google hijacked, internet programs not working, now no internet on computer.


31 replies to this topic

#1 Jennasie

  • Members
  • 21 posts

Posted 09 March 2009 - 11:30 PM

Hi,

I'm usually pretty good at keeping my computer protected and clean. If I ever get a virus I can usually fix it myself by researching and such.

This time however I'm not so lucky, I can't seem to figure it out at all.

I recently got a new wireless card for my computer because I thought my old one was really broken, the hard covers had come off so the insides were all sticking out. My internet had been running slowly, I just figured it was the source of the problem.

Today however, Firefox crashed, and I couldn't get it to come back up at all, it would just keep crashing. Same with Internet Explorer, it would load a page and then crash, telling me that "Internet Explorer has encountered an error and needs to shut down."

Google has been redirecting to a sub-site instead of Google itself, like I was searching through an outside website.

I finally thought to try Safari. I got the internet working but every Google link I clicked would redirect to something completely irrelevant.

Throughout my troubles I have not been able to load MalwareBytes or AVG. They both pop up with error messages before they even load. I originally was trying to re-download AVG because I figured whatever virus this is deleted essential files from the program, but my installation failed stating the registry key was invalid.

I believe I got into this mess having made the mistake of downloading an infected torrent file. I usually scan them but as I said, my virus programs haven't been working lately. Stupid me.

I tried starting in safe mode but it would get stuck and not load at all. I tried doing a system restore but the restore point I created when I installed my wireless card is gone, as are all other restore points.

Right now I'm using a different computer, because I can't even access an internet connection on mine anymore. I can't disable my connection or repair it, it's quite frustrating.

I'd like to post a HijackThis log but I don't know how I would do that at this time.

I would really appreciate if someone could just help me, talk me through or something.


Running Windows XP Service Pack 2.

thanks.

Edited by Jennasie, 09 March 2009 - 11:43 PM.


#2 Jennasie

Posted 10 March 2009 - 12:00 AM

So I did a little tweaking and I got my internet working again, it still has all the problems above but I can use it... sort of.

#3 Jennasie

Posted 10 March 2009 - 01:48 AM

So then I tripped over my power cord and destroyed my screen.

So I plugged in an extra monitor and avg seems to be working... O_o

scanning now.

#4 Jennasie

Posted 10 March 2009 - 06:36 PM

k so, scan picked up one trojan and some trackers from popups.

they have been removed but now, my settings on my screen are all screwy, i can only use default windows appearance, the other is just gone.


i also now cannot use safari, so i have no access to an internet browser, but i still have a connection.


i have no clue what is wrong here.

any help? please?

#5 Jennasie

Posted 10 March 2009 - 07:08 PM

alright, so i changed the malwarebytes .exe to a .bat and got it to run for me. currently scanning. hope this fixes things.


thanks for all the help.

#6 Jennasie

Posted 10 March 2009 - 08:22 PM

malwarebytes scan revealed a few trojans and some other things. all are now gone.

restarted my system and i can now get firefox and ie to stay open but i still can't access the internet through them.

my interface/settings are still in the old view, and i can't change it back to windows xp... i never changed it in the first place.. so, idk.



:thumbsup:

there is obviously something else here that i can't get rid of myself.

#7 boopme

  • Global Moderator
  • 73,421 posts

Posted 10 March 2009 - 08:29 PM

Hello, please post the MBAM log so we can see what and where the malware was.

Next run SAS

From your regular user account:
  • Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
  • DO NOT run yet.
  • Open SUPER from icon and install and Update it.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox or Opera browser click that browser at the top and choose: Select All
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
  • Open from the desktop icon or the program Files list
  • On the left, make sure you check C:\Fixed Drive.
  • Perform a Complete scan. After scan, Verify they are all checked.
  • Click OK on the summary screen to quarantine all found items.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log.
  • A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#8 Jennasie

Posted 10 March 2009 - 09:13 PM

i put the programs you specified on a flash drive and put them on my laptop, i got the superanti spyware to install but i cannot run the program. it says that "it encountered an error and needs to shut down"

as i was doing this i got this message on my screen.

"the instruction at "0x7564d27e" referenced memory at "0x00000060" the memory could not be "read""

titled "svchost.exe"


here is my MBAM log.

i don't know what to do about not being able to start the super program. i tried changing the file extension but that didn't work either.



Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

3/10/2009 5:49:27 PM
mbam-log-2009-03-10 (17-49-27).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 190970
Time elapsed: 50 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b098614a-cf78-44fc-95df-e722328c2058}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b098614a-cf78-44fc-95df-e722328c2058}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cf74eb59-d5b2-43ad-9d79-dbfa7844532b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mediaplayerplg.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcnost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\senekadrfnkvpp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\bits.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\ipdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
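
A triage pass over the Malwarebytes log format shown in the post above, as an added example that is not part of the original thread: it groups detections by family, lists files still waiting on a reboot, and collects the resolver addresses the DNSChanger entries had written into the `NameServer`/`DhcpNameServer` values. The function names are hypothetical; the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Excerpt copied from the Malwarebytes log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b098614a-cf78-44fc-95df-e722328c2058}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.102,85.255.112.186 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\mediaplayerplg.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcnost.exe (Trojan.Agent) -> Delete on reboot.
"""

# Detection line layout: "<target> (<family>) -> [Data: <data> -> ]<action>"
ENTRY = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> "
                   r"(?:Data: (?P<data>.*?) -> )?(?P<action>.+)$")
RUN_KEY = "\\currentversion\\run\\"  # autostart location seen in the log


def parse_mbam(text):
    """Return one dict per detection line, tagged with its log section."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):           # e.g. "Files Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if m:                                     # counters and "(No ...)" lines are skipped
            entries.append({"section": section, **m.groupdict()})
    return entries


def triage(entries):
    """Summarise what still needs attention after the scan."""
    dns = {}
    for e in entries:
        if e["data"] and e["target"].lower().endswith("nameserver"):
            for ip in e["data"].split(","):
                dns.setdefault(ip.strip(), []).append(e["target"])
    return {
        "families": Counter(e["family"] for e in entries),
        # Not removed yet: the scanner finishes these only after a restart.
        "pending_reboot": [e["target"] for e in entries
                           if "reboot" in e["action"].lower()],
        # Resolver addresses written by the malware -> registry values that held them.
        "rogue_dns": dns,
        "autostart": [e["target"] for e in entries
                      if RUN_KEY in e["target"].lower()],
    }


if __name__ == "__main__":
    report = triage(parse_mbam(SAMPLE_LOG))
    for name, value in report.items():
        print(name, "->", dict(value) if name == "families" else value)
```
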

#9 Jennasie

Posted 10 March 2009 - 09:38 PM

i tried a few different file extensions and got it to install, but as i said in a previous post i can't get it to go into safe mode, it gets stuck at

"multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers.mup.sys"

#10 boopme

Posted 10 March 2009 - 09:41 PM

Ok Jennasie, we have some work to do. I believe your flash drive is also infected.

For the PC, you need to reboot the PC normally to complete that malware removal. Next you must update the MBAM database and rescan; yours is quite dated.
Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates. When done, click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Now run Flash_Disinfector on the PC and the Flash Drive.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
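
A read-only check for the `autorun.inf` state described in the note above, as an added example that is not part of the original thread or of Flash_Disinfector: it reports whether a drive root holds no `autorun.inf`, a placeholder folder of that name, or a real file, and for a file lists the launch commands it declares. The function name and the status labels are hypothetical.

```python
import os
import sys


def inspect_autorun(root):
    """Classify the autorun.inf entry at a drive root without modifying anything.

    Returns (status, commands) where status is "absent", "folder" or "file"
    and commands is a list of (key, value) launch entries found in a file.
    """
    # Match the name case-insensitively, as Windows does.
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return "absent", []

    path = os.path.join(root, name)
    if os.path.isdir(path):
        # A folder already owns the name, so a file called autorun.inf
        # cannot be created next to it.
        return "folder", []

    commands = []
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            # Tolerant line parser: real-world files often carry junk lines.
            key, sep, value = raw.strip().partition("=")
            key = key.strip().lower()
            if sep and (key in ("open", "shellexecute") or key.startswith("shell\\")):
                commands.append((key, value.strip()))
    return "file", commands


if __name__ == "__main__":
    # Usage: python check_autorun.py E:\ F:\
    for drive in sys.argv[1:]:
        status, commands = inspect_autorun(drive)
        print(drive, status)
        for key, value in commands:
            print("   ", key, "=", value)
```

A "file" result with `open` or `shell\...` entries is the case worth examining before the drive is plugged into another machine.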

#11 Jennasie

Posted 10 March 2009 - 09:54 PM

i haven't been able to get updated for any of my programs because something is blocking my internet. none of my programs will connect... not even the super scan thing.

i will try to disinfect my flash drive now.

#12 boopme

Posted 10 March 2009 - 09:57 PM

Sorry to double post you. As this ..."multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers.mup.sys" ... will probably require a repair install to fix. Are you opposed to a full wipe of the hard drive and reinstall of the Operating system? This will fix all the problems and then you need only run Flash_Disinfector on your mobile drive.

#13 Jennasie

Posted 10 March 2009 - 10:01 PM

Sorry to double post you. As this ..."multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers.mup.sys" ... will probably require a repair install to fix. Are you opposed to a full wipe of the hard drive and reinstall of the Operating system? This will fix all the problems and then you need only run Flash_Disinfector on your mobile drive.



that would suck a lot. =\

i started the computer in safe mode with networking (just to see if it would work) and it started up in safe mode... currently running the superspyware program, will post log as soon as it's done

#14 boopme

Posted 10 March 2009 - 10:12 PM

Ok, :thumbsup: we'll move along then. As I may be gone till morning, try doing the same with MBAM to get an update and scan/log again.

#15 Jennasie

Posted 10 March 2009 - 11:04 PM

so here's this:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/10/2009 at 08:36 PM

Application Version : 4.25.1014

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 00:47:55

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 4474
Registry threats detected : 7
File items scanned : 20143
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\403D2EEC
HKLM\Software\Microsoft\403D2EEC#403d2eec
HKLM\Software\Microsoft\403D2EEC#Version
HKLM\Software\Microsoft\403D2EEC#403d836c
HKLM\Software\Microsoft\403D2EEC#403dea89
HKU\S-1-5-21-746137067-448539723-1801674531-1004\Software\Microsoft\CS41275
HKU\S-1-5-21-746137067-448539723-1801674531-1004\Software\Microsoft\FIAS4018



i tried to get programs to update but apparently i don't have network connections anymore. when i go to control panel > network connections nothing is there, i tried plugging in my ethernet cable, to no avail... i also can't access my c:/ drive without right clicking and clicking explore.



