Another poor sap with Browser Hijack


This topic is locked
2 replies to this topic

#1 User One
Posted 09 February 2010 - 10:13 PM

Browser hijack problems in Windows XP.
Redirects to cheesy sales sites.
I can get a Google search but links redirect.
Experienced geek needs help.


DDS.txt
******************************************************************************************

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ed at 17:45:33.76 on Tue 02/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1690 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.refdesk.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [MBM 5] "c:\program files\motherboard monitor 5\MBM5.EXE"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\mbm5~1.lnk - c:\program files\motherboard monitor 5\MBM5.exe
uPolicies-explorer: NoSMHelp = 01000000
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263657643062
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263657638062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\qlimekae.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 devdpl;devdpl;c:\windows\system32\drivers\devdpl.sys [2009-6-30 7168]
R3 CoreTemp;Core Temp Monitor Driver;c:\windows\system32\drivers\coretemp.sys [2007-3-25 5120]
S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [2002-9-3 19296]
S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2004-11-18 18848]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-3-22 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [2009-3-22 3768]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 194304]
S4 Aetm10uipmq;Aetm10uipmq; [x]
S4 litdpl;litdpl;c:\windows\system32\drivers\litdpl.sys [2009-6-30 4736]

=============== Created Last 30 ================

2010-02-10 01:45:13 0 ----a-w- c:\documents and settings\ed\defogger_reenable
2010-02-10 01:10:18 0 d-sha-r- C:\cmdcons
2010-02-10 01:09:45 98816 ----a-w- c:\windows\sed.exe
2010-02-10 01:09:45 77312 ----a-w- c:\windows\MBR.exe
2010-02-10 01:09:45 261632 ----a-w- c:\windows\PEV.exe
2010-02-10 01:09:45 161792 ----a-w- c:\windows\SWREG.exe
2010-02-09 12:00:41 0 d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-02-09 11:00:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 11:00:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 04:56:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-09 03:10:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-09 03:10:35 0 d-----w- c:\docume~1\ed\applic~1\SUPERAntiSpyware.com
2010-02-09 03:01:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 21:05:46 0 d-----w- c:\program files\QuickPar
2010-01-27 13:16:35 0 d-----w- c:\windows\pss
2010-01-16 16:03:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-16 16:02:36 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-01-16 16:01:04 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 17:45:57.35 ===============




Thanks in advance, Ed.
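The log above is a DDS report, and the section a helper reads first when a redirect is suspected is SERVICES / DRIVERS. Each line there is `<state><start> <name>;<display name>;<path> [<date> <size>]`, and DDS prints `[x]` in place of the date and size when it cannot find the file behind the service. The script below is an added example, not part of Ed's post or of the DDS tool: it parses that section, assuming the line layout just described, and flags entries with no file on disk. The sample input is a constructed copy of the services block from the log; the script only reports which entry lacks a file, it does not claim which one was the rootkit.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and flag entries with no file on disk.

Added example for the post above; it is not code from DDS or from the poster.
The line format assumed here is the one visible in the log:
    <R|S><digit> <name>;<display name>;<path> [<date> <size>]   or   ... ; [x]
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the SERVICES / DRIVERS block as it appears in the post.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R2 devdpl;devdpl;c:\windows\system32\drivers\devdpl.sys [2009-6-30 7168]
R3 CoreTemp;Core Temp Monitor Driver;c:\windows\system32\drivers\coretemp.sys [2007-3-25 5120]
S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [2002-9-3 19296]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 194304]
S4 Aetm10uipmq;Aetm10uipmq; [x]
S4 litdpl;litdpl;c:\windows\system32\drivers\litdpl.sys [2009-6-30 4736]

=============== Created Last 30 ================
"""

# state letter, start-type digit, service name, display name, everything after the 2nd ';'
LINE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*)$')
# tail = optional path followed by an optional "[...]" block
TAIL_RE = re.compile(r'^\s*(.*?)\s*(?:\[([^\]]*)\])?\s*$')


@dataclass
class ServiceEntry:
    state: str      # 'R' or 'S' as DDS prints it
    start: int      # start-type digit as DDS prints it
    name: str
    display: str
    path: str       # empty when DDS printed no path
    info: str       # text inside the brackets: "<date> <size>" or "x"

    @property
    def file_found(self) -> bool:
        # DDS uses "[x]" (assumption from the visible log) when no file backs the entry
        return bool(self.path) and self.info != 'x'


def parse_services(text: str) -> List[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section, in log order."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in text.splitlines():
        if 'SERVICES / DRIVERS' in line:
            in_section = True
            continue
        if in_section and line.startswith('====='):
            break                       # next section header ends the block
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                    # blank or unexpected line
        state, start, name, display, tail = m.groups()
        t = TAIL_RE.match(tail)
        path = t.group(1)
        info = t.group(2) or ''
        entries.append(ServiceEntry(state, int(start), name.strip(),
                                    display.strip(), path, info))
    return entries


def flag_missing_files(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries that reference no file on disk: the first thing a helper asks about."""
    return [e for e in entries if not e.file_found]


if __name__ == '__main__':
    parsed = parse_services(SAMPLE)
    print(f'{len(parsed)} service/driver entries parsed')
    for e in flag_missing_files(parsed):
        print(f'no file on disk: {e.state}{e.start} {e.name} ({e.display!r})')
```

Run against the block above it reports one entry, `S4 Aetm10uipmq`, whose line carries `[x]` and no path. That is exactly the kind of line a forum helper would ask about; what it actually was is not something the log alone tells you, which is why the thread's reply only says "rootkit removed".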


#2 User One (Topic Starter)
Posted 14 February 2010 - 08:11 PM


The problem has been solved. Rootkit removed.

Thanks for helping all of us.

#3 Elise (Malware Study Hall Admin)
Posted 16 February 2010 - 08:12 AM

Since the issue seems to be resolved, this topic will now be closed.

regards, Elise
