Internet hijacked when running spyware/malware removal programs, internet also hijacked intermittently when CPU not in use


  • This topic is locked
4 replies to this topic

#1 texasrocker

  • Members
  • 2 posts

Posted 08 February 2009 - 09:47 AM

I try to run Housecall 6.5 and Kaspersky scans and my computer is slowed to a crawl about 5 seconds after the scan starts. I have downloaded ThreatFire and scanned my computer, and downloaded Malwarebytes Anti-Malware and scanned; the problem is not fixed. I have a svchost in my Task Manager that is always using between 2 and 5% of my CPU, but in reality seems to be freezing my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:55 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
D:\Programme\HijackThis.exe
K:\Programs\Safari\Safari.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://at7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://at7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {072CA835-0624-47B2-83D6-A7A5CD5C22DA} - (no file)
O2 - BHO: (no name) - {353B8BD5-5CF2-4036-83AF-48F67CBE369C} - (no file)
O2 - BHO: (no name) - {3AB032E2-DD70-4071-91E2-303A1798B817} - (no file)
O2 - BHO: (no name) - {4c4c1a5a-e630-47af-b1c4-186a9586d1c3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B1CB136-01BF-4EDC-99AB-0F10A8AC847C} - (no file)
O2 - BHO: (no name) - {6A1DDB8F-98EB-464D-BA0B-BA9584A1DF28} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9C35323A-05D9-42BF-8BE4-6DDB4AAE02B2} - C:\WINDOWS\system32\mlJdDVOf.dll (file missing)
O2 - BHO: (no name) - {C31DEA2A-708E-40D8-8F59-9996C03D8CFB} - (no file)
O2 - BHO: (no name) - {D181EE8E-AF1F-4237-AFDC-BA1092CB449D} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DF1BF564-5FB0-4B60-A3BA-493F1D0D5EA7} - (no file)
O2 - BHO: (no name) - {DFE33175-4231-4E50-8595-945F248E5142} - C:\Dokumente und Einstellungen\Craig Milam\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2SNFQ3ZM\silent.dll[1].bak
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Programme\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Inetreg] "C:\Programme\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
O4 - HKCU\..\RunOnce: [SpybotDeletingB6581] command /c del "C:\WINDOWS\system32\cbXOfeBu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3503] cmd /c del "C:\WINDOWS\system32\cbXOfeBu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7891] command /c del "C:\WINDOWS\system32\nnnoLDUO.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5591] cmd /c del "C:\WINDOWS\system32\nnnoLDUO.dll_old"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Labtec Mauseinstellungen.lnk = C:\Programme\Labtec Laser Mouse Software\MulMouse.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Programme\NETGEAR\WG311v3\wlancfg5.exe
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094206514030
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127987752812
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - file://F:\ols\connect\fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL tefexf.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ThreatFire - PC Tools - C:\Programme\ThreatFire\TFService.exe

--
End of file - 9104 bytes


#2 teacup61

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 February 2009 - 12:02 PM

Hello texasrocker,

Can you run in Normal Mode at all? If so, please post further HijackThis logs made in Normal Mode. HijackThis can't see everything when run in Safe Mode.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {072CA835-0624-47B2-83D6-A7A5CD5C22DA} - (no file)
O2 - BHO: (no name) - {353B8BD5-5CF2-4036-83AF-48F67CBE369C} - (no file)
O2 - BHO: (no name) - {3AB032E2-DD70-4071-91E2-303A1798B817} - (no file)
O2 - BHO: (no name) - {4c4c1a5a-e630-47af-b1c4-186a9586d1c3} - (no file)
O2 - BHO: (no name) - {5B1CB136-01BF-4EDC-99AB-0F10A8AC847C} - (no file)
O2 - BHO: (no name) - {6A1DDB8F-98EB-464D-BA0B-BA9584A1DF28} - (no file)
O2 - BHO: (no name) - {9C35323A-05D9-42BF-8BE4-6DDB4AAE02B2} - C:\WINDOWS\system32\mlJdDVOf.dll (file missing)
O2 - BHO: (no name) - {C31DEA2A-708E-40D8-8F59-9996C03D8CFB} - (no file)
O2 - BHO: (no name) - {D181EE8E-AF1F-4237-AFDC-BA1092CB449D} - (no file)
O2 - BHO: (no name) - {DF1BF564-5FB0-4B60-A3BA-493F1D0D5EA7} - (no file)
O2 - BHO: (no name) - {DFE33175-4231-4E50-8595-945F248E5142} - C:\Dokumente und Einstellungen\Craig Milam\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2SNFQ3ZM\silent.dll[1].bak
O4 - HKCU\..\RunOnce: [SpybotDeletingB6581] command /c del "C:\WINDOWS\system32\cbXOfeBu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3503] cmd /c del "C:\WINDOWS\system32\cbXOfeBu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7891] command /c del "C:\WINDOWS\system32\nnnoLDUO.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5591] cmd /c del "C:\WINDOWS\system32\nnnoLDUO.dll_old"
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file(s)(if they exist):

C:\WINDOWS\SYSTEM32\WinCtrl32.dll

This tool is designed for Safe Mode, so good there. :thumbup2:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks,
tea

Edited by teacup61, 08 February 2009 - 12:03 PM.


#3 texasrocker
  • Topic Starter

  • Members
  • 2 posts

Posted 08 February 2009 - 08:36 PM

Thank you so much, I can already tell a difference!

I'll attach the HijackThis file, but the Report.txt is 4.5 MB! It won't let me upload it!

Cheers,
Craig

Attached Files



#4 teacup61

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 February 2009 - 07:10 AM

Hi Craig,

I'm glad it's better already. :thumbup2:

Go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Click Apply, then exit Display Properties.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {DFE33175-4231-4E50-8595-945F248E5142} - C:\Dokumente und Einstellungen\Craig Milam\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2SNFQ3ZM\silent.dll[1].bak
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Programme\Messenger\pogovu.html
O24 - Desktop Component 1: (no name) - C:\Programme\MSN\medesisi.html


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folder, just in case it's still there :

C:\Dokumente und Einstellungen\Craig Milam\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2SNFQ3ZM

And the following files should be deleted, if they're still there:

C:\Programme\MSN\medesisi.html
C:\Programme\Messenger\pogovu.html

Reboot your computer.

Now make sure MBAM is updated and have a scan with it, please. Let me know if it finds anything and please post a new HijackThis log.

Thanks,
tea
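The two replies above pick entries out of the HijackThis log by hand: BHOs and URLSearchHooks whose DLL is gone, a BHO loaded from the Temporary Internet Files cache, leftover Spybot RunOnce delete commands, the WinCtrl32 Winlogon Notify hook, and the two O24 Active Desktop components. The script below is an added example, not code from this thread, from HijackThis or from the helper, that applies the same triage rules to log lines. The rule set and the "fix"/"review" labels are my own assumptions about what those replies were looking for, and the sample input is constructed from lines of the log posted in post #1.

```python
"""Rule-based triage of Trend Micro HijackThis 2.x log lines.

Added example for this thread; not HijackThis code and not the helper's
own tooling. The rules are assumptions that mirror the entries the replies
marked for "Fix checked". SAMPLE_LOG is constructed from the posted log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry starts with its section code ("R0", "O2", "O20", ...),
# a " - " separator, then the section-specific body.
_ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str      # HijackThis section code
    action: str    # "fix" = tick in "Fix checked"; "review" = verify the DLL first
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for benign/unknown lines."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None                      # running-process path, header, blank line
    code, body = m.group("code"), m.group("body")
    low = body.lower()

    # Orphaned hooks: the CLSID is still registered but its DLL is gone.
    if code in ("R3", "O2") and ("(no file)" in low or "(file missing)" in low):
        return Finding(code, "fix", "registered BHO/URLSearchHook whose DLL no longer exists", line)

    # A BHO loaded out of the browser cache is never a legitimate add-on.
    if code == "O2" and "temporary internet files" in low:
        return Finding(code, "fix", "BHO loaded from the Temporary Internet Files cache", line)

    # Cleaner leftovers: RunOnce entries that only delete a renamed DLL.
    if code == "O4" and "runonce" in low and re.search(r"\bdel\b", low):
        return Finding(code, "fix", "leftover RunOnce delete command; clear so it stops re-running", line)

    # O20 hooks load a DLL into every process (AppInit_DLLs) or into winlogon.
    # An entry whose file still exists is live code: verify before removing.
    if code == "O20":
        action = "fix" if "(file missing)" in low else "review"
        return Finding(code, action, "AppInit_DLLs / Winlogon Notify hook", line)

    # O24 Active Desktop components: a local HTML "wallpaper" is a classic hijack.
    if code == "O24":
        return Finding(code, "fix", "Active Desktop web component pointing at a local HTML file", line)

    # R0 SearchAssistant reset to about:blank is typical of a hijacker.
    if code == "R0" and "searchassistant" in low and "about:blank" in low:
        return Finding(code, "fix", "SearchAssistant blanked", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the hits, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C35323A-05D9-42BF-8BE4-6DDB4AAE02B2} - C:\WINDOWS\system32\mlJdDVOf.dll (file missing)
O2 - BHO: (no name) - {DFE33175-4231-4E50-8595-945F248E5142} - C:\Dokumente und Einstellungen\Craig Milam\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2SNFQ3ZM\silent.dll[1].bak
O4 - HKLM\..\Run: [ThreatFire] C:\Programme\ThreatFire\TFTray.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6581] command /c del "C:\WINDOWS\system32\cbXOfeBu.dll_old"
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: ThreatFire - PC Tools - C:\Programme\ThreatFire\TFService.exe
O24 - Desktop Component 0: (no name) - C:\Programme\Messenger\pogovu.html
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.code:<3} {f.reason}\n         {f.line}")
```

Two caveats the script encodes. "(no file)" and "(file missing)" entries are registry keys whose DLL is already gone, so they are dead references rather than running code; cleaning them removes clutter and stops a reinstalled DLL from being picked up again, but they are not what slows the machine. An O20 entry whose DLL still exists, like WinCtrl32.dll in the first log, is the live one, which is why the reply has the user delete the file as well as fix the registry entry, and why the later log still lists the hook as "(file missing)" until it is fixed a second time.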

#5 teacup61

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2009 - 12:41 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
