cvw3design
asked on
redirect to google search doubleclick randomly
Hello.
I am fixing a computer that randomly gets redirected to a Google search "http://ad.doubleclick.net/adi/N3271.SpecificMedia/B3361533.5;sz=300x250;click=http://ads.specificmedia.com/click/v=5;m=2;l=331;c=5332;b=23086;-0;ts=20090326123720;dct=;ord=20090326123720"
It usually happens while in Yahoo mail, but it has happened in other locations as well. At first I thought that it might be a problem with the DNS, so I changed the DNS setting to OpenDNS. I then returned the computer to the user because I thought the problem was resolved and I could not reproduce the problem. I got a phone call a day later saying that the same problem occurred. I scanned using Ad-Aware, Spybot S&D, Avast and HijackThis. The system is fully patched.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:42 PM, on 4/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\osk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Advertising Cookie Opt-out - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] "C:\Windows\RtHDVCpl.exe"
O4 - HKLM\..\Run: [Skytel] "C:\Windows\Skytel.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] "C:\Windows\WindowsMobile\wmdcBase.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Qwest Live - {F86457D1-0452-4150-9F79-1D7CAF56AE35} - http://qwest.live.com (file missing) (HKCU)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9b4132bf8c11) (gupdate1c9b4132bf8c11) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9828 bytes
I believe the DNS servers are legit ones related to OpenDNS, probably configured by the user or network admin.
ASKER
Here is the updated HijackThis log. You are correct, Admin3k. The DNS servers are legit; they are OpenDNS's servers.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:46 PM, on 4/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Advertising Cookie Opt-out - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] "C:\Windows\RtHDVCpl.exe"
O4 - HKLM\..\Run: [Skytel] "C:\Windows\Skytel.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] "C:\Windows\WindowsMobile\wmdcBase.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Qwest Live - {F86457D1-0452-4150-9F79-1D7CAF56AE35} - http://qwest.live.com (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9b4132bf8c11) (gupdate1c9b4132bf8c11) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IZE - Sysinternals - www.sysinternals.com - C:\Users\Owner\AppData\Local\Temp\IZE.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VBD - Sysinternals - www.sysinternals.com - C:\Users\Owner\AppData\Local\Temp\VBD.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9337 bytes
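A small triage script for the two HijackThis sections this thread turns on: the O17 NameServer entries Admin3k checked against OpenDNS, and the O23 service list in the updated log. It is an added example, not code from the thread or from Trend Micro. It parses the log's own O17/O23 lines (re-joined from the log above), labels each resolver against the two OpenDNS addresses the thread names, and lists for a manual look any service whose binary runs from a Temp directory; the CONSTRUCTED_O17 line with a placeholder GUID and the RFC 5737 test address 192.0.2.53 is constructed to show the "unknown resolver" path.

```python
"""Triage the O17 (NameServer) and O23 (Service) lines of a HijackThis log."""
import re
from dataclasses import dataclass, field

# Resolvers the thread identifies as OpenDNS. Anything not listed here is
# reported as "unknown" so a person verifies it instead of the script guessing.
KNOWN_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,]+)\s*$")
O23_RE = re.compile(r"^O23 - Service: (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")      # first 'X:\...' to end of line
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Triage:
    resolvers: dict = field(default_factory=dict)      # ip -> "OpenDNS" / "unknown"
    services: list = field(default_factory=list)       # (name, vendor, path)
    temp_services: list = field(default_factory=list)  # (name, path) worth a look


def parse_o17(line: str):
    """Return the NameServer addresses of an O17 line, or None if it is not O17."""
    m = O17_RE.match(line)
    if not m:
        return None
    return [ip for ip in m.group("servers").split(",") if ip]


def parse_o23(line: str):
    """Split an O23 line into (name, vendor, path).

    The path is found by the first drive letter rather than by splitting on
    ' - ', because paths such as 'Spybot - Search & Destroy' and vendor
    strings such as 'Sysinternals - www.sysinternals.com' contain that separator."""
    m = O23_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    p = DRIVE_PATH_RE.search(body)
    if p is None:
        return None
    path = p.group(0).strip()
    head = body[: p.start()].rstrip(" -")
    name, _, vendor = head.partition(" - ")
    return name.strip(), vendor.strip(), path


def triage(log_text: str) -> Triage:
    """Walk a HijackThis log and collect what a reviewer checks first."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        servers = parse_o17(line)
        if servers is not None:
            for ip in servers:
                result.resolvers[ip] = KNOWN_RESOLVERS.get(ip, "unknown")
            continue
        svc = parse_o23(line)
        if svc is not None:
            name, _vendor, path = svc
            result.services.append(svc)
            # A service binary under a Temp directory is unusual enough to
            # deserve a manual look whatever vendor string the entry carries.
            if TEMP_DIR_RE.search(path):
                result.temp_services.append((name, path))
    return result


def unknown_resolvers(t: Triage) -> list:
    """Sorted list of NameServer addresses that matched no known resolver."""
    return sorted(ip for ip, label in t.resolvers.items() if label == "unknown")


# Lines re-joined from the updated log in the thread above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4052C31B-365D-46B1-9832-064897757350}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Google Update Service (gupdate1c9b4132bf8c11) (gupdate1c9b4132bf8c11) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IZE - Sysinternals - www.sysinternals.com - C:\Users\Owner\AppData\Local\Temp\IZE.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VBD - Sysinternals - www.sysinternals.com - C:\Users\Owner\AppData\Local\Temp\VBD.exe
"""

# Constructed line (placeholder GUID, RFC 5737 test address) to exercise the
# "unknown resolver" branch; it is not from the thread's log.
CONSTRUCTED_O17 = (
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: "
    "NameServer = 192.0.2.53"
)

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for ip, label in t.resolvers.items():
        print(f"resolver {ip}: {label}")
    for name, path in t.temp_services:
        print(f"review: service {name!r} runs from {path}")
    print("unknown resolvers in constructed line:", unknown_resolvers(triage(CONSTRUCTED_O17)))
```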
O23 - Service: VBD - Sysinternals - www.sysinternals.com - C:\Users\Owner\AppData\Loc
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVER
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdat
--
End of file - 9337 bytes
ASKER
I also ran Malwarebytes; here is the log file associated with that.
Malwarebytes' Anti-Malware 1.35
Database version: 1938
Windows 6.0.6001 Service Pack 1
4/3/2009 2:16:42 PM
mbam-log-2009-04-03 (14-16-42).txt
Scan type: Quick Scan
Objects scanned: 63961
Time elapsed: 3 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ASKER
I could not find any of the following files:
"Or, look for any of these FAKE files (search engine hijackers) and delete them if present in the system32 folder. (Delete in Safe Mode if they won't go easily.)
C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad
If the above files are not found in the system, also check the registry key below and check the values of "aux, aux1, aux2, aux3, aux4" to make sure there are no values pointing to random filenames (similar to the ones below):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"="C:\WINDOWS\system32\..\kvlhurx.niq"
"aux2"="C:\Windows\system32\..\wkliog.nyc"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" "
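Added example, not part of the thread and not any vendor's tool: a read-only PowerShell audit of the two checks the quoted advice asks for (the three fake file names in system32, and aux* values in the Drivers32 key that point away from the normal driver). The expectation that a legitimate aux value is the bare name wdmaud.drv, and the heuristics that flag a value, are assumptions of this example; it reports and does not delete anything.

```powershell
# Added example (not the thread's advice or any vendor tool): read-only audit of the
# search-hijacker indicators described above. Run from an elevated PowerShell prompt.
$Drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$System32  = Join-Path $env:SystemRoot 'System32'

# File names the thread calls fake; the legitimate audio driver is wdmaud.drv, not wdmaud.sys.
$FakeFileNames = 'wdmaud.sys', 'sysaudio.sys', 'ntnet.drv'

function Find-FakeAudioFiles {
    foreach ($name in $FakeFileNames) {
        $path = Join-Path $System32 $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{ Indicator = 'FakeFile'; Entry = $path
                               Detail = "size=$($f.Length) created=$($f.CreationTime)" }
        }
    }
}

function Find-SuspiciousAuxValues {
    $props = Get-ItemProperty -Path $Drivers32 -ErrorAction Stop
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^aux\d*$') { continue }      # aux, aux1, aux2, ...
        $raw   = [string]$p.Value
        $value = [Environment]::ExpandEnvironmentVariables($raw)   # resolves %username% etc.
        $why   = @()
        # Assumption: Windows sets aux to the bare name wdmaud.drv, loaded from System32.
        # Every hijacker example quoted above reaches elsewhere through a "\..\" segment.
        if ($value -match '\\\.\.\\')              { $why += 'path traversal (..)' }
        if ($value -match '^[A-Za-z]:' -and
            $value -notlike "$System32\*")         { $why += 'absolute path outside System32' }
        if ($value -notmatch '\.drv$')             { $why += 'extension is not .drv' }
        if ($value -match '\\temp\\')              { $why += 'lives under a Temp folder' }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Indicator = 'Drivers32'; Entry = "$($p.Name)=$raw"
                               Detail = ($why -join '; ') }
        }
    }
}

$findings = @(Find-FakeAudioFiles) + @(Find-SuspiciousAuxValues)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No hijacker indicators found.' }
```

A flagged Drivers32 entry names the file the audio subsystem will load at logon, which is what to quarantine or submit for analysis before changing the value back to wdmaud.drv.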