Google search hijack from 85.255.117.2

#1 Gladius (Member, 29 posts)
Hello all... I've got a feeling even the experts here will have problems helping me with this.

I've tried every single thing listed on the to-do before posting here, with 0 results. Or, rather, all those programs have picked up only some spyware and adware that never bothered me at all. *sigh*

The problem is that I seem to have partially removed the damned thing myself already. With HT I've found a registry entry with the IP 85.255.117.2 that hijacks my Google searches and funnels them to one of a number of other crap/fake search engines (abcsearch.com among them) and removed it... however, the IE hijacking persists. And it's now not detected by anything any more. Even a registry search for that IP comes up blank. Blocking that IP and abcsearch.com in the hosts file doesn't work either. (Hosts is clean otherwise).

So I'm at a loss... I'll post a HT log, but it probably won't do you any good, since it's clean as far as I can tell:

Logfile of HijackThis v1.99.1
Scan saved at 15:14:31, on 16.1.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.co...mlsBHNlYwN0bg--
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VersionBackupRun.lnk = C:\Program Files\VersionBackup\VBackRun.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#2 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder).

Regards,
  • 0

#3 Gladius (Topic Starter, Member, 29 posts)
Here it is:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 25.9.2005 15:59:20 192000 C:\WINDOWS\citysplendor_SS.scr
aspack 31.7.2005 18:48:08 192000 C:\WINDOWS\Elsdaughter_SS.scr
aspack 11.10.2005 23:46:02 545280 C:\WINDOWS\flashax.exe
aspack 11.10.2005 23:46:06 192000 C:\WINDOWS\witch_SS.scr

Checking %System% folder...
UPX! 20.12.2005 13:21:38 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
UPX! 9.6.2004 13:17:42 33792 C:\WINDOWS\SYSTEM32\cpwiuy.dll
PEC2 23.8.2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 13.1.2006 16:14:52 705 C:\WINDOWS\SYSTEM32\dgprpsetup.exe
UPX! 12.8.2004 12:54:46 35840 C:\WINDOWS\SYSTEM32\ecesq.dll
Umonitor 29.8.2002 2:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 30.4.2004 20:46:24 28672 C:\WINDOWS\SYSTEM32\t3odm.dll
UPX! 26.3.2004 15:32:36 99328 C:\WINDOWS\SYSTEM32\t5rdv.dll
winsync 23.8.2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
20.1.2006 16:24:02 S 2048 C:\WINDOWS\bootstat.dat
9.1.2006 16:20:40 H 54156 C:\WINDOWS\QTFont.qfn
20.1.2006 13:12:34 H 35880 C:\WINDOWS\system32\vsconfig.xml
28.12.2005 15:05:16 H 4212 C:\WINDOWS\system32\zllictbl.dat
3.1.2006 0:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
20.1.2006 16:23:56 H 8192 C:\WINDOWS\system32\config\default.LOG
20.1.2006 16:24:44 H 1024 C:\WINDOWS\system32\config\SAM.LOG
20.1.2006 16:24:04 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
20.1.2006 16:25:14 H 110592 C:\WINDOWS\system32\config\software.LOG
20.1.2006 16:24:02 H 876544 C:\WINDOWS\system32\config\system.LOG
14.12.2005 5:13:36 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\43f41903-88a4-48c4-a695-1be1564beb01
14.12.2005 5:13:36 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
20.1.2006 16:23:00 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
19.8.2003 8:20:04 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 23.8.2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 28.4.2004 16:19:38 14263296 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 29.8.2002 2:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29.8.2002 2:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 23.8.2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 26.5.2003 13:12:14 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29.8.2002 2:41:28 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29.8.2002 2:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.8.2002 2:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 23.8.2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 23.8.2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23.8.2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23.8.2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 15.7.2004 10:42:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 23.8.2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23.8.2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23.8.2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29.8.2002 2:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23.8.2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23.8.2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 23.8.2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29.8.2002 2:41:28 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29.8.2002 2:41:28 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 23.8.2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29.8.2002 2:41:28 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29.8.2002 2:41:28 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29.8.2002 2:41:28 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 23.8.2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23.8.2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23.8.2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23.8.2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23.8.2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23.8.2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 23.8.2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29.8.2002 2:41:28 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29.8.2002 2:41:28 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 23.8.2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 23.8.2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
NVIDIA Corporation 6.10.2003 13:16:00 73728 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
18.6.2004 14:37:20 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
18.6.2004 16:41:48 893 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
18.6.2004 16:11:44 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
18.6.2004 21:09:48 1623 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VersionBackupRun.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
18.6.2004 16:17:22 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
18.6.2004 14:37:20 HS 84 C:\Documents and Settings\Sorcerer\Start Menu\Programs\Startup\desktop.ini
27.5.2005 12:59:24 713 C:\Documents and Settings\Sorcerer\Start Menu\Programs\Startup\Miranda IM.lnk

Checking files in %USERPROFILE%\Application Data folder...
18.6.2004 16:17:22 HS 62 C:\Documents and Settings\Sorcerer\Application Data\desktop.ini
3.4.2005 22:07:40 41080 C:\Documents and Settings\Sorcerer\Application Data\GDIPFONTCACHEV1.DAT
29.5.2005 19:14:00 12 C:\Documents and Settings\Sorcerer\Application Data\uns.tmp

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9455301C-CF6B-11D3-A266-00C04F689C50}
Encarta &Researcher = C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}
ButtonText = Researcher :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
USRpdA C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
SoundMan SOUNDMAN.EXE
zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
NvMediaCenter RunDLL32.exe NvMCTray.dll,NvTaskbarInit
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
CloneCDTray "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun ±
NoBandCustomize 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
  • 0

#4 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Right-click My Computer > Hardware tab > Device Manager
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx
Disable it (and reboot if prompted)

Let me know if it was present so we can clean up the rest.

Regards,
  • 0

#5 Gladius (Topic Starter, Member, 29 posts)
Nope, not there... a bunch of other suspicious stuff is, however...

Screenshot attached.

Attached thumbnail: devices.JPG

  • 0

#6 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
If you don't know what you are looking at, everything in there looks suspicious.

Download, install and run UnHackMe:
http://www.greatis.com/unhackme/

If it finds everything please make notes of the results, so we will know what exactly was found and removed.

Regards,
  • 0

#7 Gladius (Topic Starter, Member, 29 posts)
Actually, it found a grand total of nothing. Neither regularly, nor in safe mode...
  • 0

#8 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
OK. Then I'll assume the rootkit was partly removed by all the scanners you used.


Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip

Copy the code below into notepad and save it as move.bfu
Set Filetype to "All files" and save it to the same folder as BFU.exe
FolderCreate C:\samples
OptionUnloadShell
FileMove C:\WINDOWS\SYSTEM32\ecesq.dll|C:\samples
FileMove C:\WINDOWS\SYSTEM32\cpwiuy.dll|C:\samples
FileMove C:\WINDOWS\SYSTEM32\t3odm.dll|C:\samples
FileMove C:\WINDOWS\SYSTEM32\t5rdv.dll|C:\samples
SystemRestart Let the computer reboot now|1

In BFU click the explorer button and navigate to and select move.bfu
Execute the script by clicking the Execute button.

Close as many programs as possible since the script will reboot your computer.

If you have any questions about the use of BFU please read here:
http://metallica.gee...structions.html


Let me know if it helped.

Regards,
  • 0
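The WinPFind listing in post #3 and the four System32 DLLs picked out of it for the BFU script above are the kind of selection a small triage script can reproduce. The Python below is an added example, not part of the thread and not a WinPFind or BFU feature: it parses WinPFind's file lines and flags packed binaries in System32 whose names look machine-generated. The packer tags, paths and sample lines are copied from the thread's log; the name heuristic and its thresholds are my own assumption.

```python
"""Triage helper for WinPFind file listings. Editorial example added to the
thread; not part of it and not a WinPFind or BFU feature.

WinPFind prints one line per file:  <tag> <d.m.yyyy> <h:mm:ss> [<attrs>] <size> <path>
<tag> is a packer signature (UPX!, FSG!, aspack, PEC2 ...) or a vendor name; <attrs>
(H, S, HS) appears only in the hidden/system file section. The name heuristic and
its thresholds are my own assumption, not a published rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Packer/signature strings exactly as WinPFind printed them in the thread's log.
PACKER_TAGS = {"UPX!", "FSG!", "aspack", "PEC2"}
BINARY_EXTS = (".dll", ".exe", ".sys")

LINE_RE = re.compile(
    r"^(?:(?P<tag>.*?) )?"              # packer tag or vendor name (may contain spaces)
    r"(?P<date>\d{1,2}\.\d{1,2}\.\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?:(?P<attrs>[HSRA]+) )?"         # attribute flags, hidden-file section only
    r"(?P<size>\d+) "
    r"(?P<path>[A-Za-z]:\\.+)$"
)


@dataclass
class Entry:
    tag: Optional[str]
    date: str
    time: str
    attrs: Optional[str]
    size: int
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_winpfind(text: str) -> List[Entry]:
    """Parse every file line of a WinPFind report; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["tag"], m["date"], m["time"], m["attrs"],
                                 int(m["size"]), m["path"]))
    return entries


def looks_generated(stem: str) -> bool:
    """Short, only lowercase letters/digits, and either has a digit or is vowel-poor."""
    if not 4 <= len(stem) <= 8 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return any(c.isdigit() for c in stem) or vowels / len(stem) <= 0.4


def triage(text: str) -> List[Entry]:
    """Packed, in System32, a loadable binary, and named like something generated
    at install time. Packing alone is not enough: avast's aswBoot.exe in the same
    log is UPX-packed and legitimate, and its mixed-case name keeps it out."""
    hits = []
    for e in parse_winpfind(text):
        stem, _, ext = e.name.rpartition(".")
        if (e.tag in PACKER_TAGS
                and e.path.lower().startswith("c:\\windows\\system32\\")
                and "." + ext.lower() in BINARY_EXTS
                and looks_generated(stem)):
            hits.append(e)
    return hits


# Constructed sample: lines copied from the thread's WinPFind output.
SAMPLE_LOG = r"""
Checking %System% folder...
UPX! 20.12.2005 13:21:38 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
UPX! 9.6.2004 13:17:42 33792 C:\WINDOWS\SYSTEM32\cpwiuy.dll
PEC2 23.8.2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 13.1.2006 16:14:52 705 C:\WINDOWS\SYSTEM32\dgprpsetup.exe
UPX! 12.8.2004 12:54:46 35840 C:\WINDOWS\SYSTEM32\ecesq.dll
Umonitor 29.8.2002 2:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 30.4.2004 20:46:24 28672 C:\WINDOWS\SYSTEM32\t3odm.dll
UPX! 26.3.2004 15:32:36 99328 C:\WINDOWS\SYSTEM32\t5rdv.dll
winsync 23.8.2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
20.1.2006 13:12:34 H 35880 C:\WINDOWS\system32\vsconfig.xml
Realtek Semiconductor Corp. 28.4.2004 16:19:38 14263296 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.tag:8}{e.date:>11}{e.size:>9}  {e.path}")
```

On the sample it flags exactly cpwiuy.dll, ecesq.dll, t3odm.dll and t5rdv.dll, the four files the BFU script moves; the hits are candidates for a closer look (vendor, signature, online lookup), not a verdict.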

#9 Gladius (Topic Starter, Member, 29 posts)
Well, it seems to have removed the Google hijack... I've tried using Google several times, and I don't get redirected any more. However, I now have a whole bunch of problems I didn't have before.

For starters, I keep having issues accessing geekstogo.com... I've been trying for 2 hours now and it didn't work before no matter what (I could access other sites just fine). But now I can access it again all of a sudden. Hosts file is fine; pinging the site gave me timeouts when I couldn't access it. Network settings are fine (automatic, no proxy). !#$%#!&%$#&%$#/ (I should note that I've been getting sporadic timeouts accessing the site before as well, but it usually worked after a few reloads).

Then IE and Firefox... both now take about 2 minutes after I run them before I can start using them... it's as if they were frozen for 2 minutes every time I open a new window. I suspect any of the dozen or so anti-spyware or whatever programs I have installed by now, but I've had them for about 3 days now and it only got so bad in the last few hours. I tried killing the Spy Sweeper process and ewido since this was also happening in safe mode, but it made no difference... browsers were still crawling. The same thing happens with XP now once I start it too - it's nearly frozen for 2 minutes after it starts. Opera runs normally, however.

Any suggestions?

I ran a sweep with SS, and it found a bunch of stuff (I don't know if any of it is still active). Unfortunately I can't remove any of it with the trial version.

Screenshot's attached. Thanks for your help.

Attached thumbnail: spysweeper.JPG

  • 0

#10 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I think we found the evil one.

Most of the files found are in your Restore Points.
We will clean those out once your computer is working as it should.

Can you go back to the drivers section you made a screenshot of earlier?

There is one at the bottom with an exclamation mark beside it, named ZPMODEMSYSNTDRVNT
Disable that one and reboot.
Then find and delete these files (if present):
c:\windows\system32\drivers\zpmodemnt.sys
c:\windows\system32\idemlog.exe
c:\windows\system32\idesk.conf

Let me know if that solves the issue.

Regards,
  • 0

#11 Gladius (Topic Starter, Member, 29 posts)
Nope, didn't help with the slowdowns. But I have noticed that apparently the slowdowns in browsers only happen when I want to check Favourites or bookmarks.... or primarily there anyway. I can use IE fine otherwise, but when I click on Favourites, the whole thing freezes for a while. I suspected that Spy Sweeper IE favourites shield, but I've had it off from the get go... and it still happens even if I kill the SS process.

Also, I don't know if this is relevant or not, but for the last few days I've been getting error windows at shutdown or restart about this:

C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe

(one of those anyway I think). I can't take a screenshot of that, so I'll write it down next time it happens. I've never had that show up before, but I think it started happening after I installed that MS wmv exploit fix, so it might be related to that.

Only c:\windows\system32\drivers\zpmodemnt.sys was present; I've deleted the rest before.
  • 0

#12 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
OK.

The errors seem to point at your modem:
http://www.auditmypc...ss/usrmlnka.asp

It may help to re-install the drivers for that.

Can you open an Explorer window and click your way to this folder:
C:\Documents and Settings\Sorcerer\Favorites

Let me know if explorer freezes up as well when you look in there.
If it does, it may be best to empty it all out.

Regards,
  • 0

#13 Gladius (Topic Starter, Member, 29 posts)
I don't really use that modem for anything; it's just a legacy I need to keep for some banking software to work. My actual Internet connection is ADSL.

I've never actually even installed any drivers for that USR modem...

I've tried accessing favourites like you suggested, and it did freeze up, but for a very short time... a few seconds only. It takes substantially longer in IE. I've checked and I have about 1520 bookmarks atm... too much for IE to handle?

I could clean it up a bit, but not beyond maybe 100 less...
  • 0

#14 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
With that number of favorites it might prove hard to find one bad apple.

Maybe you can sort them by date and remove the ones that were added around the date when this problem started.

Regards,
  • 0

#15 Gladius (Topic Starter, Member, 29 posts)
I've looked through everything added in the last two weeks (there wasn't that much), and it's all fine... nothing there that I didn't put there. Do you think this could be just due to the number of them? It just seems strange that it'd start slowing things down so right now, while it was perfectly ok before...
  • 0
