Author Topic: please help: browser hijacked by "allstarsearch" (Read 4921 times)

twinpeaks · « **on:** May 28, 2005, 05:07:48 PM »

i need some help.

my IE browser has been hijacked and keeps redirecting my home page to allstarsearch.net and then downloads a bunch of nasties. i've run ad-aware and spysweeper, and both detect the infection and then "remove" it, but it keeps coming back. please help me clean out my system! below is my HJT scanlog. many thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:07:48 PM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Register Intellihance Pro 4.0.lnk = C:\Program Files\Extensis\Intellihance\Register Intellihance Pro 4.0.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

guestolo · « **Reply #1 on:** May 29, 2005, 12:19:43 AM »

Sorry for the delay

Can you do the following please

Download Silent Runners.vbs
http://www.cs.nyu.edu/~vs667/articles/hoto...lentRunners.zip

UNZIP the contents too desktop
Double click to Run Silent Runners
WAIT for the scan to finish, It will notify you when it's complete

Post back the log that's produced

Also post a fresh Hijackthis log

twinpeaks · « **Reply #2 on:** May 29, 2005, 12:39:39 AM »

Thanks and here are the logs:

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PPMemCheck" = "c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]
"PestPatrol Control Center" = "c:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"]
"CookiePatrol" = "c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"]
"WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"" ["BillP Studios"]
"TM Outbreak Agent" = ""C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"PCClient.exe" = ""C:\Program Files\Trend Micro\Internet Security\PCClient.exe"" [file not found]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"EPSON Stylus Photo R800" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"" ["SEIKO EPSON CORPORATION"]
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"AvLiteBr" = (no data)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}" = "OmniPass Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" ["FotoNation Inc."]
"{EE337094-9F50-4B8C-9B53-C00F52A3289B}" = "GF Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\LizardTech Shared\lt_lib_gf_iconShellEx.dll" ["LizardTech Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}" = ** INVALID DATA (not CLSID) **

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "%USERPROFILE%\Application Data\Microsoft\Wallpaper1.bmp"

Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"WordWeb Pro" -> shortcut to: "C:\Program Files\WordWeb\wweb32.exe" ["Antony Lewis"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"DriveSelect" -> shortcut to: "C:\Program Files\321Studios\Xpress\DriveSelect.exe" [empty string]
"Microsoft Broadband Networking" -> shortcut to: "C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
-> {CLSID}\(Default) = "hp toolkit"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{3DC8D6D6-AFF0-45CC-A847-E5012F60BA57}\
(Default) = "Instant Source"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Instant Source\isrc.dll" ["Blazing Tools Software"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll" ["Sun Microsystems, Inc."]

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
HIJACK WARNING! (Default) = "http://allstarsearch.net/gall.php?url="

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "home" = "http://allstarsearch.net/gall.php?url="
HIJACK WARNING! "mosaic" = "http://allstarsearch.net/gall.php?url="
HIJACK WARNING! "www" = "http://allstarsearch.net/gall.php?url="

HOSTS file
----------

C:\WINDOWS\system32\Drivers\Etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
gearsec, gearsec, "C:\WINDOWS\System32\gearsec.exe" ["GEAR Software"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe" [null data]
Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" [null data]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:38:46 PM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\PAVW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {343348AA-A0B1-15EB-A494-4EF2190ECE42} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {42DC7EFD-083D-304C-FAD4-2A5D297ACDFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4A5C2DAF-B7D1-6706-3809-05BD1D2A43FA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5C144B78-188D-6604-43B1-57873FF4704C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5E3DCBC5-B4E7-27F3-45D2-4D370902C826} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5EC22133-B63B-33DB-6A1D-1BD40536C40B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6FF08C3B-3CFF-6FD2-18A2-01942D2FABCC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

guestolo · « **Reply #3 on:** May 29, 2005, 01:13:39 AM »

I see you have Ewido installed now, it should take care of a few bad files on your computer
Can you do the following please

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Alternate Download link
We'll need this later

==Download and Unzip to a folder Hoster.zip

==Download and save to deskop or a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As

==Download and UNZIP to desktop IEFix.zip
So you now have IEFix.reg on the desktop
[attachment=246:attachment]

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In Safe mode

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

====Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: auto.search.msn.com 127.0.0.1

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll

O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {027AD36E-87AA-7653-2537-224B325BB7D5} - http://69.50.182.94/1/rdgUS1953.exe

O16 - DPF: {343348AA-A0B1-15EB-A494-4EF2190ECE42} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {35D5BD24-ECB7-373F-349E-3F5548BD8259} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3D720B9E-A235-7985-A0BA-250A60F8D85B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {42DC7EFD-083D-304C-FAD4-2A5D297ACDFA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4A5C2DAF-B7D1-6706-3809-05BD1D2A43FA} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDB8B88-D5C1-74DA-F238-470146CD0B1B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5C144B78-188D-6604-43B1-57873FF4704C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5E3DCBC5-B4E7-27F3-45D2-4D370902C826} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {5EC22133-B63B-33DB-6A1D-1BD40536C40B} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {6FF08C3B-3CFF-6FD2-18A2-01942D2FABCC} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {73058670-1488-7DB6-F39A-7BBC799F538A} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {74FE4A5A-1DA5-6B10-3A35-5D66466E2A68} - http://69.50.182.94/1/rdgUS1953.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on IEFix.reg and allow to add or Merge to the registry

RESTART back to Normal mode

Back in Windows

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

IF prompted at anytime by any of your Security software such as WinPatrol
ALLOW the changes so they won't interfere with any fixes we are trying

Open Hoster and click on "Restore Original Hosts"
OK it and exit

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Run another scan with Hijackthis and post a fresh log
Also post the Report from Ewidos

Could you also do the following

Download: Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

Wait for the results and post them back here

twinpeaks · « **Reply #4 on:** May 29, 2005, 01:31:37 AM »

Thank you again. I'm a little reluctant to reboot. Last time I had an infection like this, when I tried to reboot, the infection got worse, and I was soon unable to boot up at all without extensive and expensive help from Microsoft tech support. Are you fairly confident, based on what you're seeing about my current infections, that I will be able to reboot in safe mode without a problem? By the way, I was unable to update ewido. It saif I have to reboot first.

What do you think?

guestolo · « **Reply #5 on:** May 29, 2005, 01:35:07 AM »

Not sure what you mean by the last time you had an infection like this
When was that?

I don't see why you would have a problem rebooting
Except I see a few problems in your running processes

twinpeaks · « **Reply #6 on:** May 29, 2005, 10:26:39 AM »

You helped me eliminate the SmartSecurity infection from my computer a couple months ago.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Anyway, not to worry, the reboot went fine. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:04 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{203B1C4D9-BC71-8916-38AD-9DEA5D213614}" 5/29/2005 8:23:36 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32]

Now what?

guestolo · « **Reply #7 on:** May 29, 2005, 10:37:59 AM »

Could you possibly supply me with the report that Ewido made
I would like to make sure a few files were removed

twinpeaks · « **Reply #8 on:** May 29, 2005, 10:39:17 AM »

Sorry about that. Here it is:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         7:55:43 AM, 5/29/2005
+ Report-Checksum:      6D5800BD

+ Date of database:      5/29/2005
+ Version of scan engine:   v3.0

+ Duration:            419 min
+ Scanned Files:         243563
+ Speed:            9.69 Files/Second
+ Infected files:         11
+ Removed files:         9
+ Files put in quarantine:      9
+ Files that could not be opened:   0
+ Files that could not be cleaned:   2

+ Binder:      Yes
+ Crypter:      Yes
+ Archives:      Yes

+ Scanned items:
   C:\

+ Scan result:
   C:\Program Files\PestPatrol\Quarantine\20050406113759.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
   C:\Program Files\PestPatrol\Quarantine\20050406113759.zip/Documents and Settings/Owner/Cookies/owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
   C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
   C:\WINDOWS\system\svchost.exe -> TrojanDropper.Agent.kz -> Cleaned with backup
   C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
   C:\WINDOWS\system32\rch.dll -> Trojan.GSearch -> Cleaned with backup
   C:\WINDOWS\system32\rdrlib.dll -> Spyware.Redir.b -> Cleaned with backup
   C:\WINDOWS\system32\vxgame3.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
   C:\WINDOWS\system32\vxgamet1.exe -> TrojanDownloader.Small.aqt -> Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDropper.Small.wp -> Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDropper.Small.wp -> Cleaned with backup

::Report End

guestolo · « **Reply #9 on:** May 29, 2005, 11:34:14 AM »

Can you make sure that this file doesn't exist
If it does, remove it
C:\WINDOWS\System32\vxgame4.exe <-file

I can't pinpoint what that CLSID is related too

Can you do the following please

Go to MyDocuments folder and create a new folder
Right click an empty spot and select NEW>>Folder
Name it Backups

Next enter your Registry
START>>RUN>>type in regedit
Hit OK

In the registry
Navigate to the following key
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

You can do that by expanding(+) on the following
+HKEY_USERS
+S-1-5-21-818225494-2651060331-2636784919-1003
+Software
+Microsoft
+Windows
+CurrentVersion
+Explorer
+CLSID

Left click and Highlight {203B1C4D9-BC71-8916-38AD-9DEA5D213614}
and then right click on it and choose EXPORT
Name the key and Export to the Backups folder
and then right click on it and choose DELETE

Do the same for these entries in bold
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

The next one
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
EXPORT SharedTaskScheduler but DON'T delete it
Instead look on the right hand side for {203B1C4D9-BC71-8916-38AD-9DEA5D213614}

And right click on that entry and delete it

Now we have backups of that Clsid if we need them
but there no longer in the registry

After that
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Let me know how everythings running
Keep those backups of the registry in the Backups folder for awhile
Let's make sure everything is running smooth and ensure there not needed

You said you ran Ad-Aware
If your running the free version, it has just been updated
I would suggest that you uninstall your version from Add/Remove programs
and download the newest version
You can get it here
http://www.download.com/3000-2144-10045910.html

Run a full system scan after it's installed and remove all Criticals
Restart the computer if anything cleaned

Post back one last hijackthis log and let me know how things are going

You said I helped you a while back, I usually suggest installing some tools after your clean to help prevent these types of infections
What tools did you download for prevention?

Guest · « **Reply #10 on:** May 29, 2005, 01:18:56 PM »

[quote name=\'guestolo\' date=\'May 29 2005, 10:34 AM\']Can you make sure that this file doesn't exist
If it does, remove it
C:\WINDOWS\System32\vxgame4.exe <-file

I can't pinpoint what that CLSID is related too

That file does not exist

Can you do the following please

Go to MyDocuments folder and create a new folder
Right click an empty spot and select NEW>>Folder
Name it Backups

Next enter your Registry
START>>RUN>>type in regedit
Hit OK

In the registry
Navigate to the following key
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

You can do that by expanding(+) on the following
+HKEY_USERS
+S-1-5-21-818225494-2651060331-2636784919-1003
+Software
+Microsoft
+Windows
+CurrentVersion
+Explorer
+CLSID

Left click and Highlight {203B1C4D9-BC71-8916-38AD-9DEA5D213614}
and then right click on it and choose EXPORT
Name the key and Export to the Backups folder
and then right click on it and choose DELETE

Do the same for these entries in bold
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003\Software\Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_USERS\S-1-5-21-818225494-2651060331-2636784919-1003_Classes\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}

I could not locate that last one ^^^^^^^

The next one
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
EXPORT SharedTaskScheduler but DON'T delete it
Instead look on the right hand side for {203B1C4D9-BC71-8916-38AD-9DEA5D213614}

And right click on that entry and delete it

Now we have backups of that Clsid if we need them
but there no longer in the registry

After that
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Let me know how everythings running

Everything seems to be running well again. Thank you!

Keep those backups of the registry in the Backups folder for awhile
Let's make sure everything is running smooth and ensure there not needed

You said you ran Ad-Aware
If your running the free version, it has just been updated
I would suggest that you uninstall your version from Add/Remove programs
and download the newest version
You can get it here
http://www.download.com/3000-2144-10045910.html

Run a full system scan after it's installed and remove all Criticals
Restart the computer if anything cleaned

I will do this today.

Post back one last hijackthis log and let me know how things are going

You said I helped you a while back, I usually suggest installing some tools after your clean to help prevent these types of infections
What tools did you download for prevention?

[post=\"43118\"]<{POST_SNAPBACK}>[/post]

[/quote]

Could you re-advise what would be good for me to use? I have AVG running now. What more do you suggest? Many thanks. You're a lifesaver!

guestolo · « **Reply #11 on:** May 29, 2005, 01:22:16 PM »

Run the newer Ad-Aware and restart the computer after cleaning

Post the final hijackthis log and we'll take it from there

I use AVG on this computer and don't have any problems

But we'll get some preventive tools on your computer later

twinpeaks · « **Reply #12 on:** May 29, 2005, 02:10:38 PM »

here is the log after running ad-aware and restarting;

Logfile of HijackThis v1.99.1
Scan saved at 12:10:02 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WordWeb\wweb32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

thanks again.

guestolo · « **Reply #13 on:** May 29, 2005, 02:20:05 PM »

Looks good

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply Click the "enable all protection"

If your version of Windows is legit, you may think about visiting Windows updates and updating to Service Pack 2

P.S. You may choose to hold onto Ewido also, that's up to you
It will become a limited version in a couple weeks, but still performs quite well

NOTE>>>Even if you already have SpywareBlaster 3.4 or IE-Spyad installed
You will have to reenable the protection as we removed entries from the registry earlier with DelDomains.inf

twinpeaks · « **Reply #14 on:** May 29, 2005, 06:15:15 PM »

it appears we haven't fully cleaned up my system. i'm still getting a little explorer dialogue box popping up every 10 minutes or so. there's a yellow warning triangle, followed by this text: "For Your Instant Access please Click Yes" then there's an OK button which, needless to say, i have not clicked. i just close the box every time it appears, then it reappears about ten minutes later. i've only been getting this since i got infected yesterday. all the other infection symptons still seem to be corrected.

any ideas?

guestolo · « **Reply #15 on:** May 29, 2005, 09:38:09 PM »

I want to check on something please

Can you do the following please

Download and UNZIP to desktop DPF.zip
So you now have dpf.bat extracted to desktop

Double click on dpf.bat and a text file will open

Can you copy and paste that info back here, thanks

twinpeaks · « **Reply #16 on:** May 29, 2005, 10:11:01 PM »

olume in drive C is HP_PAVILION
Volume Serial Number is 7888-AAB4

Directory of C:\WINDOWS\Downloaded Program Files

05/28/2005 02:12 PM <DIR> BUILTIN\Administrators .
05/28/2005 02:12 PM <DIR> BUILTIN\Administrators ..
04/09/2003 10:17 PM 65 BUILTIN\Administrators desktop.ini
10/15/1997 01:52 AM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
09/05/2001 05:22 AM 24,576 STEVEMAIN\Owner iSetup.dll
09/05/2001 05:21 AM 159,744 STEVEMAIN\Owner iSetup.exe
09/05/2001 05:22 AM 411 STEVEMAIN\Owner isetup.inf
08/25/2003 06:12 PM 1,096 STEVEMAIN\Owner iuctl.inf
02/23/2004 04:37 PM 740 STEVEMAIN\Owner jinstall-1_4_2_04.inf
01/20/2000 03:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
10/09/2003 11:32 AM 144 STEVEMAIN\Owner QTPlugin.inf
11/10/2003 02:29 PM 5,555,056 STEVEMAIN\Owner QuickTimeInstallCache.qdat
12/08/2003 02:58 PM 3,759 STEVEMAIN\Owner swflash.inf
05/03/2005 11:42 AM 2,144 STEVEMAIN\Owner xscan60.inf
05/03/2005 11:45 AM 475,190 STEVEMAIN\Owner xscan60.ocx
08/07/2003 01:36 PM 530 STEVEMAIN\Owner Yahoo! Chess.osd
14 File(s) 6,225,314 bytes
2 Dir(s) 6,799,147,008 bytes free

guestolo · « **Reply #17 on:** May 29, 2005, 11:01:31 PM »

You said this just started happening?
What have you installed recently besides the tools I asked of you?

Can you do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Messenger <--this is not MSN Messenger for your information

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Do the same for this one too
Alerter

Post a fresh hijackthis log and let me know if you get any more popups

Could you also do the following
Open Hijackthis>>Open Misc tools section
Check both
List all minor sections(full)
List empty sections (complete)
Then click the "Generate Startuplist log" button
A text file will open
Copy and paste back the whole contents of this log too

twinpeaks · « **Reply #18 on:** May 29, 2005, 11:32:41 PM »

It was happening ever since the allstarsearch infection began yesterday.

I haven't installed anything since then.

Logfile of HijackThis v1.99.1
Scan saved at 9:31:57 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WordWeb\wweb32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {01B05E0F-7044-1A45-2086-5EE12442047C} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {40A37E2C-C667-1CB0-86A1-71266ECE8B71} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4665A2C5-F020-09F6-803F-0BF87AA64B90} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4BDED2AF-44DC-4EE8-C6E7-6A0406D10AE1} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4CD6CEC0-F49E-420F-8C1F-324017A60D78} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {75D15F2B-5377-7B4E-0200-28FE58C735F7} - http://69.50.182.94/1/rdgUS1953.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

twinpeaks · « **Reply #19 on:** May 30, 2005, 12:13:58 AM »

i am still getting the popup.

News:

Author Topic: please help: browser hijacked by "allstarsearch" (Read 4921 times)

Guest