Browser Hijack after MS Antispyware 2009 removal


  • This topic is locked
3 replies to this topic

#1 Buck Bundy

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 30 December 2008 - 08:09 PM

Hi,

I somehow managed to get MS Antispyware 2009 installed, and after appearing to get rid of it manually (on the face of it at least), I'm left with a few possibly related problems...

Google is hijacked and although results look normal, I cannot see the URL in the status bar when rolling over the link, and when clicking a link it takes me to another search page, K search for example. If I type a URL directly, it displays a 404 page, but only links it doesn't want me to see such as Lavasoft, and this forum!

Also, after first noticing my mouse custom buttons failed to work, I realised a load of things have been disabled from starting automatically, the MS intellimouse tool among them.

McAfee Internet Security has been disabled from updating, but otherwise appears ok, and it seems Windows update has also been disabled.

I cannot enter safe mode, and most control panel items are inaccessible as rundll32.exe is missing.

What have I done so far? Well I manually removed MS Antispyware 2009 from HDD and registry, managed to kid it into letting me install HJT (but only after renaming it), CWShredder came up clean, I installed Ashampoo Antispyware 2 (from a cover disk) which found and fixed a couple of things that repaired the google results hijack, but the problem returned when I restarted the machine and nothing has been found since. I managed to get Adaware 2008 installed, but cannot update it, but that came up clean. I've installed MBAM but even after renaming it, it refuses to run. The process appears in task manager but nothing happens.

Here's the DDS log:


DDS (Version 1.1.0) - FAT32x86
Run by Dafydd at 0:07:13.18 on 31/12/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.281 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
svchost.exe "C:\WINDOWS\system32\kdcomw.exe"
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\explorer.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKE.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Shell=c:\windows\explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SSS7] "c:\program files\steganos security suite 7\SSS7.exe" -boot
uRun: [EPSON Stylus SX600FW(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatieke.exe /fu "c:\windows\temp\E_S50C.tmp" /EF "HKCU"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nForce Tray Options] sstray.exe /r
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [AntiSpyWare2Guard] d:\program files\ashampoo\ashampoo antispyware 2\AntiSpyWare2Guard.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [SSS7] "c:\program files\steganos security suite 7\SSS7.exe" -firstboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -
LSA: Notification Packages = scecli scecli scecli

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-10 207656]
R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;d:\program files\ashampoo\ashampoo antispyware 2\AntiSpyWareService.exe [2008-12-21 749400]
R2 aawservice;Lavasoft Ad-Aware Service;"d:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-11 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-11 144704]
R2 SLEE_81_DRIVER;Steganos Live Encryption Engine 8.1 [Driver];\??\c:\windows\system32\drivers\SLEE81.sys [2005-5-13 69632]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-11 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-10 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-10 40488]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; []
S2 McNASvcMcProxy;McAfee Network Agent McNASvcMcProxy;c:\windows\system32\kdcomw.exe srv []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-10 34152]

=============== Created Last 30 ================

2008-12-30 22:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-28 22:25 <DIR> --d----- C:\Emmas phone mem card backup
2008-12-21 19:31 <DIR> --d----- c:\program files\Trend Micro
2008-12-21 18:00 <DIR> --d----- c:\windows\pss
2008-12-14 23:17 246 a------- c:\windows\system32\drivers\atmapi.sys
2008-12-14 23:17 32,768 a------- c:\windows\system32\fkj.jee
2008-12-14 23:17 24,576 a------- c:\windows\system32\rgr6.pa
2008-12-14 23:17 32,768 a------- c:\windows\system32\zed.pa
2008-12-14 23:17 21,504 a------- c:\windows\system32\v1.e2
2008-12-14 23:17 65,024 a------- c:\windows\system32\r33.es
2008-12-14 23:17 64,512 a------- c:\windows\system32\efgop.ee
2008-12-14 23:17 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-14 23:17 307,200 a------- c:\windows\system32\nvaux32.dll

==================== Find3M ====================

2008-12-14 23:17 578,560 a------- c:\windows\system32\user32.DLL
2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-27 21:20 34,816 ---shr-- c:\windows\system32\kdcomw.exe
2008-10-24 11:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-21 17:36 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-18 22:58 286,720 a------- c:\windows\iun506.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-13 15:27 2,678 a------- c:\windows\java\packages\data\WDFPNHRJ.DAT
2008-10-13 15:27 2,678 a------- c:\windows\java\packages\data\XZ7XJ9JL.DAT
2008-10-13 15:27 2,678 a------- c:\windows\java\packages\data\UJNRJRNV.DAT
2008-10-13 15:27 2,678 a------- c:\windows\java\packages\data\Q1FZPNB1.DAT
2008-10-13 15:27 2,678 a------- c:\windows\java\packages\data\5ZRJBXZB.DAT
2008-10-11 00:44 249,856 a------- c:\windows\system32\pdfmona.dll
2008-10-11 00:44 51,716 a------- c:\windows\system32\pdf995mon.dll
2008-10-10 18:58 558,142 a------- c:\windows\java\packages\l7xjb753.zip
2008-10-10 18:58 155,995 a------- c:\windows\java\packages\u83zjrbv.zip
2008-10-10 18:56 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 0:08:28.84 ===============

Thanks in anticipation.
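A small triage script for the "Created Last 30" and "Find3M" sections of a DDS log like the one above, flagging system32 entries that deserve a closer look (unusual extensions, hidden+system attributes, several files landing in the same minute). This is an added example, not part of the post or of the DDS tool; the attribute-letter interpretation, the list of "common" system32 extensions and the burst threshold are my assumptions, and the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Added example: triage heuristics for DDS file listings (not DDS's own code).
# Line shape: "<date> <time> <size or <DIR>> <8 attribute letters> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# Extensions usually found directly under system32 (assumed, not exhaustive).
COMMON_EXT = {"exe", "dll", "sys", "ocx", "cpl", "drv", "dat", "ini", "log", "nls", "msc", "scr"}

# Sample input: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
2008-12-21 19:31 <DIR> --d----- c:\program files\Trend Micro
2008-12-14 23:17 246 a------- c:\windows\system32\drivers\atmapi.sys
2008-12-14 23:17 32,768 a------- c:\windows\system32\fkj.jee
2008-12-14 23:17 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-12-14 23:17 578,560 a------- c:\windows\system32\user32.DLL
2008-11-27 21:20 34,816 ---shr-- c:\windows\system32\kdcomw.exe
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

def parse_entries(log_text):
    """Parse each DDS file/dir line into a dict; non-matching lines are skipped."""
    out = []
    for m in filter(None, map(ENTRY_RE.match, log_text.splitlines())):
        stamp, size, attrs, path = m.groups()
        out.append({"stamp": stamp, "size": size, "attrs": attrs, "path": path.lower()})
    return out

def triage(entries, burst_min=3):
    """Return {path: [reasons]} for system32 files worth a closer look."""
    sys32 = [e for e in entries if "\\system32\\" in e["path"]
             and "\\dllcache\\" not in e["path"] and e["size"] != "<DIR>"]
    bursts = Counter(e["stamp"] for e in sys32)  # files sharing one minute
    flags = {}
    for e in sys32:
        reasons = []
        ext = e["path"].rsplit(".", 1)[-1] if "." in e["path"] else ""
        if ext not in COMMON_EXT:
            reasons.append("unusual extension in system32")
        if "h" in e["attrs"] and "s" in e["attrs"]:  # hidden + system set
            reasons.append("hidden+system attributes")
        if bursts[e["stamp"]] >= burst_min:
            reasons.append("part of %d-file burst at %s" % (bursts[e["stamp"]], e["stamp"]))
        if reasons:
            flags[e["path"]] = reasons
    return flags

def run_sample():
    return triage(parse_entries(SAMPLE_LOG))
```

Running it on the sample flags kdcomw.exe for its hidden+system attributes and the odd-extension files created alongside user32.dll at 2008-12-14 23:17, while leaving gdi32.dll and the dllcache copy alone.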


#2 Buck Bundy

  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 05 January 2009 - 06:03 AM

Hello,

Given the size of my problem, I've decided to zap the whole thing and reinstall Windows.

Hopefully that will sort it out, but if not I might be back for help sooner rather than later!

I'll let you spend time helping those for whom starting from scratch really isn't an option.

Thanks

Buck

#3 Buck Bundy

  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 05 January 2009 - 06:06 AM

Oops! duplicate reply!

Edited by Buck Bundy, 05 January 2009 - 06:08 AM.


#4 KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:08:39 PM

Posted 08 January 2009 - 01:37 PM

Thanks for informing us.
Sorry you had to reinstall.

If you have other problems please start a new topic.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)