Not Sure-IE and Firefox acting up


  • This topic is locked
2 replies to this topic

#1 Dawter

Dawter

  • Members
  • 44 posts
  • Gender:Female
  • Location:USA
  • Local time:07:42 AM

Posted 06 June 2009 - 07:46 PM

I double click on Firefox but the browser doesn't open, although it's listed as a running process in Task Manager. Instead of Firefox opening, IE 7 opens with various websites (none are my home page) and I have seen porn pop up.
I ran a HijackThis scan and clicked on the button to "Upload to Trend Secure" and Firefox opens up to the correct page (that's how I got here.)
Spybot caught a few things, Trojan Hunter caught a few and Malwarebytes caught a few. But something is still wrong.
I now noticed in the Task Manager a "rundll32.exe" running.
When Firefox does open and I do a search on Google, the Google pages are messed up. I see the Google icon for a moment then it switches to a scrambled icon that you can't even make out and the page is all weird.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:04 PM, on 6/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.hillmangroup.com/dana-na/auth/url_11/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208565893833
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233193973810
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://my.hillmangroup.com/,DanaInfo=domino1.hillmangroup.com+dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://my.hillmangroup.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: 944b7b47609 - C:\WINDOWS\System32\dmconfig32.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Unknown owner - C:\Program Files\Dell\DellDock\DockLogin.exe (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

Edited by Dawter, 06 June 2009 - 08:08 PM.




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:42 PM

Posted 17 June 2009 - 12:35 AM

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. If you no longer require any help, could you let me know please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log, since a lot could have changed since your original post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:42 PM

Posted 21 June 2009 - 08:36 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
