Browser Redirecting.



Mr Deck
13-01-2009, 05:46 AM
Hi all,
I have been searching the net for a fix for this problem, but I have just got more confused.

Here is what is happening:
When I Google anything, the browser takes me to other websites, such as Yell.com and eBay sites, which have nothing to do with the search. This happens in IE and Firefox.

Here is the printout of HijackThis. (I have no clue what to remove, if anything, in the list.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:11, on 12/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.101tricks.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 5838 bytes
If the above does not help, where can I find the bug that is causing the problem? Thank you in advance for any help.
Take care all

Speedy Gonzales
13-01-2009, 05:54 AM
Welcome to PF1, Mr Deck.

Tick these entries, then click Fix checked.

Close browsers

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

This may be suss:

O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"

Then get Malwarebytes and Trojan Remover below. Update both, then scan.

Then select all options under Utilities in Trojan Remover.
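Speedy's triage of the log above follows a few rules of thumb: an O2 BHO whose CLSID has no DLL behind it is an orphan and safe to fix, an O4 entry that autostarts a program from a user's AppData\Roaming folder with a value name as generic as "Run" is suspect, and the rest can wait. The script below is an added example for this thread, not code from the thread or from HijackThis; it encodes those rules, plus three I have assumed for the example (an O16 ActiveX download from a host outside a short allowlist, an O23 service reported as "Unknown owner", and an IE start or search page that is not the Microsoft default), and runs them over nine lines copied from the posted log. The allowlist, the user-writable path list and the generic-name list are assumptions, not HijackThis rules, and a hit means "look at this", not "malware".

```python
"""Rule-of-thumb triage of a HijackThis 2.x log.

Added example for this thread; not part of HijackThis and not the thread's
own code.  The three lists below are assumptions chosen for the example."""
import re
from typing import Dict, List

# Directories an ordinary installer does not use for autostart binaries
# (assumption: user-writable locations a dropper can reach without admin rights).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")

# Hosts from which an O16 (Download Program Files / ActiveX) entry is expected
# (assumption: a short allowlist for this example).
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "adobe.com", "java.com", "sun.com")

# Run-key value names that say nothing about the program they start (assumption).
GENERIC_RUN_NAMES = {"", "run", "load", "svchost", "explorer", "update"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: .*?(?P<url>https?://(?P<host>[^/\s]+)\S*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]*?)\s*=\s*(?P<url>\S.*)?$")


def _host_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one log line deserves a look."""
    reasons: List[str] = []
    low = line.lower()
    m = O2_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            reasons.append("orphaned BHO: CLSID registered but no DLL on disk")
        elif any(p in low for p in USER_WRITABLE):
            reasons.append("BHO DLL lives in a user-writable directory")
        return reasons
    m = O4_RE.match(line)
    if m:
        if any(p in low for p in USER_WRITABLE):
            reasons.append("autostart binary lives in a user-writable profile directory")
        if m.group("name").strip().lower() in GENERIC_RUN_NAMES:
            reasons.append("generic Run value name '%s'" % m.group("name"))
        return reasons
    m = O16_RE.match(line)
    if m:
        host = m.group("host").lower()
        if not _host_trusted(host):
            reasons.append("ActiveX control downloaded from non-allowlisted host " + host)
        return reasons
    m = O23_RE.match(line)
    if m:
        if m.group("owner").strip().lower() == "unknown owner":
            reasons.append("service binary carries no company information")
        return reasons
    m = R_RE.match(line)
    if m and m.group("url") and "go.microsoft.com/fwlink" not in low:
        reasons.append("IE start/search page is not the Microsoft default; confirm the user set it")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run triage_line over a whole log and keep only the lines with findings."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


# Constructed sample: nine lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.101tricks.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Run] "C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

On the sample it flags five of the nine lines (the non-default start page, the orphaned BHO, the Manager.exe Run entry on two counts, the CabBuilder download and the ProtexisLicensing service) and leaves the Adobe BHO, the Java and Media Player autostarts and the Flash download alone. Feed it a whole log with `triage(open("hijackthis.log").read())`; the point of keeping the rules in `triage_line` is that each one is a single, reviewable heuristic rather than a signature.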

Mr Deck
13-01-2009, 06:50 AM
Hi Speedy.
Thank you for the quick reply. Still no luck, unfortunately. I have run the two programs, but it is still redirecting me.

I am going to try and record what is happening in my browser. At the bottom it says ETACH while browsing, and a load of other stuff as well. If I record it, maybe someone will make some sense of it.
I will kill it before it kills me, lol.

Take care all
Pat

Speedy Gonzales
13-01-2009, 06:53 AM
Post a pic / snapshot if you can here (http://imagef1.net.nz/?page=adv)

Uninstall this:

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe

Uninstall Ad-Aware and Pest Control,

and install Avast Home.

Mr Deck
13-01-2009, 10:14 AM
Hiya. OK, it says at the bottom of the browser "Transferring data from Google to www.ecata.info", then Ecata moves that on to other random sites.

If that makes sense?

Speedy Gonzales
13-01-2009, 10:39 AM
You may have Trojan.DNSChanger.

After you did a scan with Malwarebytes, if it picked anything up, did you click on Show Results, tick whatever, then click on Remove Selected to remove it?

Close the browser while you do this.

Mr Deck
13-01-2009, 08:16 PM
Hi Speedy. It's 8 am here in the not-so-sunny UK, but the browser seems to be working fine. Just for the record:
Whatever it was, it redirects the Google search pages to other websites in a new tab; when you do a second search you may hit the page you want. It slows the browser down as well, in my case by about 40%. However, I am on Virgin super fast, so for me it's not too bad.

Scan results below for future reference:
***** THE SYSTEM HAS BEEN RESTARTED *****
12/01/2009 18:23:59: Trojan Remover has been restarted
----------
Cleaning up TDSS keys/files:
C:\Windows\system32\drivers\msqpdxvmppkybw.sys - deleted
C:\Windows\system32\msqpdxvfceispt.dll - deleted
----------
=======================================================
Removing the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys - removed
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msqpdxvmppkybw.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msqpdxvmppkybw.sys - already removed (or did not exist)
=======================================================
12/01/2009 18:23:59: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.5.2560. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 18:17:53 12 Jan 2009
Using Database v7258
Operating System: Windows Vista SP1 [Windows Vista Service Pack 1 (Build 6001)]
Edition: Windows Vista (TM) Home Premium
File System: NTFS
User Account Control is Enabled.
Data directory: C:\Users\Pat\AppData\Roaming\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Users\Pat\Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
Microsoft Windows Defender

************************************************************


************************************************************
18:17:53: Scanning ----------WIN.INI-----------
WIN.INI found in C:\Windows

************************************************************
18:17:53: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\Windows

************************************************************
18:17:53: ----- SCANNING FOR ROOTKIT SERVICES -----
Hidden Service Keyname: msqpdxserv.sys
Hidden Service: \systemroot\system32\drivers\msqpdxvmppkybw.sys
C:\Windows\system32\drivers\msqpdxvmppkybw.sys
74240 bytes
Created: 07/01/2009
Modified: 07/01/2009
Company: [no info]
Entry has been scheduled for deletion when the PC is restarted
C:\Windows\system32\drivers\msqpdxvmppkybw.sys - no action requested on this file
----------

************************************************************
18:18:44: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: explorer.exe
C:\Windows\explorer.exe
2927104 bytes
Created: 12/12/2008
Modified: 29/10/2008
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
25088 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Windows Defender
Value Data: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
C:\Program Files\Windows Defender\MSASCui.exe
1008184 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
Value Name: RtHDVCpl
Value Data: RtHDVCpl.exe
C:\Windows\RtHDVCpl.exe
4702208 bytes
Created: 25/10/2007
Modified: 25/10/2007
Company: Realtek Semiconductor
--------------------
Value Name: MSConfig
Value Data: "C:\Windows\system32\msconfig.exe" /auto
C:\Windows\system32\msconfig.exe
227840 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
C:\Windows\system32\NvCpl.dll
13539872 bytes
Created: 22/05/2008
Modified: 22/05/2008
Company: NVIDIA Corporation
--------------------
Value Name: NvMediaCenter
Value Data: RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
C:\Windows\system32\NvMcTray.dll
92704 bytes
Created: 22/05/2008
Modified: 22/05/2008
Company: NVIDIA Corporation
--------------------
Value Name: PCguard
Value Data: "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
310000 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Virgin Media
--------------------
Value Name: -FreedomNeedsReboot
Value Data: "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe
13552 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Virgin Media
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre6\bin\jusched.exe"
C:\Program Files\Java\jre6\bin\jusched.exe
136600 bytes
Created: 16/12/2008
Modified: 16/12/2008
Company: Sun Microsystems, Inc.
--------------------
Value Name: Corel File Shell Monitor
Value Data: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
16200 bytes
Created: 30/10/2007
Modified: 30/10/2007
Company: Corel, Inc.
--------------------
Value Name: QuickTime Task
Value Data: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
C:\Program Files\QuickTime\QTTask.exe
413696 bytes
Created: 04/11/2008
Modified: 04/11/2008
Company: Apple Inc.
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1231752 bytes
Created: 12/01/2009
Modified: 01/01/2009
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: WMPNSCFG
Value Data: C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
202240 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: IndexCleaner
Value Data: "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe
61168 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Virgin Media
--------------------

************************************************************
18:18:48: Scanning -----SHELLEXECUTEHOOKS-----
ShellExecuteHooks key is empty

************************************************************
18:18:48: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
18:18:48: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
18:18:48: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
18:18:48: Scanning ----- SERVICEDLL REGISTRY KEYS -----

************************************************************
18:18:53: Scanning ----- SERVICES REGISTRY KEYS -----
Key: 61883
ImagePath: system32\DRIVERS\61883.sys
C:\Windows\system32\DRIVERS\61883.sys
45696 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: aawservice
ImagePath: "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
611664 bytes
Created: 10/09/2008
Modified: 10/09/2008
Company: Lavasoft
----------
Key: Apple Mobile Device
ImagePath: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
132424 bytes
Created: 07/11/2008
Modified: 07/11/2008
Company: Apple Inc.
----------
Key: Avc
ImagePath: system32\DRIVERS\avc.sys
C:\Windows\system32\DRIVERS\avc.sys
40448 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: blbdrive
ImagePath: \SystemRoot\system32\drivers\blbdrive.sys - file is missing - alert is globally excluded
----------
Key: CSS DVP
ImagePath: system32\DRIVERS\css-dvp.sys
C:\Windows\system32\DRIVERS\css-dvp.sys
835792 bytes
Created: 19/10/2008
Modified: 26/11/2007
Company: Authentium, Inc
----------
Key: dvpapi
ImagePath: "C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe"
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
-R- 177448 bytes
Created: 27/11/2007
Modified: 27/11/2007
Company: Authentium, Inc.
----------
Key: ialm
ImagePath: system32\DRIVERS\igdkmd32.sys
C:\Windows\system32\DRIVERS\igdkmd32.sys
1380864 bytes
Created: 02/11/2006
Modified: 19/10/2006
Company: Intel Corporation
----------
Key: IpInIp
ImagePath: system32\DRIVERS\ipinip.sys - file is missing - alert is globally excluded
----------
Key: irsir
ImagePath: system32\DRIVERS\irsir.sys
C:\Windows\system32\DRIVERS\irsir.sys
20992 bytes
Created: 02/11/2006
Modified: 02/11/2006
Company: Microsoft Corporation
----------
Key: ITMRTSVC
ImagePath: "C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe"
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
280080 bytes
Created: 19/12/2006
Modified: 19/12/2006
Company: CA, Inc.
----------
Key: MarvinBus
ImagePath: system32\DRIVERS\MarvinBus.sys
C:\Windows\system32\DRIVERS\MarvinBus.sys
171520 bytes
Created: 23/09/2005
Modified: 23/09/2005
Company: Pinnacle Systems GmbH
----------
Key: MSDV
ImagePath: system32\DRIVERS\msdv.sys
C:\Windows\system32\DRIVERS\msdv.sys
52608 bytes
Created: 20/10/2008
Modified: 19/01/2008
Company: Microsoft Corporation
----------
Key: msiserver
ImagePath: %systemroot%\system32\msiexec /V
----------
Key: NETw3v32
ImagePath: system32\DRIVERS\NETw3v32.sys
C:\Windows\system32\DRIVERS\NETw3v32.sys
1781760 bytes
Created: 02/11/2006
Modified: 02/11/2006
Company: Intel® Corporation
----------
Key: nvstor
ImagePath: system32\drivers\nvstor.sys
C:\Windows\system32\drivers\nvstor.sys
40040 bytes
Created: 02/11/2006
Modified: 02/11/2006
Company: NVIDIA Corporation
----------
Key: nvstor32
ImagePath: system32\DRIVERS\nvstor32.sys
C:\Windows\system32\DRIVERS\nvstor32.sys
110624 bytes
Created: 26/10/2007
Modified: 26/10/2007
Company: NVIDIA Corporation
----------
Key: nvsvc
ImagePath: %SystemRoot%\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe
118784 bytes
Created: 22/05/2008
Modified: 22/05/2008
Company: NVIDIA Corporation
----------
Key: NwlnkFlt
ImagePath: system32\DRIVERS\nwlnkflt.sys - file is missing - alert is globally excluded
----------
Key: NwlnkFwd
ImagePath: system32\DRIVERS\nwlnkfwd.sys - file is missing - alert is globally excluded
----------
Key: PAC207
ImagePath: system32\DRIVERS\PFC027.SYS
C:\Windows\system32\DRIVERS\PFC027.SYS
508160 bytes
Created: 29/05/2007
Modified: 29/05/2007
Company: PixArt Imaging Inc.
----------
Key: PDAgent
ImagePath: "C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
414984 bytes
Created: 28/04/2008
Modified: 28/04/2008
Company: Raxco Software, Inc.
----------
Key: PDEngine
ImagePath: "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
738568 bytes
Created: 28/04/2008
Modified: 28/04/2008
Company: Raxco Software, Inc.
----------
Key: ProtexisLicensing
ImagePath: C:\Windows\system32\PSIService.exe
C:\Windows\system32\PSIService.exe
177704 bytes
Created: 05/06/2007
Modified: 05/06/2007
Company:
----------
Key: Radialpoint Security Services
ImagePath: C:\Windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
C:\Windows\system32\dllhost.exe
7168 bytes
Created: 02/11/2006
Modified: 02/11/2006
Company: Microsoft Corporation
----------
Key: RPPKT
ImagePath: system32\DRIVERS\rp_pkt32.sys
C:\Windows\system32\DRIVERS\rp_pkt32.sys
48384 bytes
Created: 19/10/2008
Modified: 19/04/2007
Company: Radialpoint, Inc.
----------
Key: RPSKT
ImagePath: system32\DRIVERS\rp_skt32.sys
C:\Windows\system32\DRIVERS\rp_skt32.sys
53192 bytes
Created: 19/10/2008
Modified: 19/10/2008
Company: Radialpoint Inc.
----------
Key: RPSUpdaterR
ImagePath: C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
99056 bytes
Created: 05/09/2007
Modified: 19/10/2008
Company: Radialpoint Inc.
----------
Key: RP_FWS
ImagePath: C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
293104 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Virgin Media
----------
Key: RTL8023xp
ImagePath: system32\DRIVERS\Rtnicxp.sys
C:\Windows\system32\DRIVERS\Rtnicxp.sys
47104 bytes
Created: 02/11/2006
Modified: 02/11/2006
Company: Realtek Semiconductor Corporation
----------
Key: snpstd
ImagePath: system32\DRIVERS\snpstd.sys
C:\Windows\system32\DRIVERS\snpstd.sys
299776 bytes
Created: 18/02/2004
Modified: 18/02/2004
Company:
----------
Key: usnjsvc
ImagePath: "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
C:\Program Files\Windows Live\Messenger\usnsvc.exe
98328 bytes
Created: 18/10/2007
Modified: 18/10/2007
Company: Microsoft Corporation
----------
Key: WLSetupSvc
ImagePath: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
266240 bytes
Created: 25/10/2007
Modified: 25/10/2007
Company: Microsoft Corporation
----------

************************************************************
18:19:02: Scanning -----VXD ENTRIES-----

************************************************************
18:19:02: Scanning ----- WINLOGON\NOTIFY DLLS -----
No WINLOGON\NOTIFY DLLs found to scan

************************************************************
18:19:02: Scanning ----- CONTEXTMENUHANDLERS -----
Key: 7-Zip
CLSID: {23170F69-40C1-278A-1000-000100020000}
Path: C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\7-Zip\7-zip.dll
69632 bytes
Created: 06/12/2007
Modified: 06/12/2007
Company: Igor Pavlov
----------
Key: MagicISO
CLSID: {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
Path: C:\Program Files\MagicISO\misosh.dll
C:\Program Files\MagicISO\misosh.dll
20992 bytes
Created: 18/11/2008
Modified: 05/06/2006
Company: MagicISO, Inc.
----------
Key: {FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
Path: C:\Program Files\Virgin Broadband\PCguard\AVCntxtR.dll
C:\Program Files\Virgin Broadband\PCguard\AVCntxtR.dll
106736 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Radialpoint Inc.
----------

************************************************************
18:19:02: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
File: "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"
C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
357888 bytes
Created: 28/08/2008
Modified: 28/08/2008
Company: Sun Microsystems, Inc.
----------

************************************************************
18:19:03: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
63128 bytes
Created: 12/01/2006
Modified: 12/01/2006
Company: Adobe Systems Incorporated
----------
Key: {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
BHO: C:\Program Files\Virgin Broadband\PCguard\pkR.dll
C:\Program Files\Virgin Broadband\PCguard\pkR.dll
55024 bytes
Created: 05/09/2007
Modified: 05/09/2007
Company: Radialpoint Inc.
----------
Key: {53707962-6F74-2D53-2644-206D7942484F}
BHO: C:\PROGRA~1\SPYBOT~1\SDHelper.dll
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - file is excluded from scanning [SPYBOT S&D file]
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Program Files\Java\jre6\bin\ssv.dll
C:\Program Files\Java\jre6\bin\ssv.dll
320920 bytes
Created: 16/12/2008
Modified: 16/12/2008
Company: Sun Microsystems, Inc.
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
328752 bytes
Created: 20/09/2007
Modified: 20/09/2007
Company: Microsoft Corporation
----------
Key: {DBC80044-A445-435b-BC74-9C25C1C588A9}
BHO: C:\Program Files\Java\jre6\bin\jp2ssv.dll
C:\Program Files\Java\jre6\bin\jp2ssv.dll
34816 bytes
Created: 16/12/2008
Modified: 16/12/2008
Company: Sun Microsystems, Inc.
----------

************************************************************
18:19:04: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
18:19:04: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
18:19:04: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
18:19:04: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
18:19:04: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
18:19:04: Scanning ------ COMMON STARTUP GROUP ------
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 02/11/2006
Modified: 20/10/2008
Company: [no info]
--------------------

************************************************************
18:19:05: Scanning ----- USER STARTUP GROUPS -----
Checking Startup Group for: Pat
[C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-HS- 174 bytes
Created: 19/10/2008
Modified: 19/10/2008
Company: [no info]
----------
--------------------

************************************************************
18:19:05: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

************************************************************
18:19:05: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
No ShellIconOverlayIdentifiers Registry key found to scan

************************************************************
18:19:05: ----- ADDITIONAL CHECKS -----
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Checking autorun.inf in D:\
D:\autorun.inf
-RHS- 255 bytes
Created: 07/01/2009
Modified: 07/01/2009
Company: [no info]
D:\autorun.inf ShellExecute entry: ["resycled\boot.com d:"]
D:\resycled\boot.com
-RHS- 30720 bytes
Created: 12/11/2008
Modified: 06/01/2009
Company: [no info]
D:\autorun.inf - READ-ONLY, HIDDEN and SYSTEM file attributes removed
D:\autorun.inf - file renamed to: D:\autorun.inf.vir
----------
--------------------
Desktop Wallpaper: C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
228863 bytes
Created: 02/11/2006
Modified: 24/10/2008
Company: [no info]
----------
Web Desktop Wallpaper: %SystemDrive%\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg
228863 bytes
Created: 02/11/2006
Modified: 24/10/2008
Company: [no info]
----------
Checks for rogue DNS NameServers completed
Checking for specific malicious files:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll - Trojan.Agent
C:\Program Files\Mozilla Firefox\components\iamfamous.dll - file renamed to: C:\Program Files\Mozilla Firefox\components\iamfamous.dll.vir
----------
----------
Additional checks completed

************************************************************
18:19:40: Scanning ----- RUNNING PROCESSES -----

C:\Windows\System32\smss.exe
[1 loaded module]
--------------------
C:\Windows\system32\csrss.exe
[13 loaded modules in total]
--------------------
C:\Windows\system32\wininit.exe
[25 loaded modules in total]
--------------------
C:\Windows\system32\csrss.exe
[13 loaded modules in total]
--------------------
C:\Windows\system32\services.exe
[37 loaded modules in total]
--------------------
C:\Windows\system32\lsass.exe
[61 loaded modules in total]
--------------------
C:\Windows\system32\lsm.exe
[21 loaded modules in total]
--------------------
C:\Windows\system32\winlogon.exe
[29 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe
[46 loaded modules in total]
--------------------
C:\Windows\system32\nvvsvc.exe - file already scanned
[23 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[42 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned
[59 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned
[67 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned
[123 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[152 loaded modules in total]
--------------------
C:\Windows\system32\SLsvc.exe
[25 loaded modules in total]
--------------------
C:\Windows\system32\rundll32.exe
[41 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[91 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\Fws.exe - file already scanned
[69 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[95 loaded modules in total]
--------------------
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe - file already scanned
[30 loaded modules in total]
--------------------
C:\Windows\system32\Dwm.exe
[36 loaded modules in total]
--------------------
C:\Windows\Explorer.EXE - file already scanned
[163 loaded modules in total]
--------------------
C:\Program Files\Windows Defender\MSASCui.exe - file already scanned
[41 loaded modules in total]
--------------------
C:\Windows\RtHDVCpl.exe - file already scanned
[46 loaded modules in total]
--------------------
C:\Windows\System32\rundll32.exe
[30 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\RPS.exe - file already scanned
[159 loaded modules in total]
--------------------
C:\Program Files\Windows Media Player\wmpnscfg.exe - file already scanned
[28 loaded modules in total]
--------------------
C:\Windows\System32\spoolsv.exe
[78 loaded modules in total]
--------------------
C:\Windows\system32\taskeng.exe
[76 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[63 loaded modules in total]
--------------------
C:\Windows\system32\taskeng.exe
[47 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
[29 loaded modules in total]
--------------------
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe - file already scanned
[29 loaded modules in total]
--------------------
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe - file already scanned
[21 loaded modules in total]
--------------------
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe - file already scanned
[34 loaded modules in total]
--------------------
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe - file already scanned
[48 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[46 loaded modules in total]
--------------------
C:\Windows\system32\PSIService.exe - file already scanned
[25 loaded modules in total]
--------------------
C:\Windows\system32\svchost.exe - file already scanned
[52 loaded modules in total]
--------------------
C:\Windows\System32\svchost.exe - file already scanned
[18 loaded modules in total]
--------------------
C:\Windows\system32\SearchIndexer.exe
[61 loaded modules in total]
--------------------
C:\Windows\system32\WUDFHost.exe
[34 loaded modules in total]
--------------------
C:\Program Files\Windows Media Player\wmpnetwk.exe
[93 loaded modules in total]
--------------------
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe - file already scanned
[45 loaded modules in total]
--------------------
C:\Windows\system32\wbem\unsecapp.exe
[27 loaded modules in total]
--------------------
C:\Windows\system32\wbem\wmiprvse.exe
[32 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe - file already scanned
[84 loaded modules in total]
--------------------
C:\Windows\system32\dllhost.exe
[72 loaded modules in total]
--------------------
C:\Windows\System32\msdtc.exe
[54 loaded modules in total]
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
[119 loaded modules in total]
--------------------
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
[72 loaded modules in total]
--------------------
C:\Windows\system32\NOTEPAD.EXE
[20 loaded modules in total]
--------------------
C:\Program Files\Trojan Remover\Rmvtrjan.exe
FileSize: 2921336
[This is a Trojan Remover component]
[71 loaded modules in total]
--------------------

************************************************************
18:21:13: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
18:21:13: Scanning ------ %TEMP% DIRECTORY ------
C:\Users\Pat\AppData\Local\Temp\etilqs_Fa1XVkwoJA9dUth1f8Un appears to be in-use/locked
************************************************************
18:21:18: Scanning ------ C:\Windows\Temp DIRECTORY ------
************************************************************
18:21:20: Scanning ------ ROOT DIRECTORY ------

************************************************************
18:21:20: ------ Scan for other files to remove ------
No malware-related files found to remove

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft.com/fwlink/?LinkId=54896
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.101tricks.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\Windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 18:21:20 12 Jan 2009
Total Scan time: 00:03:27
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
12/01/2009 18:21:31: restart commenced
************************************************************


Malwarebytes' Anti-Malware 1.32
Database version: 1646
Windows 6.0.6001 Service Pack 1

12/01/2009 18:38:16
mbam-log-2009-01-12 (18-38-16).txt

Scan type: Quick Scan
Objects scanned: 46022
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Thank you for your help. If anyone ever wants to learn a magic trick or two to impress friends, let me know :) I'll stick around the forum just in case I can help anyone out at any time.

Take care all
Pat

Speedy Gonzales
13-01-2009, 08:24 PM
Ah ha, so it was DNSChanger. Good to hear it's running a lot better!

This is what was causing it, the end of the Malwarebytes log:

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\totalvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\totalvid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Users\Pat\AppData\Roaming\Adobe\Manager.exe (Trojan.Agent) -> Quarantined and deleted successfully.