
clickover.cn browser hijack


  • This topic is locked
2 replies to this topic

#1 CooperA3

  • Members
  • 2 posts
  • OFFLINE

Posted 09 August 2009 - 08:01 PM

Hello,

My computer was infected with the Personal Antivirus. I downloaded Malwarebytes Anti-Malware and was able to successfully rid my computer of PAV. However, it appears that my computer still has some sort of browser hijack occurring, as my browsers (both IE and Firefox) get a clickover.cn redirect whenever I try to click on anything that's related to antivirus (I actually had to post to this forum from another computer, as my infected computer won't let me access bleepingcomputer.com). I have pasted and attached the DDS and GMER data per the instructions. I'm unsure if this browser hijack is even related to the PAV or is something additional. Please help!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Cooper Anderson at 19:40:28.87 on Sun 08/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1299 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
c:\tt\guardian\guardianctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NDAS\System\ndassvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\tt\guardian\guardian.exe
c:\tt\guardian\GuardianMFC.exe
C:\tt\ttm\ttmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Cooper Anderson\Application Data\U3\4857410C54C14F50\LaunchPad.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070425
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NSWosCheck] c:\program files\norton systemworks\osCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - c:\tt\guardian\GuardianStart.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {197ACF11-A86B-11D1-92E0-0004ACB64296} - hxxps://inform.bnymellon.com/Apollo/cabs/sgAsyncRead.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A2DCD5D-C16E-417F-A883-E7AA0A97B9DD} - hxxps://inform.bnymellon.com/Apollo/cabs/ioReportViewer.CAB
DPF: {7B604FD8-E2C8-11D4-A338-00609773BFCD} - hxxps://inform.bnymellon.com/Apollo/cabs/sgDtPicker.cab
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - hxxp://www.parallelgraphics.com/bin/cortvrml.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ml.webex.com/client/T25L10NSP41EP2/webex/ieatgpc.cab
TCP: {5FCBC6FE-1394-408F-8F3E-38FFA5657731} = 64.238.96.12,66.180.96.12
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cooper~1\applic~1\mozilla\firefox\profiles\lp7uvs4h.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\cooper anderson\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2007-10-3 254440]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2007-6-29 62056]
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [2007-10-3 372584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-10-28 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-10-28 108648]
R2 guardianctrl;TT Guardian Control;c:\tt\guardian\GuardianCtrl.exe [2007-10-26 54784]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~1\norton~1\NPROTECT.EXE [2005-11-3 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-18 109616]
R3 guardian;TT Guardian;c:\tt\guardian\guardian.exe [2007-10-26 2288128]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080429.003\NAVENG.SYS [2008-4-29 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080429.003\NAVEX15.SYS [2008-4-29 895408]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2007-6-29 75880]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-30 1251720]
R3 ttmd;TT Messaging;c:\tt\ttm\ttmd.exe [2008-12-8 1081344]
S0 dpm30dc;dpm30dc;\SystemRoot\\SystemRoot\System32\drivers\dpm30dc.sys --> \SystemRoot\\SystemRoot\System32\drivers\dpm30dc.sys [?]
S1 2ed282ee.sys;2ed282ee.sys;\??\c:\windows\system32\drivers\2ed282ee.sys --> c:\windows\system32\drivers\2ed282ee.sys [?]
S2 gupdate1c993ac9db1a8b6;Google Update Service (gupdate1c993ac9db1a8b6);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-4-26 29744]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [2007-6-27 15104]
S3 sassvc;ProgramCheckerPro;c:\program files\zenturi\programchecker\sassvc.exe [2005-8-25 122880]
S3 TT FIXLinkService;TT FIXLinkService;c:\tt\prof serv\toes\FIXLinkService.exe [2008-4-14 16384]

=============== Created Last 30 ================

2009-08-09 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-09 17:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-09 17:14 <DIR> --d----- c:\docume~1\cooper~1\applic~1\SUPERAntiSpyware.com
2009-08-09 16:30 <DIR> --d----- c:\program files\CCleaner
2009-08-09 16:30 <DIR> --d----- c:\program files\Trend Micro
2009-08-09 16:29 26,000 a------- c:\windows\system32\E3TL.DLL
2009-08-09 16:29 <DIR> --d----- c:\program files\Zenturi
2009-08-09 16:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zenturi
2009-08-09 14:38 <DIR> --d----- c:\docume~1\cooper~1\applic~1\Malwarebytes
2009-08-09 14:38 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 14:38 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 14:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 14:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-09 13:27 45,344 a------- c:\windows\system32\drivers\dpm30dc.sys
2009-08-02 22:07 <DIR> --d----- c:\program files\DivX
2009-08-02 22:07 <DIR> --d----- c:\program files\common files\DivX Shared
2009-07-31 12:15 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-31 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-31 11:44 <DIR> --d----- c:\program files\rjrrag

==================== Find3M ====================

2009-05-13 17:54 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-13 17:54 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-13 17:54 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-13 17:54 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-13 17:54 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-13 17:54 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-13 17:54 685,056 a------- c:\windows\system32\DivX.dll
2009-01-08 17:42 726,008 a------- c:\documents and settings\cooper anderson\gotomypc_438.exe
2008-03-07 16:06 56,912 a------- c:\documents and settings\cooper anderson\g2mdlhlpx.exe
2009-04-17 14:29 168 ---shr-- c:\windows\system32\E2E121791B.sys
2009-04-17 14:29 5,486 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:42:05.57 ===============

#2 CooperA3

  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 11 August 2009 - 07:50 AM

Attention Moderator: Please close my thread here - I am being helped at techsupportforum.com - Thanks!!!

#3 Guest_The weatherman_*


  • Guests
  • OFFLINE

Posted 11 August 2009 - 05:33 PM

Thank you for letting us know CooperA3.
