
Internet Explorer 7 Hijacked


  • This topic is locked
3 replies to this topic

#1 Hodie72762

Hodie72762

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 27 April 2009 - 10:10 AM

IE 7 links are re-directed to "ads" and sometimes "surveys". I am having to use Google Chrome browser. My Avast Home is blocking a script / link? to "directitfast.com/seneka/engine?". This block is popping up every 2-3 min or so. So, I am infected with something. I have tried to do a "system restore" and it opens, but does not run after choosing a restore date. It just sits there frozen. I have removed viruses found by Malwarebytes and SuperAntiVirus Free versions, but they do not remove them completely? My work requires IE7 and I am desperate for help. Thank you so much in advance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Windows at 10:07:10.02 on Mon 04/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.139 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090426-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Vonage\Vonage Click-2-Call\click2call.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Windows\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Windows\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [Google Update] "c:\documents and settings\windows\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [lxdfmon.exe] "c:\program files\lexmark 6500 series\lxdfmon.exe"
mRun: [lxdfamon] "c:\program files\lexmark 6500 series\lxdfamon.exe"
mRun: [Lexmark 6500 Series Fax Server] "c:\program files\lexmark 6500 series\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Vonage] c:\program files\vonage\vonage click-2-call\click2call.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
Trusted Zone: crmondemand.com\*.secure-ausomxeaa
Trusted Zone: crmondemand.com\secure-ausomxeaa
Trusted Zone: unitedhealthadvisors.com\www
Trusted Zone: unitedhealthproducers.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.19/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191431230196
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198679527367
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} - hxxp://fdl.msn.com/public/investor/v5/ticker.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://goldenrule.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.stephens.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-22 114768]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-11-23 14464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-22 138680]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-22 352920]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2007-10-3 92550]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdfserv.exe [2008-1-11 99248]
S3 JL2008PC;Digital Camera;c:\windows\system32\drivers\jl2008pc.sys [2005-7-11 125370]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080519.003\NAVENG.SYS [2008-5-19 82256]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080519.003\NAVEX15.SYS [2008-5-19 895408]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]

=============== Created Last 30 ================

2009-04-27 08:16 <DIR> --d----- C:\New Folder
2009-04-27 08:06 <DIR> --d----- c:\program files\Cobian Backup 8
2009-04-21 16:53 389,120 a------- c:\windows\system32\CF11279.exe
2009-04-21 16:53 389,120 a------- c:\windows\system32\CF11272.exe
2009-04-21 16:53 <DIR> --d----- C:\ComboFix
2009-04-20 17:26 <DIR> --d----- c:\docume~1\windows\applic~1\Malwarebytes
2009-04-20 17:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 17:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 17:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-20 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 15:12 <DIR> --dsh--- c:\documents and settings\windows\IECompatCache
2009-04-20 14:37 <DIR> --dsh--- c:\documents and settings\windows\IETldCache
2009-04-20 14:28 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-20 14:28 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-04-20 14:26 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-20 09:06 <DIR> --d----- c:\program files\Trend Micro
2009-04-18 13:56 <DIR> --d----- c:\windows\Crack Installer
2009-04-18 13:56 <DIR> --d----- c:\program files\Crack Installer
2009-04-18 13:54 <DIR> --d----- c:\program files\IEToolbar
2009-04-16 05:21 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:21 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:21 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:21 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:21 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:21 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 05:21 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:21 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 05:21 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 05:21 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 09:54 <DIR> --d----- C:\MDT

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 17:02 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2008-08-04 20:50 8,104 a------- c:\docume~1\alluse~1\applic~1\ypinfo.bin
2006-06-02 12:12 65,536 a------- c:\program files\im32fax.dil
2008-06-28 10:59 56 ---shr-- c:\windows\system32\0C6F9F96EE.sys
2008-07-16 19:12 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-05-19 12:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051920080520\index.dat

============= FINISH: 10:08:01.50 ===============

Attached file: Attach.txt (10.68 KB)
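The DDS log above is what helpers on this board read by hand. As an added example (not part of the thread, and not code from the DDS tool), here is a small Python triage script that parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS-style log and surfaces the entries a helper would look at first: autorun entries with no name or no command, toolbar registrations whose DLL is missing, Internet Explorer Trusted Zone additions, new executables written under system32, and newly created folders with names like "Crack Installer". The sample lines are constructed from the log above; the flagging rules are my own assumptions, not DDS logic, and a flag means "review this", not "this is malware".

```python
"""Triage helper for DDS-style logs (added example; flag rules are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
Trusted Zone: unitedhealthproducers.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

=============== Created Last 30 ================

2009-04-21 16:53 389,120 a------- c:\windows\system32\CF11279.exe
2009-04-18 13:56 <DIR> --d----- c:\program files\Crack Installer
2009-04-20 17:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 05:21 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
"""


@dataclass
class Finding:
    section: str
    line: str
    reason: str


# Section banners look like "===== Pseudo HJT Report =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "uRun: [name] command"  or  "mRun: [<NO NAME>]" (no command at all)
RUN_RE = re.compile(r"^([um]Run):\s*\[(.*?)\](?:\s+(.*))?$")
# "TB: <name or CLSID> - <dll path | No File>"; CLSIDs contain '-' but never ' - '
TB_RE = re.compile(r"^TB:\s*(.*?)\s+-\s+(.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(.*)$")
# "YYYY-MM-DD HH:MM  <size or <DIR>>  <attrs>  <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.*)$")


def triage(text: str) -> list[Finding]:
    """Walk the log once, tracking the current section, and collect review items."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue

        if section == "Pseudo HJT Report":
            m = RUN_RE.match(line)
            if m:
                name, cmd = m.group(2), (m.group(3) or "").strip()
                if name == "<NO NAME>" or not cmd:
                    findings.append(Finding(section, line,
                        "autorun entry with no name or no command; remove if unexplained"))
                continue
            m = TB_RE.match(line)
            if m and m.group(2).strip().lower() == "no file":
                findings.append(Finding(section, line,
                    "toolbar registration whose DLL is missing (orphan from an incomplete removal)"))
                continue
            m = TRUSTED_RE.match(line)
            if m:
                findings.append(Finding(section, line,
                    f"IE Trusted Zone entry for {m.group(1)}; confirm it was added deliberately"))

        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            size, path = m.group(2), m.group(4)
            low = path.lower()
            if "\\dllcache\\" in low:
                continue  # Windows File Protection staging area; mostly update noise
            if "crack" in low or "keygen" in low:
                findings.append(Finding(section, line,
                    "newly created folder/file named like cracked software; common infection vector"))
            elif size != "<DIR>" and low.endswith((".exe", ".sys", ".dll")) and "\\system32\\" in low:
                findings.append(Finding(section, line,
                    "new executable written under system32 in the last 30 days; verify publisher and hash"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Running it on the constructed sample prints six review items (the `<NO NAME>` autorun, the orphaned toolbar CLSID, the Trusted Zone domain, the two new system32 executables and the "Crack Installer" folder) and stays quiet about the named, well-known autoruns such as ctfmon.exe and the avast! tray process. The point is to reduce the log to the handful of lines worth researching, not to decide anything by itself.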

#2 Hodie72762

Hodie72762
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 28 April 2009 - 05:13 PM

Can anyone PLEASE help me? Since my initial post I have had several viruses found. Vudovirus? and Trojan? something or other. I have seen other forum posts with similar problems but I am afraid to follow their instructions. I have had 20+ "views" of my forum post but no one has "replied"... Is there anything I can do?

The log files above are probably outdated now, since more viruses have been found and deleted.

I have new files on the ready to post.

Edited by Hodie72762, 28 April 2009 - 05:15 PM.


#3 Hodie72762

Hodie72762
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 01 May 2009 - 05:18 PM

Problem solved by a pay site...

How do I close this post?

Thanks

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:04:41 AM

Posted 04 May 2009 - 12:42 AM

Thanks for informing us.
Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
