Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijack & Scanners won't run


  • This topic is locked This topic is locked
2 replies to this topic

#1 Gary8

Gary8

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 07 April 2009 - 08:11 AM

I have several issues going on. I have my google search results being HiJacked. I primarily use Firefox, but both Firefox and IE are affected. Ad-Aware, Spybot, and Anti-Malware won't run normally. I was able to rename Spybotsd.exe to spybotsd1.exe and get it to run successfully, but the others won't run at all... Even when renamed. Spybot supposedly finds and cleans win32.tdss.rtk, but it continues to find it with each scan. My installed Symantec Endpoint Protection will only scan the C: and D: drives and won't scan my E:, K:, and O: drives, and finds nothing. (These are all local drives.. not network drives). I have run the online Kapersky, ESET, and Panda scans which find nothing, but at least they scan all the drives.

Here is my HiJackthis log: Any help will be very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:28 AM, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
e:\APC\POWERC~1\agent\pbeagent.exe
e:\APC\POWERC~1\server\PBESER~1.EXE
D:\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
D:\Symantec\Backup Exec\NT\beremote.exe
D:\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Nero 7\InCD\NBHGui.exe
D:\Nero 7\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\ZoneAlarm\zlclient.exe
C:\WINDOWS\System\CmFlywav.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System\CMAS2DS.EXE
D:\Spybot - Search & Destroy\TeaTimer.exe
E:\HP_Printer\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\logon.scr
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 69.147.112.160 mail.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\SUN_Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VxTaskbarMgr] D:\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SecurDisc] D:\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] D:\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{F48CE42D-096C-1033-1021-050506080001}] "C:\Program Files\Common Files\{F48CE42D-096C-1033-1021-050506080001}\Update.exe" mc-110-12-0000272
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP_Printer\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with GetRight - E:\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\SUN_Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\SUN_Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180999411011
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://sympatico.zone.msn.com/bingame/zuma...aploader_v6.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thehales.homeip.net
O17 - HKLM\Software\..\Telephony: DomainName = thehales.homeip.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D401D0-0F77-478A-BB68-494DD1279453}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thehales.homeip.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = thehales.homeip.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.187,85.255.112.208
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = thehales.homeip.net
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: SearchList = thehales.homeip.net
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = thehales.homeip.net
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: SearchList = thehales.homeip.net
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = thehales.homeip.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - E:\Bentley Publishers\eBahn\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - E:\Bentley Publishers\eBahn\hsppp.dll
O18 - Protocol: x-ebahn - {8D32BA61-D15B-11D4-894B-000000000000} - E:\Bentley Publishers\eBahn\hsppp.dll
O20 - Winlogon Notify: winkzt32 - winkzt32.dll (file missing)
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - e:\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - e:\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - D:\Symantec\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - D:\Symantec\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - D:\Symantec\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - D:\Symantec\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - D:\Symantec\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PDEngine - Unknown owner - D:\Raxco\PerfectDisk\PDEngine.exe (file missing)
O23 - Service: PDScheduler (PDSched) - Unknown owner - D:\Raxco\PerfectDisk\PDSched.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11070 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:28 AM

Posted 12 April 2009 - 06:06 PM

Hello Gary8,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:28 AM

Posted 20 April 2009 - 08:02 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Edited by teacup61, 20 April 2009 - 09:32 AM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users