Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

An Unwanted Homepage Has Invaded My Pc As Prefered


  • This topic is locked This topic is locked
2 replies to this topic

#1 nclarsen

nclarsen

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 19 November 2007 - 01:35 PM

Hey,

I can't get rid of o homepage, witch has invaded my PC as prefered homepage.

The homepage use this adress: hxxp://www.protectionways.com, and wants me to downloade (and buy)different antivirus products, such as Virus heal, Antispyware Shiels, Malware buin and Intrusion Detection Systems (IDS software).

They also use this adress: hxxp://www.virprotec.com/?aff=112.

Please help me.

My best reguards

Niels Chr. Larsen

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52:07, on 19-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmer\Canon\CAL\CALMAIN.exe
C:\Norman\npm\bin\NVCSCHED.EXE
C:\Norman\npm\bin\NJEEVES.EXE
C:\Norman\npc\bin\npcsvc32.exe
C:\Norman\nvc\bin\nvcoas.exe
C:\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\npf\bin\npfuser.exe
C:\Programmer\Video Add-on\icthis.exe
C:\Programmer\Video Add-on\isfmntr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Norman\npm\bin\ZLH.EXE
C:\Programmer\Video Add-on\icmntr.exe
C:\Programmer\Video Add-on\isfmm.exe
C:\Programmer\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Norman\nvc\BIN\NIP.EXE
C:\Norman\nvc\bin\cclaw.exe
C:\Programmer\Microsoft Office\Office\FINDFAST.EXE
C:\Programmer\Microsoft Office\Office\OSA.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - C:\Programmer\Video Add-on\isfmdl.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar3.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Programmer\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [hcenter] "C:\Programmer\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AROReminder] C:\Programmer\Advanced Registry Optimizer\aro.exe -rem
O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\mssearchnet.exe
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] dfrgsrv.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Programmer\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Programmer\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Hurtig søgning.lnk = C:\Programmer\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office-start.lnk = C:\Programmer\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\npc\bin\nlf.dll
O15 - Trusted Zone: http://www.bgbank.dk
O15 - Trusted Zone: http://www.msn.dk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150392215441
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Sa...G/e-Safekey.cab
O22 - SharedTaskScheduler: Replay for WindowsXP - {D81E2FC4-B0A2-11D3-21AC-07C04C21A18A} - C:\WINDOWS\system32\replmap.dll (file missing)
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - C:\WINDOWS\system32\fftktmk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmer\Canon\CAL\CALMAIN.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe

--
End of file - 9516 bytes


Mod Edit: Disabled active links to malware sites.~ TMacK

Edited by TMacK, 19 November 2007 - 03:20 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:39 PM

Posted 27 November 2007 - 01:32 AM

Hello Niels,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:39 PM

Posted 18 December 2007 - 12:29 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users