
browser hijacked


2 replies to this topic

#1 stlbob


Posted 11 July 2011 - 11:51 PM

I have Windows XP Pro and recently was hit with a Microsoft Security Essentials virus that gave me a fake warning and hid my files. I ran RKill and Malwarebytes. Malwarebytes removed 8 files. I then ran unhide.exe. It brought back my files.

My system operates now, but I am now having my browser hijacked. I also still show Microsoft Security Essentials running in my tray.

Any help would be appreciated.

#2 stlbob


Posted 12 July 2011 - 10:16 AM

I have also run MiniToolBox, which got the following results:
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : default-493c644
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-1C-C0-69-44-A9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 24.217.0.5
24.217.201.67
68.113.206.10
Lease Obtained. . . . . . . . . . : Tuesday, July 12, 2011 10:10:01 AM
Lease Expires . . . . . . . . . . : Tuesday, July 12, 2011 11:10:01 AM

Server: vip01olvemo.stls.mo.charter.com
Address: 24.217.0.5

Name: google.com
Addresses: 74.125.225.17, 74.125.225.19, 74.125.225.20, 74.125.225.16
74.125.225.18

Pinging google.com [74.125.225.52] with 32 bytes of data:

Reply from 74.125.225.52: bytes=32 time=17ms TTL=54
Reply from 74.125.225.52: bytes=32 time=16ms TTL=54

Ping statistics for 74.125.225.52:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 17ms, Average = 16ms

Server: vip01olvemo.stls.mo.charter.com
Address: 24.217.0.5

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=41ms TTL=52
Reply from 69.147.125.65: bytes=32 time=40ms TTL=52

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 41ms, Average = 40ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c c0 69 44 a9 ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.11 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.11 192.168.0.11 20
192.168.0.0 255.255.255.0 192.168.0.11 192.168.0.11 20
192.168.0.11 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.11 192.168.0.11 20
224.0.0.0 240.0.0.0 192.168.0.11 192.168.0.11 20
255.255.255.255 255.255.255.255 192.168.0.11 192.168.0.11 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/11/2011 10:03:55 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17093, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/11/2011 06:40:21 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/08/2011 11:17:41 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17093, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/27/2011 09:41:51 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6000.17093, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x0001b21a.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/23/2011 06:22:13 PM) (Source: Application Hang) (User: )
Description: Hanging application hpqste08.exe, version 90.0.146.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/20/2011 07:15:54 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6000.17093, faulting module hpswp_selection_ie7.dll, version 2.15.7.0, fault address 0x000284d2.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/11/2011 06:44:35 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17093, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/10/2011 02:06:34 PM) (Source: Google Update) (User: SYSTEM)SYSTEM
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7.

Error: (06/08/2011 10:21:13 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6000.17093, faulting module hpswp_subclasser.dll, version 2.15.7.0, fault address 0x000091f3.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/04/2011 11:15:18 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17093, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (07/11/2011 07:39:48 PM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (06/06/2011 09:08:28 PM) (Source: 0) (User: )
Description: 0xC0000098mpengine.dllHarddiskVolume1

Error: (05/08/2011 10:56:43 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (05/08/2011 10:56:43 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (05/08/2011 10:28:52 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY61 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.103.623.0

Update Source: %NT AUTHORITY51

Update Stage: 2.1.6805.00

Source Path: 2.1.6805.01

Signature Type: %NT AUTHORITY612

Update Type: %NT AUTHORITY614

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY615

Previous Engine Version: %NT AUTHORITY616

Error code: %NT AUTHORITY617

Error description: %NT AUTHORITY618

Error: (05/08/2011 10:28:52 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY61 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.103.623.0

Update Source: %NT AUTHORITY51

Update Stage: 2.1.6805.00

Source Path: 2.1.6805.01

Signature Type: %NT AUTHORITY612

Update Type: %NT AUTHORITY614

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY615

Previous Engine Version: %NT AUTHORITY616

Error code: %NT AUTHORITY617

Error description: %NT AUTHORITY618

Error: (05/08/2011 10:28:52 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY61 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.103.623.0

Update Source: %NT AUTHORITY51

Update Stage: 2.1.6805.00

Source Path: 2.1.6805.01

Signature Type: %NT AUTHORITY612

Update Type: %NT AUTHORITY614

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY615

Previous Engine Version: %NT AUTHORITY616

Error code: %NT AUTHORITY617

Error description: %NT AUTHORITY618

Error: (05/08/2011 10:28:52 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY61 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.103.623.0

Update Source: %NT AUTHORITY51

Update Stage: 2.1.6805.00

Source Path: 2.1.6805.01

Signature Type: %NT AUTHORITY612

Update Type: %NT AUTHORITY614

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY615

Previous Engine Version: %NT AUTHORITY616

Error code: %NT AUTHORITY617

Error description: %NT AUTHORITY618

Error: (05/08/2011 10:28:52 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY61 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.103.623.0

Update Source: %NT AUTHORITY59

Update Stage: 2.1.6805.00

Source Path: 2.1.6805.01

Signature Type: %NT AUTHORITY612

Update Type: %NT AUTHORITY614

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY615

Previous Engine Version: %NT AUTHORITY616

Error code: %NT AUTHORITY617

Error description: %NT AUTHORITY618


Microsoft Office Sessions:
=========================
Error: (07/11/2011 10:03:55 PM) (Source: Application Hang)(User: )
Description: iexplore.exe7.0.6000.17093hungapp0.0.0.000000000

Error: (07/11/2011 06:40:21 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/08/2011 11:17:41 PM) (Source: Application Hang)(User: )
Description: iexplore.exe7.0.6000.17093hungapp0.0.0.000000000

Error: (06/27/2011 09:41:51 AM) (Source: Application Error)(User: )
Description: iexplore.exe7.0.6000.17093ntdll.dll5.1.2600.57550001b21a

Error: (06/23/2011 06:22:13 PM) (Source: Application Hang)(User: )
Description: hpqste08.exe90.0.146.0hungapp0.0.0.000000000

Error: (06/20/2011 07:15:54 PM) (Source: Application Error)(User: )
Description: iexplore.exe7.0.6000.17093hpswp_selection_ie7.dll2.15.7.0000284d2

Error: (06/11/2011 06:44:35 PM) (Source: Application Hang)(User: )
Description: iexplore.exe7.0.6000.17093hungapp0.0.0.000000000

Error: (06/10/2011 02:06:34 PM) (Source: Google Update)(User: SYSTEM)SYSTEM
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7.

Error: (06/08/2011 10:21:13 AM) (Source: Application Error)(User: )
Description: iexplore.exe7.0.6000.17093hpswp_subclasser.dll2.15.7.0000091f3

Error: (06/04/2011 11:15:18 AM) (Source: Application Hang)(User: )
Description: iexplore.exe7.0.6000.17093hungapp0.0.0.000000000


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 37%
Total physical RAM: 2035.77 MB
Available physical RAM: 1268.5 MB
Total Pagefile: 3928.75 MB
Available Pagefile: 3295.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1995.58 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:195.55 GB) NTFS

================= Users: ==================================================

User accounts for \\DEFAULT-493C644

-------------------------------------------------------------------------------
Administrator ASPNET Bob
Guest HelpAssistant SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================
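A defender-side triage of the two report sections a browser-hijack check starts with (IE proxy settings and the hosts file), as an added Python example that is not part of this thread or of MiniToolBox. The sample report is constructed in the report's layout, and its update.example.com hosts line is a made-up hijack-style entry so the check has something to flag.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample laid out like the MiniToolBox report in the post above;
# the update.example.com line is a made-up hijack-style entry, not from the page.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 update.example.com

=============== End of Hosts ==============================================
"""

# Stock entries in a clean Windows hosts file; any other active mapping is flagged.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def extract_section(report: str, name: str) -> List[str]:
    """Non-empty lines between the '=== <name>: ===' banner and the next 'End of' banner."""
    pattern = re.compile(
        r"^=+\s*" + re.escape(name) + r":\s*=+\s*$(.*?)^=+\s*End of ",
        re.MULTILINE | re.DOTALL,
    )
    match = pattern.search(report)
    if not match:
        return []
    return [ln.strip() for ln in match.group(1).splitlines() if ln.strip()]


def suspicious_hosts_entries(report: str) -> List[Tuple[str, str]]:
    """Active (non-comment) hosts mappings other than the stock localhost lines."""
    flagged = []
    for line in extract_section(report, "Hosts content"):
        active = line.split("#", 1)[0].split()  # drop trailing comments
        if len(active) < 2:
            continue  # nothing left after comment removal, or a malformed line
        ip, names = active[0], active[1:]
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                flagged.append((ip, name))
    return flagged


def proxy_enabled(report: str) -> Optional[bool]:
    """False when the IE proxy section says the proxy is off, True otherwise, None if absent."""
    lines = extract_section(report, "IE Proxy Settings")
    if not lines:
        return None
    return not any(ln.lower() == "proxy is not enabled." for ln in lines)
```

Run against the report in the post above, the hosts check returns nothing and the proxy check returns False, which is the clean result; the constructed sample shows what a redirected hosts entry looks like when flagged.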

#3 Broni


Posted 12 July 2011 - 09:37 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
