
Thread: Endless Search Engines Taking Over

  1. #1
    Beginner
    Registered since
    22.08.2007
    Posts
    3

    Endless Search Engines Taking Over

    Hi. Thank you in advance for any help, it is much appreciated! Looking for some help because I'm at a loss now. Here's the problem: My brother is new to the internet and was presumably surfing some porn sites. He must've inadvertently downloaded some autoexec because now whenever I search for anything under Yahoo, it brings up the results, but when I click on such results I get redirected to those endless search engine sites.
    I've run both Ad-Aware SE and AVG Free Edition in an attempt to remove any spyware/viruses. This did not correct the problem. My system specs: Dell Celeron 2.39 GHz, 1.00 GB RAM, Windows XP 2002 Home Edition Service Pack 2.

    I took a HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:03:01 PM, on 8/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1172176035\ee\AOLSoftware.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.epix.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172176035\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60...ad/ppcwebi.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DBFA59D-CDFF-4E5D-81A6-5C8E6A5B643A}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{84AF59F4-8583-40F3-A0D0-B4830596782C}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D60003C-97EA-4E5D-A3FB-D28B04F736B1}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91448E39-377B-4EFC-ADAE-F9D5EC73E9B4}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: Domain = domain.invalid
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3F9D67-13B5-4505-B021-F225FE827AAD}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.213
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  2. #2
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.038

    Re: Endless Search Engines Taking Over

    Welcome to HijackThis.eu @ kreepkid

    • Please download FixWareout from one of these sites:
    • Save it to your desktop and run it.
    • Click Next, then Install.
    • Make sure "Run fixit" is checked and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; that's normal.
    • When your system reboots, follow the prompts.
    • Now HijackThis will launch.
    • Please click Scan, and check the following items:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DBFA59D-CDFF-4E5D-81A6-5C8E6A5B643A}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{84AF59F4-8583-40F3-A0D0-B4830596782C}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D60003C-97EA-4E5D-A3FB-D28B04F736B1}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91448E39-377B-4EFC-ADAE-F9D5EC73E9B4}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: Domain = domain.invalid
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: NameServer = 85.255.114.23,85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3F9D67-13B5-4505-B021-F225FE827AAD}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.213
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.213
    • Click Fix Checked. Close HijackThis, and click OK to proceed.
    • Finally, please post the contents of report.txt (it should open), along with a fresh HijackThis log.
    • Please note:
    If you have connection problems or those O17's ~ O17 - HKLM~ 85.255.114.23,85.255.112.213 return =>
    Before doing this, write down all the settings; note that not all systems/setups even have these settings, while some connection services will require them.
    In the Windows Control Panel: If you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections.
    Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties.
    Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

    Source

  3. #3
    Beginner
    Registered since
    22.08.2007
    Posts
    3

    Re: Endless Search Engines Taking Over

    Thank you so much, Ruby. That seemed to fix it, no problem. I took a HijackThis log just for reference:

    Username "Allison Stininger" - 2007-08-22 22:01:26 [Fixwareout edited 2007/07/05]

    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdhmc.exe"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.114.23 85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7DBFA59D-CDFF-4E5D-81A6-5C8E6A5B643A}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{84AF59F4-8583-40F3-A0D0-B4830596782C}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8D60003C-97EA-4E5D-A3FB-D28B04F736B1}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{91448E39-377B-4EFC-ADAE-F9D5EC73E9B4}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FC3F9D67-13B5-4505-B021-F225FE827AAD}
    "nameserver"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2810EB22-763D-4D0C-9450-64BBD1758685}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7DBFA59D-CDFF-4E5D-81A6-5C8E6A5B643A}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{84AF59F4-8583-40F3-A0D0-B4830596782C}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8D60003C-97EA-4E5D-A3FB-D28B04F736B1}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{91448E39-377B-4EFC-ADAE-F9D5EC73E9B4}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FC3F9D67-13B5-4505-B021-F225FE827AAD}
    "DhcpNameServer"="85.255.114.23,85.255.112.213" <Value cleared.

    Successfully flushed the DNS Resolver Cache.

    Thanks again, you saved me a lot of headaches.

  4. #4
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.038

    Re: Endless Search Engines Taking Over

    You are welcome @ kreepkid

    but we are not finished yet. We must go on... There is still a lot to do.
    These entries:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: NameServer = 85.255.114.23,85.255.112.213

    belong to
    inetnum: 85.255.112.0 - 85.255.127.255
    netname: inhoster
    descr: Inhoster hosting company
    descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
    You can use www.dnsstuff.com to get all wanted information. It's very dangerous to get these entries on a system ... maybe there is more malware on your machine, maybe there is a rootkit on your machine too... We must look for it.

    Please follow these instructions, made by Karl83:

    Let's have a look if you have some rootkits on your system.
    • Please close down all applications.
    • Disconnect from the Internet
    • Don't do anything with your machine

    Let Blacklight scan your system
    • Download F-Secure Blacklight and unzip it to its own folder C:\program files\blacklight.
    • Run it from blbeta.exe. Close all other applications.
    • Click onto "I accept the agreement", "next", "Scan".
    • When the scan is finished, exit Blacklight with "Close".
    • In the folder of Blacklight you can find the Log fsbl-XXX.log, the XXX will be replaced with the real number.

    Let RootkitRevealer scan your system
    • Download RootkitRevealer and unzip it to its own folder C:\program files\rootkitrevealer.
    • Run the RootkitRevealer.exe. Close down all other applications.
    • Run it with a click onto "Scan".
    • When the scan is finished -> Save the logfile.

    Let Gmer scan
    • Download Gmer from here. Unzip it to your desktop.
    • Start gmer.exe > Tab Rootkit. Close down all other applications.
    • Be assured that all checkmarks are set from "System" to "ADS".
    • (Important: NO checkmark may be set next to "Show all".)
      Start the "Scan". Don't do anything with your machine.
    • When the scan is finished, click onto "Copy" to get the logfile.
    • Exit Gmer with "Ok".
    • Paste your logfile to this thread.

    Open your AntiVirus and Waking programs before connecting to the Internet!

    Please post all three logfiles.
    Run HijackThis again > Do a system scan > Save the logfile and post it.
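
An added check, not code from the thread or from HijackThis/FixWareout, that does what Ruby did by eye: it pulls the O17 NameServer entries out of a HijackThis log and flags any resolver that falls inside the inetnum quoted above (85.255.112.0 - 85.255.127.255, i.e. 85.255.112.0/20). The sample log lines are constructed to match the shape of the original log, including the one line where HijackThis printed an empty NameServer value.

```python
"""Flag HijackThis O17 NameServer entries that point into a known-rogue address block.

Added example, not part of the thread. Assumes the block from post #4
(85.255.112.0/20) and O17 lines shaped like the ones in the posted log.
"""
import ipaddress
import re

# Block taken from the inetnum quoted in the thread; 85.255.112.0 - 85.255.127.255 is exactly a /20.
ROGUE_DNS_BLOCK = ipaddress.ip_network("85.255.112.0/20")

# O17 line shape seen in the log: "O17 - <registry key>: <value name> = <addresses>".
# Per-interface keys list addresses comma-separated, Tcpip\Parameters space-separated.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+)\s*=\s*(?P<value>.*)$")

# Constructed sample: two rogue lines and an empty-value line modelled on the thread's log,
# plus a clean per-interface entry (made-up GUID) and a non-O17 line that must be ignored.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7DBFA59D-CDFF-4E5D-81A6-5C8E6A5B643A}: NameServer = 85.255.114.23,85.255.112.213
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{92C61605-76AF-4B6F-A9A3-8E49BBF2ACF5}: Domain = domain.invalid
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.23 85.255.112.213
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{FC3F9D67-13B5-4505-B021-F225FE827AAD}: NameServer =
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
"""


def parse_o17(log_text):
    """Return [(registry key, value name, [ip addresses])] for NameServer-type O17 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group("name").lower() not in ("nameserver", "dhcpnameserver"):
            continue  # not an O17 line, or a Domain/other value we do not audit here
        addrs = []
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            if not token:
                continue  # empty value, as in the "NameServer =" line HijackThis can emit
            try:
                addrs.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # not an IP literal; leave it out rather than guess
        entries.append((m.group("key"), m.group("name"), addrs))
    return entries


def classify(addr, rogue_block=ROGUE_DNS_BLOCK):
    """'rogue' inside the block from the thread; 'private' for RFC 1918-style resolvers
    (a home router or DHCP-assigned address); otherwise 'public'."""
    addr = ipaddress.ip_address(addr)
    if addr in rogue_block:
        return "rogue"
    if addr.is_private:
        return "private"
    return "public"


def audit(log_text, rogue_block=ROGUE_DNS_BLOCK):
    """Summarise the O17 entries: which registry keys carry rogue resolvers, and which addresses."""
    entries = parse_o17(log_text)
    rogue_keys, rogue_addrs = [], set()
    for key, _name, addrs in entries:
        hits = [str(a) for a in addrs if classify(a, rogue_block) == "rogue"]
        if hits:
            rogue_keys.append(key)
            rogue_addrs.update(hits)
    return {"o17_entries": len(entries), "rogue_keys": rogue_keys,
            "rogue_addresses": rogue_addrs, "hijacked": bool(rogue_keys)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for key in result["rogue_keys"]:
        print("rogue resolver in", key)
    print("rogue addresses:", sorted(result["rogue_addresses"]))
```

Feeding it the full log from post #1 would flag the same eight O17 keys Ruby listed, with the per-interface and Tcpip\Parameters entries handled alike despite their different separators.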

  5. #5
    Beginner
    Registered since
    22.08.2007
    Posts
    3

    Re: Endless Search Engines Taking Over

    Quote from Ruby (post #4 above, quoted in full)
    Ran RootkitRevealer and saved the log:

    HKU\S-1-5-21-3280761382-763186856-2056209300-1006\RemoteAccess\InternetProfile 5/2/2007 7:01 PM 17 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 9:23 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 8/10/2004 9:23 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\webcal\URL Protocol 2/14/2005 5:45 PM 13 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/4/2007 6:17 PM 80 bytes Data mismatch between Windows API and raw hive data.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1b4.823615A601C7EF41.history 9/4/2007 6:18 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1e8.C56CC0E001C7EF41.history 9/4/2007 6:20 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\1e8.C95FA5F001C7EF41.history 9/4/2007 6:20 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\4e0.27C0FCAC01C7EF42.history 9/4/2007 6:23 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\4e0.27C0FCAC01C7EF42.history\00000000.bak 9/4/2007 6:23 PM 388 bytes Hidden from Windows API.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\b1c.9E10AF6C01C7EF40.history 9/4/2007 6:12 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\b1c.9E10AF6C01C7EF40.history\00000000.bak 9/4/2007 6:12 PM 388 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\ef4.4D1B750A01C7EF41.history\00000000.bak 9/4/2007 6:20 PM 5.68 MB Hidden from Windows API.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\fb8.508411B601C7EF41.history 9/4/2007 6:18 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\fb8.508411B601C7EF41.history\00000000.bak 9/4/2007 6:18 PM 388 bytes Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~4e3d2a51b5.htp 9/4/2007 6:16 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~4e3d2a65e4.htp 9/4/2007 6:16 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.

    thank you
