Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirected by malware


  • This topic is locked This topic is locked
3 replies to this topic

#1 Darthkk

Darthkk

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 10 January 2009 - 11:01 AM

Hi all, For the last week of so my IE and Firefox browser first page links are redirected to sites such as www.monstermarketplace.com and www.nexplore.com . Safari is ok. I have read a lot of forum posts and have tried most of the suggested malware removal tools (StopZilla, Spy Doctor, Adware, Kaspersky, AGV, Vundofix, and a few more I've forgotten about). I've updated my Java (yet the on-line scan with Kaspersky still says my Java is out of date?), and removed a lot of old software that is no longer used.

I'm stumped! Any help appreciated.

System Model Dell DXG051 (XPS)
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600


DSS.txt results

DDS (Ver_09-01-07.01) - NTFSx86
Run by Dad at 10:45:25.15 on 10/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1361 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\Z1UEH8ZO\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PMX Daemon] ICO.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: {765AB1C4-3AF9-4071-95B3-B622B53CCC37} = 64.71.255.198
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\30ja4tvu.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-4 227344]
R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [2007-9-6 376320]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2007-9-7 61526]
S3 P1160COM;Creative PC-CAM 880 (Camera);c:\windows\system32\drivers\p1160buk.sys --> c:\windows\system32\drivers\P1160Buk.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-01-06 20:40 0 a------- C:\proc.id
2009-01-06 20:40 0 a------- C:\asdasd.asdasd
2009-01-06 19:44 <DIR> --d----- c:\docume~1\dad\applic~1\MSNInstaller
2009-01-06 19:40 1,594 a------- c:\windows\VPNUnInstall.MIF
2009-01-06 19:30 <DIR> --d----- C:\Dell
2009-01-06 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-01-06 16:07 <DIR> --d----- c:\program files\common files\iS3
2009-01-06 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-01-05 18:41 <DIR> --d----- c:\program files\CCleaner
2009-01-04 17:34 <DIR> --d----- c:\program files\Trend Micro
2009-01-04 17:33 <DIR> --d----- C:\VundoFix Backups
2009-01-04 17:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-04 17:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-04 14:39 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-04 14:39 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-04 14:38 6,909,984 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-04 14:38 589,856 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-04 14:38 56,112 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-04 14:38 4,144 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-04 14:38 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-04 14:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-04 14:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-04 12:26 <DIR> --d----- c:\windows\pss
2008-12-27 14:34 <DIR> --d----- c:\program files\iPod
2008-12-27 14:34 <DIR> --d----- c:\program files\iTunes
2008-12-27 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 12:30 <DIR> --d----- c:\program files\Bonjour
2008-12-25 11:03 <DIR> --d----- c:\program files\Sony
2008-12-24 20:07 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-24 19:19 <DIR> --d----- c:\program files\Lavasoft
2008-12-24 19:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-24 19:12 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2008-12-24 19:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 19:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 19:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 19:10 33,832 a------- c:\windows\system32\dnqdcxev.exe
2008-12-24 19:07 33,832 a------- c:\windows\system32\mcvtqhyt.exe
2008-12-24 15:34 1,668,120 a------- c:\windows\system32\kkhiehqr.ini
2008-12-24 15:33 609,043 a------- c:\windows\system32\yIihOqru.ini
2008-12-24 15:33 608,896 a------- c:\windows\system32\yIihOqru.ini2
2008-12-24 08:12 1,668,120 a------- c:\windows\system32\gyokqrhk.ini
2008-12-24 08:09 609,595 a------- c:\windows\system32\JmSCccfe.ini2
2008-12-24 08:09 610,232 a------- c:\windows\system32\JmSCccfe.ini
2008-12-24 06:51 1,668,120 a------- c:\windows\system32\eobuqdjj.ini
2008-12-24 06:45 609,696 a------- c:\windows\system32\cIjlmUtv.ini2
2008-12-24 06:45 609,696 a------- c:\windows\system32\cIjlmUtv.ini

==================== Find3M ====================

2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-11-11 19:58 25,601 a------- c:\windows\system32\drivers\klopp.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-06-17 10:17 0 a------- c:\program files\temp01
2007-10-11 18:01 80 ---shr-- c:\windows\system32\99997C87F3.dll

============= FINISH: 10:46:15.04 ===============

Any help appreciated

Attached Files



BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:45 PM

Posted 25 January 2009 - 01:32 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Darthkk

Darthkk
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 28 January 2009 - 05:53 PM

Thanks for getting to me however I decided to blast my computer and start from scratch. Runs like a charm now.
Mike

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:45 PM

Posted 30 January 2009 - 01:59 PM

Thanks for letting me know.

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users