Microsoft
Software
Hardware
Network
Question : Browser redirecting to various sites but HijackThis and Malwarebytes scans seem clean
I've got a pc running XP on a network behind a smoothwall firewall and with Kaspersky 6.0 for workstations up to date and running with some sort of software firewall which is alerting me to and blocking *most of the attempted attempted browser redirects/access attempts. All of the other computers on the network are acting just as normally as they usually do. In the "topic description" field I listed a few sites that I've been consistently forwarded to. img.mdclk001.org is the one that appears the most. I've run numerous Malwarebytes and HijackThis scans both in regular and safe mode with System Restore off... only the very first Malwarebytes scan had anything appear... since then it's all been clean. I'm too much of a noob to do anything but guess on HijackThis logs, but nothing obvious pops out at me there either. I've run an ESET online scan which I think did actually show a number of issues but I didn't write anything down unfortunately. Please help. This is a work pc and I'm using it while working it but really don't like the feeling of doing that.
One more thing... the virus seems to be blocking a couple sites. One is pcpitstop.com... at least when I try to post. The other that I've noticed is hijackthis.de when I try to do an auto-analysis of my HJT log.
Thank you!!
I didn't really see anything in terms of proper protocol for requesting help on this forum. Let me know if I did anything wrong, but in the meantime this is a detailed HJT log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:04:57 AM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\driver
s\etc\host
s
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\system32\spools
v.exe
C:\Program Files\Common Files\Acronis\Schedule2\sc
hedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceS
ervice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Bonjour\mDNSResponde
r.exe
C:\Program Files\Java\jre6\bin\jqs.ex
e
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.
exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sql
servr.exe
C:\WINDOWS\system32\nvsvc3
2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB
CFMonitorS
ervice.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\RUNDLL
32.EXE
C:\Program Files\iTunes\iTunesHelper.
exe
C:\WINDOWS\system32\ctfmon
.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB
Update\qbu
pdate.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\WINDOWS\system32\wuaucl
t.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
E
C:\Program Files\iPod\bin\iPodService
.exe
C:\WINDOWS\system32\mstsc.
exe
C:\Program Files\DS Development\Easy Mail Merge for Outlook\EMMOpts.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
E
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe InDesign CS4\InDesign.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
ice.exe
C:\Program Files\Mozilla Firefox\plugin-container.e
xe
C:\Program Files\TrendMicro\HiJackThi
s\HiJackTh
is.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.d
ll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
445EE16191
0} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-E
ABFE594F69
C} - C:\Program Files\Java\jre6\lib\deploy
\jqs\ie\jq
s_plugin.d
ll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
819E2EAAC9
3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
dll,NvStar
tup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTr
ay.dll,NvT
askbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceMana
ger\CS4Ser
viceManage
r.exe" -launchedbylogin
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dump
rep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
exe"
O4 - HKLM\..\Run: [Intuit SyncManager] c:\Program Files\Common Files\Intuit\Sync\IntuitSy
ncManager.
exe startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
Update\qbu
pdate.exe
O4 - Global Startup: Suitcase 11.0.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_den
y.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IECapture.
html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IEAppend.h
tml
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IECaptureS
elLinks.ht
ml
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IEAppendSe
lLinks.htm
l
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IECapture.
html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IEAppend.h
tml
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IECapture.
html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClien
t.dll/Acro
IEAppend.h
tml
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\OFFICE11\
EXCEL.EXE/
3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-A
A4ACF32ED8
E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-8
9C7CE1B18F
6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-8
9C7CE1B18F
6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
C9C571A826
3} - C:\PROGRA~1\MICROS~2\OFFIC
E11\REFIEB
AR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-F
CFDF33E833
C} (WUWebControl Class) -
http://update.micros...b?1
2387867529
64
O17 - HKLM\System\CCS\Services\T
cpip\Param
eters: Domain = cathedraloffice.com
O17 - HKLM\Software\..\Telephony
: DomainName = cathedraloffice.com
O17 - HKLM\System\CS1\Services\T
cpip\Param
eters: Domain = cathedraloffice.com
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-8
6486D72E74
9} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProt
ocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2
FC8CC682EB
4} - c:\Program Files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProt
ocol.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
1\GOEC62~1
.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-0
0A0C90312E
1} - C:\WINDOWS\System32\browse
ui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
078302C203
0} - C:\WINDOWS\System32\browse
ui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\sc
hedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceS
ervice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
r.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
ice.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-0512
10-111108)
- Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.ex
e
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.
exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
2.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QB
CFMonitorS
ervice.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FC
S\Intuit.Q
uickBooks.
FCS.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 10124 bytes
Answer : Browser redirecting to various sites but HijackThis and Malwarebytes scans seem clean
Run RSoP.msc on XP machine and check if your blocikng policy is really removed :)
Random Solutions
Microsoft Excel 2007 - parse Data in a cell
Execute only select sql
how do you export / reuse schema from existing database MS SQL Server 2008?
Batch file syntax for "For" command
Sending BYTE to serial port - C++
Accessing MySQL thru VB.NET
Windows Machine and Windows Services for UNIX
Domain account with read only permissions
What's the best way to schedule text message to pager alerts?
Active Directory Users and Computers MMC error and Event ID 1000
