Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google/Yahoo redirect/hijacker


  • This topic is locked This topic is locked
4 replies to this topic

#1 sicboy13

sicboy13

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 04 October 2009 - 03:30 AM

I just came down with this hijacker. I ran Malwarebytes Anti Malware, which caught 6 items, I thought the redirects were gone, but they are back. I tried to restore my laptop but it won't restore? Keeps failing. I ran all of the required scans and created the logs which I've pasted/attached as follows. PLease assist, this is driving me batty! I am ready to throw this thing in the toilet!


DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 2:10:07.59 on Sun 10/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.285 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\72RWPFLU\dds[1].scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188319539952
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: text/html - {631469b9-7d08-46b3-9f81-2a536bdbb373} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4uf59jpg.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-7-16 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-7-16 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-7-16 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-7-16 168776]

=============== Created Last 30 ================

2009-10-04 01:15 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-10-04 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-10-04 00:10 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-04 00:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-04 00:10 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-04 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 23:39 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-28 21:52 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-24 18:01 <DIR> --d----- c:\program files\Shared
2009-09-20 19:52 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-09-20 19:52 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-09-20 19:52 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-09-18 23:55 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-18 23:55 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-09-11 21:21 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-07 21:38 <DIR> --d----- C:\QUARANTINE
2009-09-04 13:17 447,216 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 13:16 58,592 a------- c:\windows\system32\ZuneBusEnum.exe

==================== Find3M ====================

2009-10-04 01:16 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-10-04 01:16 56,680 a------- c:\windows\system32\rpcnet.dll
2009-09-02 00:29 74,240 a------- c:\windows\system32\ZuneUsbTransport.dll
2009-09-02 00:29 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2009-09-02 00:29 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 00:29 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2009-09-02 00:29 310,784 a------- c:\windows\system32\ZuneNetProxy.dll
2009-09-02 00:29 147,456 a------- c:\windows\system32\ZuneMTPZ.dll
2009-09-02 00:28 40,832 a------- c:\windows\system32\drivers\zumbus.sys
2009-08-29 18:17 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-08-29 18:17 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-08-29 18:16 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-29 18:05 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-08-29 18:04 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-08-17 12:37 1,837,296 a------- c:\windows\system32\WUDFUpdate_01009.dll
2009-08-17 12:37 1,461,992 a------- c:\windows\system32\WdfCoInstaller01009.dll
2009-08-06 15:49 299,008 a------- c:\windows\system32\TubeFinder.exe
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 18:16 567,808 -------- c:\windows\system32\WUDFx.dll
2009-07-13 18:16 64,512 -------- c:\windows\system32\WudfSvc.dll
2009-07-13 18:16 39,936 -------- c:\windows\system32\WUDFCoinstaller.dll
2009-07-13 18:14 195,584 -------- c:\windows\system32\WudfHost.exe
2009-07-13 16:50 148,480 -------- c:\windows\system32\WudfPlatform.dll
2008-04-14 16:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2007-09-24 15:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007091720070924\index.dat
2007-09-21 17:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007092120070922\index.dat
2007-09-24 15:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007092420070925\index.dat
2007-09-27 19:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007092720070928\index.dat
2008-04-14 16:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008041420080415\index.dat
2008-07-16 12:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat

============= FINISH: 2:13:20.70 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:11 PM

Posted 21 October 2009 - 01:31 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS Log

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:11 PM

Posted 24 October 2009 - 12:12 PM

sicboy13? Do you still need help?

MalWare Removal University Master

Member of ASAP
unite_Invision.png


#4 sicboy13

sicboy13
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 24 October 2009 - 12:31 PM

Oh, I am so sorry, I didnt see you replied,

I ended up doing a reformat, but thank you so much for your time :(

#5 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:11 PM

Posted 25 October 2009 - 12:35 AM

Ok, thanks for letting me know that you reformatted your computer.

Since the problem(s) with your computer has been resolved, I'll go ahead and close the thread. :(


Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.

MalWare Removal University Master

Member of ASAP
unite_Invision.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users