Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Browser Hijack Bug


  • Please log in to reply
1 reply to this topic

#1 dond1

dond1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 15 May 2009 - 03:57 PM

1. In responding to searches in google, Browser is re-directed to various other sites. Web pages clicked in goolgle may not load.
2. Spybot does not execute.
3. System restore does not work.
4. Followed instructions in myantispyware.com to remove dns changer, but do not see the following trojans in driverlist under non- plug and play like instructions would indicate I would see: TDSS, seneka, gaopdxserv, or msqpdxserv.
5. Downloaded malawarebytes anti-malware to desktop, but it will not execute.
6. Ran free version of Preevx 3.0 and 7 infections identified. Typical file name is uacngrqlyttmlgnkivl.dll in C:windows\system32\


DDS (Ver_09-05-14.01) - NTFSx86
Run by Don's at 16:36:31.10 on Fri 05/15/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = hxxp://www.qfind.net/
mStart Page = msnbc.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McBrwHelper Class: {227b8aa8-daf2-4892-bd1d-73f568bcb24e} - c:\progra~1\mcafee.com\mps\mcbrhlpr.dll
BHO: McAfee Privacy Service Popup Blocker: {3ec8255f-e043-4cae-8b3b-b191550c2a22} - c:\progra~1\mcafee.com\mps\POPUPK~1.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunServices: [Windows iMessenger Messenger] winimsg.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [DPSNDR] c:\windows\system32\DPSNDR.exe
mRun: [zgrrzksxujp] c:\windows\system32\kvllls.exe
mRun: [comdvd] c:\windows\msagent\chars\comdvd.exe
mRun: [*comdvd] c:\windows\msagent\chars\comdvd.exe
mRun: [*cinet] c:\windows\msagent\chars\cinet.exe
mRun: [*rasdos] c:\windows\rasdos.exe
mRun: [*mcreg] c:\windows\registration\mcreg.exe
mRun: [*libimg] c:\windows\repair\libimg.exe
mRun: [*basdvd] c:\windows\config\basdvd.exe
mRun: [*msvc] c:\windows\registration\msvc.exe
mRun: [Windows iMessenger Messenger] winimsg.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] "c:\progra~1\mcafee.com\vso\mcvsshld.exe"
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MPSExe] c:\progra~1\mcafee.com\mps\mscifapp.exe /embedding
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [Antivirus] c:\windows\av.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunServices: [Windows iMessenger Messenger] winimsg.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: c:\windows\system32\mclsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {00000162-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://www.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-15 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-05-15 15:32 <DIR> --d----- c:\program files\dfd_hijack
2009-05-15 14:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 14:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 14:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 14:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-15 14:03 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-05-15 14:03 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-05-15 14:03 <DIR> --d----- c:\program files\Prevx
2009-05-15 14:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-05-13 18:35 6,144 a------- c:\windows\system32\iehelper.dll
2009-05-13 18:25 291,856 a------- c:\windows\sysguard.exe
2009-04-15 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NeptunesAdve
2009-04-15 22:12 <DIR> --d----- c:\program files\Neptunes Secret
2009-04-15 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BigFishGamesCache

==================== Find3M ====================

2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 10:44 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 05:58 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2007-03-15 20:59 57,168 a------- c:\docume~1\don's\applic~1\GDIPFONTCACHEV1.DAT
2005-08-11 21:43 0 a------- c:\documents and settings\don's\Upgrade.exe
2004-11-05 17:50 3,953,408 ---sh--- c:\windows\config\dvdsab.bak2
2004-12-10 22:57 1,130,114 a--sh--- c:\windows\fonts\yekcvs.bak1
2004-12-11 10:57 1,130,114 ---sh--- c:\windows\fonts\yekcvs.bak2
2004-12-01 04:39 493,504,875 a--sh--- c:\windows\registration\cvsm.bak1
2004-12-01 04:57 493,504,875 ---sh--- c:\windows\registration\cvsm.bak2
2004-10-12 10:57 192,528 ---sh--- c:\windows\registration\gercm.bak2
2004-10-30 12:44 1,335,907 ---sh--- c:\windows\repair\gmibil.bak2

============= FINISH: 16:38:11.59 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:13 PM

Posted 21 May 2009 - 09:59 PM

Hello dond1,

If you still need help then

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

  • download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 21 May 2009 - 10:03 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users