Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Google redirect virus again

Status
Not open for further replies.
Dylans

Dylans

Technical User
Feb 27, 2008
5
Hi all,
I also seem to have picked up this redirect virus

My Hijackthis log reads as follows

Logfile of HijackThis v1.99.1
Scan saved at 20:26:19, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C5F416-5EFB-4B3F-9DF3-0E616112FACA}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

All advice would be very much appreciated.

Thanks in advance
 
Sort by date Sort by votes
Check these and click fix checked.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67

O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67

O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C5F416-5EFB-4B3F-9DF3-0E616112FACA}: NameServer = 85.255.113.142,85.255.112.67

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67

O17 - HKLM\System\CS1\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67

O17 - HKLM\System\CS2\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67

Now download ccleaner and avg anti spyware from the links below. Open up and run ccleaner first allowing it to remove all temp stuff from the computer.

Next open up avg anti spyware, click on scanner, then settings, click on the blue link that says "default action for detected malware" and set it to delete. Run a full system scan deleting everything it finds.



Once done, post another logfile on here.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Please download FixWareout from one of these sites:




Save it to your desktop and run it. Click Next, then Install, then make sure
"Run fixit" is checked and click Finish. The fix will begin; follow the
prompts. You will be asked to reboot your computer; please do so. Your
system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will
launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt,
along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix -
Scroll down to get XP Fix

And run FixWareout again.






have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O17 - HKLM\System\CCS\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C5F416-5EFB-4B3F-9DF3-0E616112FACA}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.67
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


* Go to Control Panel. - If you are using Windows XP's Category View, select
the Network and Internet Connections category. If you are in Classic View,
go to the next step .

* Double-click the Network Connections icon
* Right-click the Local Area Connection icon and select Properties.
* Hilight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.



* Restart your computer.


* Got to Start > Run and type in cmd.
Click OK.
Type this line in the command window:

ipconfig /flushdns

Hit Enter.





Go here and downlaod the latest version of java, once
downloaded, go to add/remove and uninstall all previous versions of java
from add/remove and then instlall the latest version you just downloaded!






Download AVG Anti-Spyware



* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition
files.
* On the main screen select the icon "Update" then select the "Update now"
link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the
screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select
"Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
later in safe mode.





* Click here to download ATF Cleaner by Atribune and save it to your
desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:




Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning
as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on
"Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little
time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all
actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen
and save it to a text file on your system (make sure to remember where you
saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.






Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,



double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on
mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the section of Mwav which says " virus log information "
which lists infected items and hold CTRL + C to Copy then paste it here. The
I just need the infected items list.



Post a new hijack this, the fixwareout log, the Mwav scan log and the AVg antispware log!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
If you don't have an anti virus then download and once installed update anti vir!


Anti-vir


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Thanks so much for all your help, will keep you posted how I get on
 
Upvote 0 Downvote
Here are my new logs following on from pechenegs advice - do I need to do the other suggestions also?

Username "Dylan" - 01/03/2008 12:14:06 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdonw.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.142 85.255.112.67" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}
"nameserver"="85.255.113.142,85.255.112.67" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}
"nameserver"="85.255.113.142" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C3C5F416-5EFB-4B3F-9DF3-0E616112FACA}
"nameserver"="85.255.113.142,85.255.112.67" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}
"DhcpNameServer"="85.255.113.142,85.255.112.67" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C3C5F416-5EFB-4B3F-9DF3-0E616112FACA}
"DhcpNameServer"="85.255.113.142,85.255.112.67" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D6CA9BB6-62F1-4550-8064-50BF3F675122}
"DhcpNameServer"="85.255.113.142,85.255.112.67" <Value cleared.

Se vació con éxito la caché de resolución de DNS.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdonw.ren 73787 13/06/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NeroFilterCheck"="C:\\Archivos de programa\\Archivos comunes\\Ahead\\Lib\\NeroCheck.exe"
"ZoneAlarm Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\AutorunsDisabled]
"NeroFilterCheck"="C:\\Archivos de programa\\Archivos comunes\\Ahead\\Lib\\NeroCheck.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Archivos de programa\\Logitech\\Video\\ManifestEngine.exe\" boot"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Archivos de programa\\Archivos comunes\\Ahead\\Lib\\NMBgMonitor.exe\""
"updateMgr"="\"C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MsnMsgr"="\"C:\\Archivos de programa\\MSN Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:00:51 01/03/2008

+ Scan result:



C:\cuarentena\mshlpa.exe.Vir.Vir.Vir -> Logger.Agent.od : Cleaned.
:mozilla.47:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.86:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.87:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.88:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.40:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.43:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.71:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.72:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.55:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Co : Cleaned.
:mozilla.69:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.44:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.52:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.22:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.23:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.24:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.25:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.26:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.27:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.56:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.57:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.37:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.39:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.10:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.7:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.8:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.9:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.60:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.70:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.78:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.79:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.80:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.81:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.41:C:\Documents and Settings\Roberto\Datos de programa\Mozilla\Firefox\Profiles\8fvd8j17.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\All Users.WINDOWS\Documentos\RD Translations\lightcodec1363.exe -> Trojan.DNSChanger.akt : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 18:31:57, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The virus log information from Mwav was empty.

I look forward to seeing your comments.

Many thanks again.
 
Upvote 0 Downvote
fix these one with hijack this!

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67




Download Superantispyware (SAS):



Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!


* Double-click SUPERAntiSypware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)


* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.




* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.




Post a new hijack this, the dr web scan log and the super log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
I've done the two most recent steps and here are the logs

Logfile of HijackThis v1.99.1
Scan saved at 21:43:54, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0E7D5D-8A2D-4FF0-85DF-412281DDF6E4}: NameServer = 85.255.113.142 85.255.112.67
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

SUPERAntiSpyware Scan Log

Generated 03/02/2008 at 01:59 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:56:05

Memory items scanned : 406
Memory threats detected : 0
Registry items scanned : 4941
Registry threats detected : 0
File items scanned : 14365
File threats detected : 1

Trojan.Unclassifed/K-Series
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C7107574-2D1C-42E1-943B-AE912908A3CF}\RP545\A0171315.EXE

Super Log:
gendel32.exe;C:\;Tool.Gendel;Incurable.Moved.;

Thanks
 
Upvote 0 Downvote
How's the computer running now any better?


boot into safe mode and make sure this one is fixed as it keeps coming back or your security apps are stopping the changes!



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O17 - HKLM\System\CCS\Services\Tcpip\..\{1B8242B0-D9FC-4F22-A23E-2C86B088006B}: NameServer = 85.255.113.142,85.255.112.67



* Go to Control Panel. - If you are using Windows XP's Category View, select
the Network and Internet Connections category. If you are in Classic View,
go to the next step .

* Double-click the Network Connections icon
* Right-click the Local Area Connection icon and select Properties.
* Hilight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.



* Restart your computer.


* Got to Start > Run and type in cmd.
Click OK.
Type this line in the command window:

ipconfig /flushdns

Hit Enter.


post another hijack this log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
The new log is below. Things are working much better now, I don't have the google problem any more. I do seem to have a slight glitch with Zone alarm which takes several go's to start up - do you think I should reinstall?

By the way I would like to make a donation to say thanks for all your help - who would you recommend?

Regards

Dylan

Logfile of HijackThis v1.99.1
Scan saved at 22:05:25, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Archivos de programa\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Upvote 0 Downvote
clean log, yes you can try reinstalling ZA. Donation, you cna give me a star!




You should now turn off system restore to flush out the bad restore points
and
then re-enable it and make a new clean restore point.


How to turn off system restore







Here's some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from




get the hosts file from here.Unzip it to a folder!





put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

when you visit innocent-looking sites that aren't actually innocent at all.






Use either Arovax or spyware terminator, you could try both and see
what one you like!


Arovax shield.



Spyware Terminator



In spyware terminator, click real time protection and tick the box to use
real time protection and tick all the boxes except file exceptions shield.
If your confident in using its advanced feature, click advanced and tick
the HIPS box.

If you want to install and uninstall programs it is best to
temporarily disable Spyware terminator and then re-enable it after you
have installed or uninstalled a program as it will create a lot of pop ups
asking you do you wish this to happen!

Right click spyware terminator on the bottom right of your status bar and
choose exit.Then tick the box and that is spyware terminator disabled!




I would also suggest switching to Mozilla's firefox browser, it's safer, has
a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is
also a good
e-mail client.



Another good and free browser is Opera!



Read here to see how to tighten your security:



A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
210
Oorde
Oorde
DrB0b
  • Locked
  • Question
GMail Google Docs Phishing Attempt
Replies
5
Views
148
goombawaho
goombawaho
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
84
andyv2011
andyv2011
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
128
goombawaho
goombawaho
kharrison70
  • Locked
  • Question
Meskisift Visaal Studie Virus? 6
Replies
6
Views
132
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top