Hijacker?



#1 JPCharme (Members, 2 posts)

Posted 09 July 2009 - 09:43 PM

I cannot access webpages via my browsers (Firefox or IE 7). I am connected to the internet and can run AOL 9.1 software and browse the internet. I can also browse from any browser while in safe mode. I suspect a hijacker. I have disabled all services and startups and cannot figure this problem out.

Here is my log file from DDS.


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Shannon Padilla at 22:41:40.84 on Thu 07/09/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3068.2135 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Users\Shannon Padilla\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070522
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070522
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070522
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070522
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\shanno~1\appdata\roaming\mozilla\firefox\profiles\8scvh2e2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-9 348752]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-5-29 179712]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-9 28544]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-9 130936]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-17 1153368]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-7-4 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2006-3-7 111872]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2009-5-9 182528]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-9 79360]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-5-22 29744]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2007-5-22 131368]

=============== Created Last 30 ================

2009-07-09 22:31 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-09 22:31 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-09 22:31 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-09 22:31 <DIR> a-d----- c:\programdata\TEMP
2009-07-09 22:31 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-09 22:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-09 22:31 <DIR> --d----- c:\users\shanno~1\appdata\roaming\PC Tools
2009-07-09 22:31 <DIR> --d----- c:\programdata\PC Tools
2009-07-09 22:31 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-09 22:31 <DIR> --d----- c:\progra~2\PC Tools
2009-07-09 21:18 <DIR> --d----- c:\program files\Safer Networking
2009-07-09 21:14 <DIR> --d----- c:\program files\Trend Micro
2009-07-09 01:38 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-07-09 01:36 <DIR> --d----- c:\program files\Panda Security
2009-07-09 01:35 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-09 01:34 <DIR> --d----- c:\users\shannon padilla\.housecall6.6
2009-07-08 16:02 61,224 a------- c:\users\shannon padilla\GoToAssistDownloadHelper.exe
2009-07-08 15:02 <DIR> --d----- c:\programdata\Citrix
2009-07-08 15:02 <DIR> --d----- c:\progra~2\Citrix
2009-07-08 14:57 <DIR> --d----- c:\program files\Citrix
2009-07-04 22:58 <DIR> --d----- c:\users\shannon padilla\Tracing
2009-07-04 22:49 55,280 a------- c:\windows\system32\drivers\fssfltr.sys
2009-07-04 22:48 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-07-04 22:47 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-04 22:22 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-04 22:08 <DIR> --d----- c:\program files\Microsoft
2009-06-19 11:29 <DIR> --d----- c:\program files\iPod
2009-06-13 17:41 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 17:41 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 17:41 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 17:41 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 17:41 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-11 14:16 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-07-04 23:01 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-04 23:01 51,200 a------- c:\windows\inf\infpub.dat
2009-07-04 23:01 86,016 a------- c:\windows\inf\infstor.dat
2009-07-04 21:32 65,973 a------- c:\programdata\nvModes.dat
2009-07-04 21:32 65,973 a------- c:\progra~2\nvModes.dat
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-31 11:24 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-09 16:11 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-05-09 16:11 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-05-01 00:08 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-05-01 00:08 1,292,832 a------- c:\windows\system32\nvsvs.dll
2009-05-01 00:07 211,488 a------- c:\windows\system32\nvvsvc.exe
2009-05-01 00:07 143,360 a------- c:\windows\system32\nvshext.dll
2009-04-30 22:02 1,704,960 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod146.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2008-10-09 20:21 24 a------- c:\users\shannon padilla\jagex_runescape_preferences.dat
2008-06-11 17:32 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-29 21:16 174 a--sh--- c:\program files\desktop.ini
2007-11-25 21:03 32 a------- c:\programdata\ezsid.dat
2007-11-25 21:03 32 a------- c:\progra~2\ezsid.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-06-03 22:34 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-06-03 22:34 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-06-03 22:34 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-05-22 15:07 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:42:00.49 ===============
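For anyone triaging a similar "browsers only work in safe mode" report, the Pseudo HJT section of the log above is where the useful load points are. The Python below is an added example, not code posted in this thread or shipped with DDS. It rejoins entries that the forum paste wrapped across lines (a long path split at a space or just before a backslash) and then flags the items a triager checks first: BHO/toolbar CLSIDs registered with "No File" behind them, the Winsock LSP line, AppInit_DLLs, the Winlogon Notify package, and EnableLUA = 0. The sample input is a handful of lines copied from this log and marked as constructed; the ENTRY_START pattern is a heuristic written for this section's keys, not a documented DDS grammar. The LSP line here points at wpclsp.dll, Microsoft's own Vista Parental Controls provider; the script only reports it, it does not decide what broke browsing, which the poster resolves below.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; not part of DDS or the original post.
"""
import re

# A DDS entry starts with a key such as "BHO:", "mPolicies-system:",
# "AppInit_DLLs:" or "uStart Page =". Anything else is a wrapped remainder
# of the previous entry. Heuristic for this section only; the FF and
# SERVICES sections use different prefixes.
ENTRY_START = re.compile(
    r"^(?:[A-Za-z][A-Za-z_]*[-,]?[A-Za-z_]*:\s"   # BHO: / mPolicies-system: / AppInit_DLLs:
    r"|[umd][A-Z][A-Za-z ,_]+\s=\s)"              # uStart Page = / uInternet Settings,ProxyOverride =
)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: entries copied from the log in this thread, with one
# of them split across lines the way the forum paste split it.
SAMPLE = r"""
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
mPolicies-system: EnableLUA = 0 (0x0)
LSP: c:\windows\system32\wpclsp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
"""


def rejoin_entries(section_text):
    """Rebuild one entry per line from a paste that wrapped long lines.

    The paste broke lines either at a space ("common" / "files") or just
    before a backslash ("jre1.6.0" / "\\bin"), so a continuation that begins
    with a backslash is glued on without a space; anything else gets one.
    """
    entries = []
    for line in section_text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            sep = "" if line.startswith("\\") else " "
            entries[-1] = entries[-1] + sep + line.strip()
    return entries


def triage(entries):
    """Return the load points a triager would look at first, in log order."""
    findings = []
    for entry in entries:
        kind, sep, rest = entry.partition(":")
        if not sep:
            continue
        rest = rest.strip()
        clsid = CLSID.search(entry)
        if kind in ("BHO", "TB") and rest.endswith("- No File"):
            # CLSID still registered but its DLL is gone: typical leftover of
            # a partial uninstall or of a cleaner that deleted only the file.
            findings.append({"check": "orphaned_clsid", "kind": kind,
                             "clsid": clsid.group(0) if clsid else None,
                             "entry": entry})
        elif kind == "LSP":
            # Layered Service Provider: loaded into every process that uses
            # Winsock, so one bad entry affects every browser at once.
            findings.append({"check": "winsock_lsp", "path": rest, "entry": entry})
        elif kind == "AppInit_DLLs":
            # Injected into every process that loads user32.dll.
            findings.append({"check": "appinit_dll", "path": rest, "entry": entry})
        elif kind == "Notify":
            # Winlogon notification package: runs at logon under winlogon.exe.
            findings.append({"check": "winlogon_notify",
                             "path": rest.split(" - ", 1)[-1], "entry": entry})
        elif kind.startswith("mPolicies") and rest.startswith("EnableLUA = 0"):
            # UAC switched off machine-wide.
            findings.append({"check": "uac_disabled", "entry": entry})
    return findings


if __name__ == "__main__":
    for f in triage(rejoin_entries(SAMPLE)):
        print(f"{f['check']:16} {f['entry']}")
```

Run it against the whole Pseudo HJT section of a log and every "No File" entry, LSP, AppInit_DLLs and Notify line comes out in a few lines of output; the rejoin step matters because a wrapped path would otherwise be reported as a malformed entry of its own.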


#2 JPCharme (Topic Starter, Members, 2 posts)

Posted 12 July 2009 - 10:24 AM

Ok...after 4 companies, 7 technicians and many hours of surfing techie websites, I determined my problem. Every tech was convinced that this problem was related to an antivirus software. They were wrong, but were on the right track. I had recently uninstalled AOL parental controls from my computer and it did not completely uninstall, presumably because I uninstalled via Vista's add/remove software feature.

I discovered this because I was on a different account logon and noticed the Parental Control icon on the task bar. I wondered why it was there, because I had removed the program from my admin account, which no longer showed the icon.

The fix: I logged back in to my admin account, navigated my list of programs via Start and found the AOL Parental Control folder still listed. I opened it and was presented with Repair or Uninstall. I chose Repair and it reloaded the program to my computer and requested I log in. I logged in and was able to surf the web again. I then went back to the folder and chose Uninstall and let it uninstall. Voila...it has been completely removed and I can still surf the web via all my browsers and from each user account.

Moral: Never underestimate the power of AOL to hijack a computer. I should have known, remember when AOL forced itself to be the default browser. I should have checked there first.

Hope this helps others.

#3 Orange Blossom (OBleepin Investigator, Moderator, 36,903 posts, Bloomington, IN)

Posted 12 July 2009 - 11:34 AM

Hello

Thank you for posting back. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom