10 replies to this topic

[gasko]

Hi, I'm a relative newbie. It seems I have a problem that's not uncommon, but not so easy to fix. Almost any incorrectly entered URL takes me instantly to a Netster search page. I don't have their toolbar, there's nothing listed in the add/remove programs listing and Spybot says I'm clean. I'm using Firefox and ZoneAlarm Security Suite. Below is my HijackThis log. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 7:02:28 PM, on 26/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Documents and Settings\George Skowronski\Desktop\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132832961826
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Piatan]

Hi gasko:

Please use the following links to run two, or more of these online Virus Scanners and let them fix whatever they find.

If you are using any of the browsers listed just below, the following online Virus scanning site is compatable.
When using Trend Micro, be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

http://be.trendmicro...call_launch.php
If you are using any of these browsers:
Microsoft Internet Explorer
Netscape (6+)
Mozilla (1+)
Firefox (all)
Opera (7.5+)

Internet Explorer users can also use the following links.

When using Trend Micro, be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.
http://www.kaspersky.com/virusscanner
http://www.kaspersky...ml?id=146100010
Bitdefender and let it delete everything it finds.
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Please download, install, update and scan your system with the free version of Ewido trojan scanner:

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
• If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
• When the scan finishes, click on "Save Report". This will create a text file.
  Please save the Ewido report, to be posted here later.
  
  If you are having problems with the updater, you can use this link to manually update Ewido.
  Ewido manual updates
  
  The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be updated with the link above and be used to scan and remove undesirables.
  
  
  Then, Please download and install Ad-Aware SE and Spybot S&D according to the following instructions. If you already have these programs, please make sure they are the latest version and have been updated today. Then run full systems scans as described below.
  
  Install and how to use the NEW Ad-aware SE
  http://www.bleepingc...showtutorial=48
  
  Reboot after using Ad-Aware SE.
  Download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.
  
  
  Would you please download the Spybot S&D program from here Spybot S&D and install it.[list]
• Select Search for updates.
• Then select all available updates that are displayed in the white box.
• Select a download mirror nearest your location.
• Then select Download updates .
• Shut down and restart Spybot.
• Select the Search and destroy icon and click on Check for Problems.
• Delete/fix anything that spybot lists In RED.

.

Then, please REBOOT, to allow Spybot to finish working.

Please download CCleaner from here to clean temp files from your computer.

• Double click on the file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location. Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• Click Run Cleaner to run the program.
• Caution : It is not recommended to use the 'Issues' tab as it is known to find legitimate items.
• After it has completed it's process, click Exit.

Next:
Boot into SAFE MODE:
To restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Next:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

(When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK.)

Then, in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Also delete "COOKIES". Click Apply then OK.

Then reboot into NORMAL MODE and enable hidden files.

Then please run Hijack This, copy the log and post it in this topic, along with the Ewido report.

To post, please use the Add Reply feature, so I will be notified.

Please do not change anything in the fresh log. We need to see the entire log, with no revisions.

[gasko]

Hi Piatan,

Thank you. All done as you suggest. The behaviour persists - I still get taken to Netster with mistyped or incorrect URLs. Here are the Ewido and HijackThis reports after all you recommended. Thanks again for your help.

Gasko

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:11:14 PM, 12/03/2006
+ Report-Checksum: 7766164F

+ Scan result:

:mozilla.28:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.52:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.53:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.54:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.55:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.56:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.57:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.59:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.60:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.69:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.81:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.82:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.96:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.104:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.107:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.108:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.143:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.144:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.145:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.146:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.147:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.169:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.170:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.172:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.173:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.176:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.179:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.191:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.192:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.265:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.272:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.306:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.308:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.309:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.310:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.311:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.312:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.375:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.376:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.402:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.405:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.406:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.407:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.444:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.445:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.459:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.515:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.516:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.517:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.538:C:\Documents and Settings\George Skowronski\Application Data\Mozilla\Firefox\Profiles\fewyzsdw.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 7:23:00 PM, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\George Skowronski\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\\HOME-DOWNSTAIRS\EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P41 "\\HOME-DOWNSTAIRS\EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132832961826
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Piatan]

Hi gasko:

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Please advise if this helps.

[gasko]

Hi Piatan, That was already set. I think the problem is largely resolved. There are still some entries that send me to netster. For instance, If I enter www.american-heart.org (intead of americanheart.org), I get sent to Netster, if I enter www.babyboomer.com I get to a new.net search page, if I enter www.babybummer.com I get to a goDaddy search page. However if I enter www.babybeimer.com I get an error message as I would expect. It's almost as if these guys collect a whole lot of common errors or word combinations and redirect them all to their own websites. In other words the problem might not be not on my machine. Could that be right?

[Piatan]

Lets see if this has the desired effect.

Download the Hoster program and run it.
http://members.aol.c...dbee/hoster.zip
When it opens, click on the Restore Original Hosts button and then exit Hoster.

[gasko]

No noticeaable change. As for my previous post. Generally getting the expected 'file not found' message rather than netster, but some (examples given above) end up on netster or other unrequested search engines. Tried it on another machine (presumed uninfected) with similar result. My theory as previous - Netster and similar sites have large lists of misspelled and made-up URLs which they capture and redirect to their own site. Maybe my own machine is actually clean. What do you think? What happens when you enter some of the above addresses?

[Piatan]

Hi gasko:

Yes, your suspicions are in the ballpark.

I hardly ever have time to surf the Net. I use only known links and those provided by Google. I really can't recall the last time I typed a URL.

If there are no unresolved problems, I recommend the following.

One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  
  Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
  -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing.

[gasko]

Thanks for all your help and expertise. This is a fantastic service you guys provide. Much appreciated.

[Piatan]

You're welcome. Glad to be of help.

[Piatan]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php