
Crimea.ua [CLOSED]


  • This topic is locked

#1
mra

    New Member
When I fill out an html form that has a field for a URL on it, if I leave the field blank a link to a [bleep]/viagrra/discount drug site is inserted (url always starts with http://vvvvvv.crimea.ua)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:56:10 AM, 11/30/2005
+ Report-Checksum: 4144365A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{262277EC-5BB5-4849-8BF2-1824330C9CAC} -> Spyware.NauPointBar : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-95BE-B378BA9CB52D} -> Spyware.NauPointBar : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1028F737-81E7-452B-A860-E50CAD90A08C} -> Spyware.SpyAssassin : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6375B3AD-4440-4C1F-95E5-A24198ED671C} -> Spyware.Naupoint : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{262277EC-5BB5-4849-8BF2-1824330C9CAC} -> Spyware.NauPointBar : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} -> Spyware.NauPointBar : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60261C06-81B0-4DE0-9313-E5BA203A64E9} -> Spyware.NauPointBar : Cleaned with backup
HKU\S-1-5-21-2237618801-2473158327-1041436101-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6375B3AD-4440-4C1F-95E5-A24198ED671C} -> Spyware.Naupoint : Cleaned with backup
[688] C:\WINDOWS\system32\g46mg.dll -> TrojanDownloader.Small.acw : Error during cleaning
:mozilla.7:C:\Documents and Settings\malessio\Application Data\Mozilla\Profiles\default\uzbxt6gs.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\malessio\Application Data\Mozilla\Profiles\default\uzbxt6gs.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\malessio\Application Data\Qualcomm\Eudora\attach\Health_and_knowledge.zip/t_535475.exe -> TrojanProxy.Mitglieder.dx : Cleaned with backup
C:\Documents and Settings\malessio\Application Data\Qualcomm\Eudora\attach\newprice.zip/price.cpl -> Worm.Bagle.ct : Cleaned with backup
C:\Documents and Settings\malessio\Application Data\Qualcomm\Eudora\attach\Valentyne.zip/1.exe -> TrojanDownloader.Bagle.d : Cleaned with backup
C:\Documents and Settings\malessio\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\malessio\Cookies\malessio@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\malessio\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\malessio\Cookies\malessio@itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\malessio\Local Settings\Temporary Internet Files\Content.IE5\ZV5FVHKW\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\RECYCLER\S-1-5-21-2237618801-2473158327-1041436101-1008\Dc1\CWrapper.dll -> Adware.PSGuard : Cleaned with backup
C:\RECYCLER\S-1-5-21-2237618801-2473158327-1041436101-1008\Dc1\WinHound.exe -> Adware.PSGuard : Cleaned with backup
C:\RECYCLER\S-1-5-21-2237618801-2473158327-1041436101-1008\Dc2.virus\CWrapper.dll -> Adware.PSGuard : Cleaned with backup
C:\RECYCLER\S-1-5-21-2237618801-2473158327-1041436101-1008\Dc2.virus\WinHound.exe.virus -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP277\A0036083.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP316\A0042377.dll -> Spyware.FreeComm : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP338\A0045447.dll -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP338\A0045452.exe -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP348\A0046505.dll -> TrojanDownloader.Small.acw : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP348\A0046506.dll -> TrojanDownloader.Small.acw : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pdfmgr.dll -> Spyware.MegaSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__g46mg.dll -> TrojanDownloader.Small.acw : Cleaned with backup
:mozilla.6:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.7:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.13:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.17:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.18:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.19:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.20:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.21:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.23:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.24:E:\Documents and Settings\Michael Alessio\Application Data\Mozilla\Profiles\default\3qebfnoz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
E:\Documents and Settings\Michael Alessio\Cookies\michael alessio@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
E:\Documents and Settings\Michael Alessio\Cookies\michael alessio@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
E:\Documents and Settings\Michael Alessio\Cookies\michael alessio@specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
E:\Documents and Settings\Michael Alessio\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Michael Alessio\Local Settings\Temporary Internet Files\Content.IE5\HKOBT5KP\wmp[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
E:\Documents and Settings\Trudi Seiwald\Cookies\trudi seiwald@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
E:\Documents and Settings\Trudi Seiwald\Cookies\trudi seiwald@specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
E:\Documents and Settings\Trudi Seiwald\Cookies\trudi [email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:15:55 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Perforce\P4Webs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\malessio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://computer.perforce.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eessl3.webex...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E66B1443-4E27-4791-BF53-A8E36E169E7B}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = perforce.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{E66B1443-4E27-4791-BF53-A8E36E169E7B}: NameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = perforce.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: iexplore - g46mg.dll (file missing)
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: P4Demo - Unknown owner - c:\P4Demo\p4s.exe (file missing)
O23 - Service: P4Demo2005.1 - Unknown owner - c:\P4DemoRoot\P4Server\p4s.exe
O23 - Service: Perforce - Unknown owner - C:\P42005.1\p4s.exe (file missing)
O23 - Service: Perforce Web - Unknown owner - C:\PROGRA~1\Perforce\P4Webs.exe


#2
andydf

    Visiting Staff
Hi, mra
Welcome to Geeks to Go :)

Sorry about the delay in replying to your post, the forums have been very busy lately. As it's been a few days since your original post, please could you post a new HJT log for me to see.

If you have resolved your issues, please let us know.

Andy :tazz:

#3
mra

    New Member
Thanks Andy!

There's a pint of Flowers in it for you if you can make my problem die a horrible death. :-)

Cheers,
MRA


Logfile of HijackThis v1.99.1
Scan saved at 12:56:54 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Perforce\P4Webs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\dwj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://computer.perf...anet/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\malessio\Application Data\Mozilla\Profiles\default\uzbxt6gs.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eessl3.webex...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E66B1443-4E27-4791-BF53-A8E36E169E7B}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = perforce.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{E66B1443-4E27-4791-BF53-A8E36E169E7B}: NameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = perforce.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: iexplore - g46mg.dll (file missing)
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: P4Demo - Unknown owner - c:\P4Demo\p4s.exe (file missing)
O23 - Service: P4Demo2005.1 - Unknown owner - c:\P4DemoRoot\P4Server\p4s.exe
O23 - Service: Perforce - Unknown owner - C:\P42005.1\p4s.exe (file missing)
O23 - Service: Perforce Web - Unknown owner - C:\PROGRA~1\Perforce\P4Webs.exe

#4
andydf

    Visiting Staff
Hi mra
Make it a pint of beer and you've got a deal :)

Please follow these instructions.
  • Open internet explorer
  • Click tools-> internet options-> content-> auto complete
  • Uncheck any boxes and click the clear form tab
  • Click OK
Next
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :)

Andy :tazz:

#5
mra

    New Member
Hiya Andy!

It must have been a while since you have used Webroot's product, as it now requires a subscription to save the log or automatically remove the items, so instead I have attached a screenshot of the results for you, and also edited the registry myself to remove the offending entries and deleted the offending files.

And it must also have been a long time since you have been in a pub down south, as the Flowers I was referring to was not a type of flora, but rather a real ale of some quality :-) Generally available in better pubs in Berkshire.

Upon reboot, the problem has disappeared, so I guess you earned a pint!

Cheers (and thanks),
MRA

Attached Thumbnails

  • Webroot.jpg


#6
andydf

    Visiting Staff
Hi mra

I did wonder why you said a "pint of flowers" :woot: and you're right, I haven't been in a pub down south for a while. Must admit though, I am partial to a good real ale when I can get to the pub. :)

Back to the serious stuff, Webroot have moved their trial version to a different location :) only found out today. http://www.download....4-10405877.html is the link we are now using, it may be a good idea to download and use it just to be sure.

Please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :woot:

Andy :tazz:

#7
andydf

    Visiting Staff
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.