
I've been hijacked


This topic is locked.
2 replies to this topic

#1 Focuslight

  • Members
  • 1 posts

Posted 15 February 2009 - 11:10 PM

Thanks to a little bit of internet research, I've learned that I managed to obtain some hijacks that stuck around after dealing with a backdoor trojan. While Norton addressed it best it could, now whenever I click a link from a search engine I get redirected to spammy websites opened in new tabs. I used HijackThis to analyze it myself, and very carefully tried to "fix" the files I knew were not legit files with the help of a guide (http://forums.majorgeeks.com/showthread.php?t=38752). Unfortunately this has not yet resolved the problem and I don't want to further damage my computer with my own carelessness.

I am also having a problem with my edition of Norton 360 enabling auto-protect, but I think this is unrelated and can be fixed with a re-install.

Thanks for your help in advance,
-Focus

DDS (Ver_09-02-01.01) - NTFSx86
Run by Melissa at 19:49:56.27 on 15/02/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3061.1744 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveServiceD.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveD.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Users\Melissa\Downloads\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Melissa\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Melissa\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.shoptoshiba.ca/welcome
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [MacDrive 7 Generic TimeOutPatch] c:\program files\mediafour\macdrive 7\macdrive_7_generic_timeout_patch\TimeOutPatch.EXE
uRun: [<NO NAME>]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MacDrive application] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [Getting started with MacDrive] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [{FD1C41EC-B9AC-4F08-9BDB-CC8ECC8FC1B3}] "c:\program files\mediafour\macdrive 7\MacDriveD.exe"
mRun: [MacDrive 7 Generic TimeOutPatch] c:\program files\mediafour\macdrive 7\macdrive_7_generic_timeout_patch\TimeOutPatch.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
StartupFolder: c:\users\melissa\appdata\roaming\micros~1\windows\startm~1\programs\startup\macdri~1.lnk - c:\program files\mediafour\macdrive 7\macdrive_7_generic_timeout_patch\TimeOutPatch.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\76z9es2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cbc.ca/news/
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2008-7-22 288768]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2007-2-28 19072]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090129.001\IDSvix86.sys [2009-1-30 270384]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-14 16400]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2008-6-14 21504]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 MacDriveService;MacDrive service;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2008-5-2 150528]
R2 MacDriveServiceD;MacDriveServiceD;c:\program files\mediafour\macdrive 7\MacDriveServiceD.exe [2007-4-18 143360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-15 99376]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-6-13 41008]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DGFWBOOT;Bootloader Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\dgfwboot.sys [2008-8-14 24080]
S3 DIGIFW;Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\digifw.sys [2008-8-14 167952]

=============== Created Last 30 ================

2009-02-15 16:57 4,785 a------- c:\windows\system32\warning.gif
2009-02-15 16:57 1,347 a------- c:\windows\system32\ahtn.htm
2009-02-15 16:56 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-15 16:56 1 a------- c:\windows\system32\uniq.tll
2009-02-15 16:56 24,064 a------- c:\windows\system32\303350.exe
2009-02-15 16:52 347 ---shr-- C:\autorun.inf
2009-02-15 16:01 <DIR> a-d----- c:\programdata\TEMP
2009-02-15 14:12 257,951,331 a------- c:\windows\MEMORY.DMP
2009-02-14 17:23 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-14 17:23 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-14 17:23 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-14 17:23 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-14 17:23 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 21:01 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 21:01 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-11 00:07 39 a------- c:\windows\3D Text Factory.INI
2009-02-10 23:53 10 -----r-- c:\windows\ABC3D.SN
2009-02-01 21:01 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-01 21:01 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-01 21:01 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-01 21:01 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-01 21:01 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-01 21:01 11,264 a------- c:\windows\system32\icardres.dll
2009-02-01 21:01 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-01 21:01 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-01 20:54 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-01 20:53 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-01 20:53 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-01 20:53 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-01 20:53 83,968 a------- c:\windows\system32\mscories.dll
2009-01-24 21:01 <DIR> --d----- c:\programdata\Adobe

==================== Find3M ====================

2009-01-15 07:05 86,016 a------- c:\windows\inf\infstor.dat
2009-01-15 07:05 51,200 a------- c:\windows\inf\infpub.dat
2009-01-15 07:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-10 23:02 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-10 23:02 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-10 23:02 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-23 03:47 138,240 a------- c:\windows\system32\drivers\Rtlh86.sys
2008-12-23 03:47 10,240 a------- c:\windows\system32\RtNicProp32.dll
2008-06-14 12:14 174 a--sh--- c:\program files\desktop.ini
2008-06-14 12:00 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-02 12:29 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-02 12:29 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-02 12:29 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:50:31.26 ===============
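As an added example (not code from the original post, from DDS or from HijackThis): a small Python triage script that reads a DDS log offline and flags the entries a helper would look at first in a log like the one above: policy values that malware commonly sets (Task Manager disabled, UAC turned off), BHO entries whose DLL is gone, Run values with an empty name, and newly created files with suspicious traits (a hidden/system autorun.inf in the drive root, an executable with a purely numeric name in system32, a "64" binary on a 32-bit install, a one-byte marker file). The sample input is a constructed subset of the lines from the log above, kept in DDS's own layout; in practice the whole dds.txt is the input. The heuristics, the TAMPER_POLICIES table and the Finding type are the example's own choices, and the u/m/d prefixes are read as DDS uses them (current user, machine, default user). A hit means "review this", not a verdict: an administrator can legitimately set any of these policies, and a new file in system32 is usually an update.

```python
"""Offline triage of a DDS log excerpt: flag policy tampering, orphaned
BHOs and suspicious newly created files for a human to review."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: a subset of the lines from the DDS log posted above,
# kept in DDS's own layout so the regexes below see the real format.
SAMPLE_DDS_LOG = r"""DDS (Ver_09-02-01.01) - NTFSx86
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [<NO NAME>]
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
=============== Created Last 30 ================
2009-02-15 16:57 4,785 a------- c:\windows\system32\warning.gif
2009-02-15 16:56 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-15 16:56 1 a------- c:\windows\system32\uniq.tll
2009-02-15 16:56 24,064 a------- c:\windows\system32\303350.exe
2009-02-15 16:52 347 ---shr-- C:\autorun.inf
2009-02-14 17:23 428,544 a------- c:\windows\system32\EncDec.dll
2009-01-24 21:01 <DIR> --d----- c:\programdata\Adobe
==================== Find3M ====================
"""

# Policy values that are classic tampering signs when nobody set them on purpose.
# Keyed by (Policies subkey, value name) -> the value that is the red flag.
# Table is this example's choice; all three are well-known Explorer/System policies.
TAMPER_POLICIES = {
    ("system", "DisableTaskMgr"): "1",        # Task Manager blocked
    ("system", "DisableRegistryTools"): "1",  # regedit blocked
    ("system", "EnableLUA"): "0",             # UAC switched off (Vista and later)
}
SCOPE = {"u": "HKCU", "m": "HKLM", "d": "default user"}   # DDS prefixes as assumed here

POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s+(\w+)\s+=\s+(\d+)\b")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Finding:
    category: str   # "policy", "orphan", "autostart" or "file"
    line: str       # the DDS line that triggered the finding
    reason: str


def _file_reason(size: str, attrs: str, path: str, is_x86: bool) -> Optional[str]:
    """Return why a 'Created Last 30' entry deserves a look, or None."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    flags = set(attrs) - {"-"}                      # DDS attribute letters, e.g. {'s','h','r'}
    in_root = re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None
    in_sys32 = "\\windows\\system32\\" in p and p.count("\\") == 3   # directly in system32
    if in_root and name == "autorun.inf" and flags & {"h", "s"}:
        return "hidden/system autorun.inf in drive root (AutoRun persistence)"
    if in_sys32 and ext in EXEC_EXT:
        if stem.isdigit():
            return "executable with a purely numeric name dropped in system32"
        if is_x86 and stem.endswith("64"):
            return "'64' in the name on a 32-bit install, mimics a system binary"
    if in_sys32 and size != "<DIR>" and int(size.replace(",", "")) <= 1:
        return "near-empty file in system32 (possible infection marker)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log and collect review-worthy entries."""
    findings: List[Finding] = []
    is_x86 = "NTFSx86" in log_text                 # DDS puts the architecture in its header
    for raw in log_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            scope, subkey, name, value = m.groups()
            if TAMPER_POLICIES.get((subkey, name)) == value:
                findings.append(Finding("policy", line,
                                        f"{name}={value} under {SCOPE[scope]} Policies\\{subkey}"))
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("orphan", line, "BHO registered but its DLL is missing"))
            continue
        if re.match(r"^[umd]Run: \[<NO NAME>\]", line):
            findings.append(Finding("autostart", line, "Run value with an empty name"))
            continue
        m = FILE_RE.match(line)
        if m:
            _date, _time, size, attrs, path = m.groups()
            reason = _file_reason(size, attrs, path, is_x86)
            if reason:
                findings.append(Finding("file", line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Run against the excerpt it reports the three tampered policy values (DisableTaskMgr for the current and default user, EnableLUA=0 on the machine), the orphaned BHO, the nameless Run value, and four files; EncDec.dll, warning.gif and the Adobe BHO are left alone. The next step for the policy hits is a live check of the same values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, and for the file hits, hashing the files before anything is deleted.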


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 25 February 2009 - 11:14 PM

Hello Focuslight,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 01 March 2009 - 06:17 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic