Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting Redirected From Websites + Slow Browser


  • This topic is locked This topic is locked
2 replies to this topic

#1 ProfessorChaos2007

ProfessorChaos2007

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 23 September 2007 - 08:40 PM

Ok this is a weird problem, this may be a bit long but I want to be complete...

I have 2 computers - desktop & laptop, connected in my dorm room via a wireless router connected to my dorm's LAN.

The desktop has intermittent problems where when trying to get to gmail (gmail.google.com), I find that it starts connecting to another site, 31joy.com or some other site, and I'm presented with a screen full of garbage characters. Often the browser (IE & Mozilla, I've tried both), runs VERY slow, though the rest of the computer runs fine. I cleared a virus from my computer *DOOR*.LL, and it ran fine, but now it's back, and I have the problem on my laptop too. THough a scan with AVG and Ad-Aware and Trend Micro finds no malware on the laptop. But when I take the laptop to the library and connect to their wireless network, the problem is gone! THen I reconnect to my network and it's back. I've reset my router and AVG doesn't find any viruses on my hard drive.

Though on my laptop, Trend Micro gives me a popup saying it found the malware WORM_DROM.AI in files OnlO0r.dll and fjOs0r.dll.

AVG on my desktop says that I have "Win32/PEPatch.X" in files on my temp directory numbered 1.exe through 10.exe
Temp\2.exe
3.exe, 4.exe, 5.exe

I've run AVG, Ad-Aware, Trend-Micro OfficeScan and Hijack this on both computers, as well as registry cleaning programs.


HEre's the Hijackthis log from my laptop:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:37 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Wireless\Bin\EvtEng.exe
D:\Trend Micro\OfficeScan Client\ntrtscan.exe
D:\Wireless\Bin\RegSrvc.exe
D:\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
D:\Wireless\bin\ZCfgSvc.exe
D:\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Synaptics\SynTP\SynTPLpr.exe
D:\Synaptics\SynTP\SynTPEnh.exe
D:\Trend Micro\OfficeScan Client\pccntmon.exe
D:\Trend Micro\OfficeScan Client\TmPfw.exe
D:\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\TEMP\HZ95E0.EXE
D:\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
D:\Mozilla Firefox\firefox.exe
D:\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Dave\Desktop\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe

R3 - Default URLSearchHook is missing
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:\Program Files\Common Files\fjOs0r.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] D:\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AAWTray] D:\Ad-Aware 2007\AAWTray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://D:\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 4137 bytes


----------------------------
HERE'S THE ONE FROM MY DESKTOP
----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:30 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Common Files\Acronis\Schedule2\schedul2.exe
D:\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Grisoft\AVG7\avgamsvr.exe
D:\Grisoft\AVG7\avgupsvc.exe
D:\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Grisoft\AVG7\avgcc.exe
D:\Winamp\winampa.exe
D:\Acronis TrueImage Home\TrueImageMonitor.exe
D:\Java\jre1.6.0_02\bin\jusched.exe
D:\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Acronis TrueImage Home\TimounterMonitor.exe
D:\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\Collegio Football\2008\cgofbfs.exe
D:\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
D:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave\Desktop\HiJackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - D:\Common Files\fjOs0r.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Acronis TrueImage Home\TrueImageMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Acronis TrueImage Home\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AAWTray] D:\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Collegio Football FastStart] "D:\Collegio Football\2008\cgofbfs.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = D:\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190530772515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190530730578
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_9.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - D:\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Unknown owner - D:\Trend Micro\OfficeScan Client\TmPfw.exe (file missing)
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - D:\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)

--
End of file - 7787 bytes

BC AdBot (Login to Remove)

 


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:06:07 AM

Posted 02 October 2007 - 09:44 PM

Hi ProfessorChaos2007,

Welcome to Bleeping Computer. Sorry for the delay, this forum is overwhelmed right now.

Both your computers are infected. Decide which one you want to fix first. Shut the other one down and leave it powered off. As long as it is running and connected to your network it will keep re-infecting the machine we are trying to clean.

For the machine you want to fix first, do the following:

Move HijackThis to its own folder. To do this, first delete the copy you have on your desktop, then click here and download the new version to your desktop.

To install HijackThis, double-click on the icon. When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis. Accept this default. When it is done installing, HijackThis will automatically launch. When the license agreement appears, select I accept and then close the program.

Next, disable or remove any peer-to-peer file sharing programs you have running. (I see BitComet on your laptop.) These things are dangerous -- you can read more about that in this article -- but even if you decide to keep using them, at least shut them down until we get the machine cleaned up.

Now, run Combofix.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

Then open HijackThis and run a fresh scan. Post that log together with the Combofix log in your next reply.

Dave

#3 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:06:07 AM

Posted 15 October 2007 - 05:28 AM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users