Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox and IE Hijacked? Malware/Adware?


  • This topic is locked This topic is locked
2 replies to this topic

#1 meathookseed

meathookseed

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:56 AM

Posted 14 June 2009 - 06:14 AM

I'm not sure how this happened I think my Grandson downloaded a toolbar or something similar. What happens is every time I run either firefox or IE I get additional windows advertising productssuc as Acai Berry and similar some are near impossible to close down, They usually traffic via www.incentaclick.com. I have run Adaware, Glary Utilities, Spysweeper and Trend Micro Internet Security, none of them have solved the problem, the computer seems to run very slowly and Firefox and IE crash all the time, more adverts seem to run when we are on Facebook, I have tried blocking the sites via Trend and also by using the blocking functions of Firefox but the Ads keep appearing!!




DDS (Ver_09-05-14.01) - NTFSx86
Run by William Hayward at 11:50:57.54 on 14/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.244 [GMT 1:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC

-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\William Hayward\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Freeserve
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program

files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: Media Access Startup: {25b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\media

access startup\1.0.0.610\HPIEAddOn.dll
BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet

saving optimizer\3.1.0.3900\NPIEAddOn.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program

files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program

files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: System Search Dispatcher: {cdbfb47b-58a8-4111-bf95-06178dce326d} - System Search

Dispatcher
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program

files\ask.com\GenericAskToolbar.dll
TB: Freeserve: {8b68564d-53fd-4293-b80c-993a9f3988ee} - blank
TB: ALTAVISTA: {4e7bd74f-2b8d-469e-92ea-ec65a294ae31} -
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: Money Viewer: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft

money\system\mnyviewer.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe"

-win
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Cmaudio] "RunDll32" cmicnfg.cpl,CMICtrlWnd
mRun: [LVCOMSX] "c:\windows\system32\LVCOMSX.EXE"
mRun: [LWBMOUSE] "c:\program files\perfect series\multi-direction optical mouse\1.4

\MOUSE32A.EXE"
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [USB Storage Toolbox] "c:\program files\usb disk win98 driver\Res.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common

files\installshield\updateservice\issch.exe" -start
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe"

/startintray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program

files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\MICROS~2.LNK -
IE: &Search -
IE: AltaVista Search - file://c:\program files\dynamic

toolbar\altavista\cache\SelectedContextSearch.htm
IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm
IE: Translate - file://c:\program files\dynamic

toolbar\altavista\cache\SelectedContextTranslation.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} -

c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} -

c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} -

c:\program files\microsoft money\system\mnyviewer.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -

hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.c

ab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -

hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

hxxp://download.microsoft.com/download/8/3/d/83d1fe15-fe0f-4bdf-b09c-

4e3c49808ec7/LegitCheckControl.cab
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -

hxxp://download.ebay.com/turbo_lister/UK/install.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -

hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -

hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -

hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -

hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -

hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -

hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab

?1229984047714
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab

?1229984020839
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

hxxp://a840.g.akamai.net/7/840/537/6cc9eddcba090b/housecall.antivirus.com/housecall/xscan5

3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-

1_6_0_07-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -

hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.4364236111
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-

1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-

1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} -

hxxp://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://fdl.msn.com/public/chat/msnchat45.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} -

hxxps://plugins.valueactive.eu/flashax/iefax.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} -

hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
TCP: {6271B74A-4842-4248-AF8B-44FEB9C12FC3} = 212.139.132.56 212.139.132.57
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1

\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32

\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1

\mozilla\firefox\profiles\q2jjrzxf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\internet saving optimizer\3.1.0.3900

\ff\components\NPFFAddOn.dll
FF - component: c:\program files\media access startup\1.0.0.610

\ff\components\HPFFAddOn.dll
FF - plugin: c:\documents and settings\william hayward\application

data\mozilla\firefox\profiles\q2jjrzxf.default\extensions\[email protected]\platform

\winnt_x86-msvc\plugins\npfax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-06-11 12:07 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-10 18:15 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-10 18:04 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-

3E09-4E5E-81B7-FE5819D6772F}
2009-06-10 17:57 <DIR> --d----- c:\program files\Lavasoft
2009-06-10 15:08 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 15:08 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-07 17:22 <DIR> --dsh--- c:\documents and settings\william

hayward\IECompatCache
2009-06-07 16:27 23,552 ac------ c:\windows\system32\dllcache\wdmaud.drv
2009-06-07 16:27 23,552 a------- c:\windows\system32\wdmaud.drv
2009-06-07 16:25 427 a------- c:\windows\system\CmiCnfg.ini
2009-06-07 16:25 225,280 a------- c:\windows\CmiRmRedundDir.exe
2009-06-07 16:25 <DIR> --d----- c:\program files\C-Media 3D Audio
2009-06-07 10:07 100,489 a------- c:\windows\UninstallFirefox.exe
2009-06-06 13:50 1,089,593 -c------ c:\windows\system32

\dllcache\ntprint.cat
2009-06-05 23:47 <DIR> --dsh--- c:\documents and settings\william

hayward\PrivacIE
2009-06-05 23:35 <DIR> --dsh--- c:\documents and settings\william

hayward\IETldCache
2009-06-05 20:36 <DIR> --d----- c:\windows\ie8updates
2009-06-05 20:33 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-05 20:22 <DIR> -cd-h--- c:\windows\ie8
2009-06-02 23:33 <DIR> --d----- c:\docume~1\willia~1\applic~1\GlarySoft
2009-06-02 23:25 <DIR> --d----- c:\program files\Glary Utilities
2009-06-01 21:56 <DIR> --d----- c:\docume~1\willia~1\applic~1\Webroot
2009-06-01 20:24 <DIR> --dsh--- C:\found.000
2009-05-31 21:37 <DIR> --d----- c:\program files\Ask.com
2009-05-31 21:35 <DIR> --d----- c:\program files\MSSOAP
2009-05-31 21:33 1,563,008 a------- c:\windows\WRSetup.dll
2009-05-31 21:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-05-31 21:33 <DIR> --d----- c:\program files\Webroot
2009-05-31 20:34 <DIR> --d----- c:\program files\Enigma Software Group
2009-05-26 14:54 <DIR> --d----- c:\program files\Media Access Startup
2009-05-26 14:54 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-05-26 14:52 <DIR> --d----- c:\program files\DoubleD
2009-05-16 21:23 0 a------- c:\windows\popcreg.dat

==================== Find3M ====================

2009-06-07 10:07 4,145 ac------ c:\windows\mozver.dat
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 15:49 76,487 a-------

c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-21 18:27 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-21 18:27 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-21 18:27 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2005-12-15 23:43 774,144 ac------ c:\program files\RngInterstitial.dll
2004-02-07 12:27 4 ac------ c:\documents and settings\william

hayward\SETUP.DAT
2003-07-15 01:15 722 ac------ c:\program files\INSTALL.LOG

============= FINISH: 11:57:48.50 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:56 AM

Posted 22 June 2009 - 05:06 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:56 PM

Posted 27 June 2009 - 12:18 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users