vxh8jkdq7.exe                                                                                                                                                                                                                              
Adware:Adware/Nowfind         No disinfected                C:\WINDOWS\system32\wcnl32.dll                                                                                                                                                                                                                                  

as you can see, the panda scan found quite a bit, but was only able to disinfect some of the items. what do you suggest?
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 30, 2005, 10:15:48 PM
Hello again, let's hopefully remove these bad files for you

Can you do the following please

* Download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip). In the event you already have Killbox, this is a new version that I need you to download.
* UNZIP it to your desktop or a folder

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK
Please copy and paste the rest of these instructions to that notepad file and save this to your desktop

Restart your computer into SAFE MODE

double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions
I need you to Copy and paste the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Clipboard between dotted lines
===========================================
C:\WINDOWS\System32\syst2.exe
C:\WINDOWS\System32\cidft.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\gupd.dll
C:\WINDOWS\System32\hst32.dll
C:\WINDOWS\System32\icnfe.dll
C:\WINDOWS\System32\icqrt.dll
C:\WINDOWS\System32\icvbr.dll
C:\WINDOWS\System32\sdfup.dll
C:\WINDOWS\System32\thun.dll
C:\WINDOWS\System32\wcnl32.dll
C:\WINDOWS\System32\wecxg32.dll
C:\WINDOWS\System32\wirl.dll
C:\WINDOWS\System32\xcwer32.dll
C:\WINDOWS\System32\zxmsn.dll
C:\WINDOWS\180ax.log
C:\WINDOWS\System32\vx.tll
C:\adwxx.chm
C:\adwxx.chm[1.htm]
C:\adwxx.chm[htm2chm_explorer]
C:\WINDOWS\180axau.dat
C:\WINDOWS\system32\vxh8jkdq2.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Back in Windows
Don't open a browser yet

Instead
Open HOSTER and click the "Restore Original Hosts"

Do another scan with Hijackthis and put a check next to these entries:

O16 - DPF: {046B2BD2-F0F5-7EBC-7CAB-280F46230C4A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {0869DA11-E03A-3630-70A4-388932D4ABFF} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {101593E8-67D0-05BC-A691-13D93F08A799} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {129857D2-6060-789A-9BE7-1B4B09B5B098} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {1A154923-28CF-093F-241C-31E85458AA72} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {23C861D4-81F4-1CBE-1364-64156D8F4EFF} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D8BBDA2-892E-048F-8FCE-31724E2ABC13} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3E551B96-95F3-4EDD-5DB8-24ED1980A3E3} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4F8D50A7-3F6A-2D8D-FACE-4A5B0C6A9084} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5ECB89BD-B6D0-1EDC-2BD4-290240ECD6FC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6724554E-696A-372D-35FA-023A28B6A8AC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {75E41ADE-74FE-38CD-B7C5-47305F2D71C8} - http://69.50.182.94/1/rdgUS1953.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer again

Back in Windows
Run another scan with Hijackthis and post a fresh log
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 31, 2005, 12:41:10 AM
Thanks again for all your excellent assistance.

After following your latest instructions, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:11 PM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\Program Files\Microsoft Broadband Networking\MSBNUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C7463BC-C443-7FC6-B819-29876C07CD6D} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {2D0D072D-CEF0-7044-2FEF-0C6A0327C365} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {31846D16-AB23-7A39-7F1C-77964DCE3CFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {347AEC2C-17A4-3625-C36B-2C3C597F5DD1} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3A6BB3BE-846F-7746-1574-76AB149A6707} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {45AD0F0F-16E1-2A0E-AB27-01F74E7203C0} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {47566371-DCAC-0DB8-5427-0BFF051E599F} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4B181A22-8465-4428-BBD0-457168E8346D} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {745B5DBF-6EFC-538F-6DB6-5D65316C40D9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe



What do you think?
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on May 31, 2005, 12:53:47 AM
Can you make sure that you have hijackthis fix these ones too
You can tell they're very identical to the last entries we just killed

Do another scan with Hijackthis and put a check next to these entries:

O16 - DPF: {0C7463BC-C443-7FC6-B819-29876C07CD6D} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {2D0D072D-CEF0-7044-2FEF-0C6A0327C365} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {31846D16-AB23-7A39-7F1C-77964DCE3CFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {347AEC2C-17A4-3625-C36B-2C3C597F5DD1} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3A6BB3BE-846F-7746-1574-76AB149A6707} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {45AD0F0F-16E1-2A0E-AB27-01F74E7203C0} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {47566371-DCAC-0DB8-5427-0BFF051E599F} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4B181A22-8465-4428-BBD0-457168E8346D} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {745B5DBF-6EFC-538F-6DB6-5D65316C40D9} - http://69.50.182.94/1/rdgUS1953.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Run another scan with Hijackthis and post a fresh log
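The O16 entries guestolo keeps asking to be fixed share one pattern: a dozen random CLSIDs that all resolve to the same bare .exe on a raw IP address, with no friendly control name, while the legitimate Trend Micro and Panda entries point at named .cab packages on vendor hostnames. The following is an added example (not code from this thread, HijackThis, or any of the tools mentioned) that reads HijackThis log lines and applies exactly those checks, plus a start-page allowlist for the R0/R1 lines. The O16/R1/O2 sample lines are copied from the logs in this thread; the allstarsearch start-page line and the `TRUSTED_HOSTS` list are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample HijackThis lines. The O16, R1 and O2 lines are copied from the logs
# in this thread; the allstarsearch R0 line is CONSTRUCTED to represent the
# hijacked state the original poster described.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allstarsearch.net/",  # constructed
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    r"O16 - DPF: {0C7463BC-C443-7FC6-B819-29876C07CD6D} - http://69.50.182.94/1/rdgUS1953.exe",
    r"O16 - DPF: {2D0D072D-CEF0-7044-2FEF-0C6A0327C365} - http://69.50.182.94/1/rdgUS1953.exe",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab",
]

# Assumption: hosts this user considers legitimate for home/search pages.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yahoo.com")

# O16 - DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)\s*$")
# R0/R1 - HIVE\key,value = URL
R_RE = re.compile(r"^R[01] - (HK\w+)\\(.+?),([^=]+?) = (\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_o16(lines):
    """Extract the Download Program Files (ActiveX) entries from HJT lines."""
    entries = []
    for line in lines:
        m = O16_RE.match(line.strip())
        if m:
            clsid, name, url = m.groups()
            entries.append({"clsid": clsid.upper(), "name": name, "url": url})
    return entries


def triage_o16(entries):
    """Return the entries that look like drive-by installers, with reasons."""
    by_url = defaultdict(list)
    for e in entries:
        by_url[e["url"]].append(e["clsid"])
    findings = []
    for e in entries:
        reasons = []
        parsed = urlparse(e["url"])
        # Legitimate DPF controls ship as signed .cab/.ocx packages, not bare .exe files.
        if parsed.path.lower().endswith(".exe"):
            reasons.append("payload is a bare .exe, not a .cab/.ocx package")
        if IPV4_RE.match(parsed.hostname or ""):
            reasons.append("host is a literal IP address")
        if not e["name"]:
            reasons.append("no friendly control name")
        if len(by_url[e["url"]]) > 1:
            reasons.append(f"same URL registered under {len(by_url[e['url']])} CLSIDs")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def flag_start_pages(lines, trusted_hosts):
    """Flag R0/R1 home/search page values whose host is not on the allowlist."""
    findings = []
    for line in lines:
        m = R_RE.match(line.strip())
        if not m:
            continue
        hive, key, value, url = m.groups()
        host = urlparse(url).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
            findings.append({"hive": hive, "value": value.strip(), "url": url})
    return findings


if __name__ == "__main__":
    for f in triage_o16(parse_o16(SAMPLE_LINES)):
        print(f["clsid"], f["url"], "; ".join(f["reasons"]))
    for f in flag_start_pages(SAMPLE_LINES, TRUSTED_HOSTS):
        print(f["hive"], f["value"], "->", f["url"])
```

Run against the sample, the two rdgUS1953.exe entries each collect all four reasons while the HouseCall and ActiveScan controls collect none, and the constructed allstarsearch start page is the only R-line flagged. The "same URL under many CLSIDs" check is the one that matters most for this thread: the installer kept re-registering under fresh random CLSIDs between scans, so matching on the URL rather than the CLSID is what lets the same rule catch the second batch.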
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 31, 2005, 02:12:21 AM
Logfile of HijackThis v1.99.1
Scan saved at 12:12:17 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WordWeb\wweb32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
Title: please help: browser hijacked by "allstarsearch"
Post by: twinpeaks on May 31, 2005, 10:24:04 AM
amazingly, after all the above, i am still getting the popup!
Title: please help: browser hijacked by "allstarsearch"
Post by: guestolo on June 08, 2005, 05:38:43 PM
Locking this topic
Note to myself, user emailed me a log of all files in system32 folder
Replied and had user remove some other bad files
Assume everything is ok now, but no response in about a week

Part of that log, not all files are bad

Code:
04/03/28980  02:41 AM             3,120 RE13T8JS.ocx
04/03/28980  02:41 AM             3,120 N384F3HU.ocx
05/28/2005  11:50 PM                39 mscnf.dll
05/28/2005  11:50 PM             9,728 trf32.dll
05/28/2005  05:49 PM                13 rch32.dll
05/28/2005  09:44 AM                26 $$$_.log
05/28/2005  09:42 AM                38 bre32.dll
05/17/2005  08:51 PM             1,158 wpa.dbl
05/07/2005  03:46 PM             3,402 jupdate-1.5.0_03-b07.log
04/13/2005  03:48 AM           127,078 javaws.exe
04/13/2005  03:48 AM            49,265 jpicpl32.cpl
04/13/2005  02:20 AM            49,250 javaw.exe
04/13/2005  02:19 AM            49,248 java.exe
04/08/2005  07:11 PM           499,712 msvcp71.dll
04/04/2005  05:52 PM           365,076 perfh009.dat
04/04/2005  05:52 PM            46,080 perfc009.dat
04/04/2005  05:52 PM           416,732 PerfStringBackup.INI
03/31/2005  10:34 AM           308,586 AdobeFnt.lst
03/15/2005  08:27 AM             3,032 jupdate-1.4.2_06-b03.log
01/12/2005  09:42 AM            99,480 FWSVPN.DLL
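Two things stand out in that listing even without knowing the file names: the two .ocx files carry a modification year of 28980, which no filesystem clock can have produced, and several .dll files are only 13 to 39 bytes long, far smaller than the 64-byte DOS header every real PE module starts with. The following is an added example (not code from this thread or from any tool mentioned in it) that parses Windows `dir` output lines and flags entries on those two signals, then reports which other files were written in the same minute, since drive-by installers tend to drop their components together. The listing is copied from guestolo's post above; the `MIN_PE_SIZE` threshold, the year bounds and the extension set are assumptions for the demonstration.

```python
import os
import re
from collections import defaultdict

# Partial System32 listing copied from guestolo's post in this thread.
LISTING = """\
04/03/28980  02:41 AM             3,120 RE13T8JS.ocx
04/03/28980  02:41 AM             3,120 N384F3HU.ocx
05/28/2005  11:50 PM                39 mscnf.dll
05/28/2005  11:50 PM             9,728 trf32.dll
05/28/2005  05:49 PM                13 rch32.dll
05/28/2005  09:44 AM                26 $$$_.log
05/28/2005  09:42 AM                38 bre32.dll
05/17/2005  08:51 PM             1,158 wpa.dbl
05/07/2005  03:46 PM             3,402 jupdate-1.5.0_03-b07.log
04/13/2005  03:48 AM           127,078 javaws.exe
04/13/2005  03:48 AM            49,265 jpicpl32.cpl
04/13/2005  02:20 AM            49,250 javaw.exe
04/08/2005  07:11 PM           499,712 msvcp71.dll
04/04/2005  05:52 PM           365,076 perfh009.dat
01/12/2005  09:42 AM            99,480 FWSVPN.DLL
"""

# MM/DD/YYYY  hh:mm AM/PM  size  name  (US-locale `dir` format as shown in the thread)
DIR_RE = re.compile(r"^(\d{2})/(\d{2})/(\d+)\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")

# Assumptions: extensions that must contain a PE image, and a conservative
# lower bound on the size of any real PE module (the DOS header alone is 64
# bytes; genuine system DLLs are orders of magnitude larger).
PE_EXTS = {".dll", ".ocx", ".exe", ".sys", ".cpl", ".scr"}
MIN_PE_SIZE = 512
EARLIEST_PLAUSIBLE_YEAR = 1980  # FAT/NTFS timestamps cannot predate this


def parse_dir_listing(text):
    """Turn `dir` output lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if not m:
            continue
        month, day, year, clock, size, name = m.groups()
        entries.append({
            "stamp": f"{month}/{day}/{year} {clock}",   # minute-granular timestamp as shown
            "year": int(year),                          # kept as int: datetime cannot hold 28980
            "size": int(size.replace(",", "")),
            "name": name,
        })
    return entries


def triage_listing(entries, scan_year):
    """Flag impossible timestamps and undersized PE modules; attach same-minute siblings."""
    by_stamp = defaultdict(list)
    for e in entries:
        by_stamp[e["stamp"]].append(e["name"])
    findings = []
    for e in entries:
        reasons = []
        if e["year"] > scan_year or e["year"] < EARLIEST_PLAUSIBLE_YEAR:
            reasons.append(f"impossible modification year {e['year']}")
        ext = os.path.splitext(e["name"])[1].lower()
        if ext in PE_EXTS and e["size"] < MIN_PE_SIZE:
            reasons.append(f"{e['size']} bytes is too small to be a real PE module")
        if reasons:
            siblings = [n for n in by_stamp[e["stamp"]] if n != e["name"]]
            findings.append({"name": e["name"], "reasons": reasons, "same_minute": siblings})
    return findings


if __name__ == "__main__":
    for f in triage_listing(parse_dir_listing(LISTING), scan_year=2005):
        print(f["name"], "|", "; ".join(f["reasons"]), "| written with:", f["same_minute"])
```

On this listing the two .ocx files and the three tiny .dll files are flagged, and the sibling report pairs mscnf.dll with trf32.dll, which was written in the same minute but is large enough to pass the size check on its own. That is the useful part of the timestamp clustering: it is not a verdict by itself (javaws.exe and jpicpl32.cpl were also written together, by a legitimate Java update), but once one file in a cluster is confirmed bad, the rest of the cluster is where to look next.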