Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Links in browser hijacked to other sites _help me remove offending sw

  • This topic is locked This topic is locked
2 replies to this topic

#1 jimn2lalip


  • Members
  • 1 posts
  • Local time:02:57 AM

Posted 26 June 2009 - 08:59 AM

I seem to have picked up some malware that I have been unable to remove. It started with a display box saying that I needed to download a fix to a security problem on my PC which kept popping up after my nephew used my PC. I do not know whether he clicked on that message. But I did not, I tried using Malwarebytes Anti-Malware and SuperAntiSpyware which eliminated the security message, but not the hijacked links in my browser. The behavior shown is when I search on Google or similar and am presented with various search results, if I click on any of the links, my browser shows "Jumping" and I am re-directed to various sites not related to the link which was shown in my search results window. If I type the URL into my browser, I can get to the link just fine.

I came to this forum, and followed instructions to download and run DDS script. My text log follows.

Thanks in advance for your help.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jim Mattson at 6:18:34.25 on Fri 06/26/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.667 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\1102875947\ee\AOLSoftware.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jim Mattson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common files\aol\1102875947\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\svchost.exe -k driver
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\AOL\1102875947\EE\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jim Mattson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jim Mattson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jim Mattson\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride =;direcwaysupport.com
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} -
EB: {182ec0be-5110-49c8-a062-beb1d02a220b} - Adobe PDF
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Google Update] "c:\documents and settings\jim mattson\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [HostManager] c:\program files\common files\aol\1102875947\ee\AOLSoftware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
dRunOnce: [SetDefaultMidi] MIDIDEF.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
Trusted Zone: ameritrade.com
Trusted Zone: authorize.net\account
Trusted Zone: authorize.net\secure
Trusted Zone: microsoft.com\*.update
Trusted Zone: schwab.com\investing
Trusted Zone: schwab.com\paybills
Trusted Zone: tdameritrade.com
Trusted Zone: usfood.com\www
Trusted Zone: vanguard.com\flagship2
Trusted Zone: wa.gov\dor
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - file:///D:/win/setup/iaieplay.dll
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimmat~1\applic~1\mozilla\firefox\profiles\un47yt5v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 87
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\jim mattson\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 driverdrv;driverdrv;c:\program files\driver\driver.sys [2009-6-17 9472]
R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2006-5-3 30656]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2006-5-3 51456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 driver;driver;c:\windows\system32\svchost.exe -k driver [2003-3-31 14336]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R3 MauiIIIG;Emuzed Maui III-G Device;c:\windows\system32\drivers\MauiIIIG.sys [2004-2-26 175232]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S0 ccEvtMgr;Symantec Event Manager;\SystemRoot\"c:\program files\common files\symantec shared\ccevtmgr.exe" --> \systemroot\c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S0 navapsvc;Norton AntiVirus Auto Protect Service;\SystemRoot\"c:\program files\norton antivirus\navapsvc.exe" --> \systemroot\c:\program files\norton antivirus\navapsvc.exe [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 99352]
S3 iscFlash;iscFlash;\??\c:\windows\system32\drivers\iscflash.sys --> c:\windows\system32\drivers\iscflash.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050202.034\NAVENG.Sys [2005-2-2 73728]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050202.034\NavEx15.Sys [2005-2-2 631040]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S4 Power Compress;Power Compress;c:\windows\system32\pcmserv.exe [2005-7-5 65536]

=============== Created Last 30 ================

2009-06-22 07:03 473,088 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-06-22 07:03 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-22 07:03 399,360 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-06-22 07:03 283,648 -c------ c:\windows\system32\dllcache\pdh.dll
2009-06-22 07:03 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-06-22 07:03 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-06-22 07:03 60,416 -c------ c:\windows\system32\dllcache\colbact.dll
2009-06-22 07:03 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-06-22 07:03 616,960 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-06-22 07:02 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-22 07:02 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-18 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-18 12:31 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-18 12:31 <DIR> --d----- c:\docume~1\jimmat~1\applic~1\SUPERAntiSpyware.com
2009-06-18 12:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-18 11:35 <DIR> --d----- c:\docume~1\jimmat~1\applic~1\Malwarebytes
2009-06-18 11:35 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 11:35 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-18 11:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 11:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-17 18:20 1 ----h--- c:\windows\jmmark2.dat
2009-06-17 18:20 2 ----h--- c:\windows\zaponce52621.dat
2009-06-17 18:20 <DIR> --d----- c:\program files\driver
2009-06-17 18:20 2 ----h--- c:\windows\zaponce52592.dat
2009-06-17 18:20 2 ----h--- c:\windows\zaponce52597.dat
2009-06-17 18:20 1 ----h--- c:\windows\bf23567.dat
2009-06-17 18:20 2 ----h--- c:\windows\zaponce52689.dat

==================== Find3M ====================

2009-06-18 16:55 53,622 a------- c:\docume~1\jimmat~1\applic~1\wklnhst.dat
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2006-08-08 17:34 74,976 a------- c:\docume~1\jimmat~1\applic~1\GDIPFONTCACHEV1.DAT
2004-11-03 21:34 32 a--sh--- c:\windows\{48CD14BA-2A41-4490-94CD-C182AAF66C45}.dat
2004-11-03 21:34 32 a--sh--- c:\windows\system32\{D3C43067-E736-4C04-9837-EB7E136F6FA6}.dat

============= FINISH: 6:18:44.81 ===============

Attached Files

BC AdBot (Login to Remove)


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:57 AM

Posted 30 June 2009 - 09:57 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log since alot could have changed since your origional post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:57 AM

Posted 05 July 2009 - 06:15 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users