
Hijacked



#1 OstrichSack

Posted 27 August 2011 - 04:50 PM

First I got the "HDD Repair" virus, it hid all of my Desktop and Start Programs so I rkilled it, hunted it out as best I could, unhid everything, & used Malwarebytes. It looked as though I got rid of it after I rebooted, but when I tried to use any search engines on Firefox clicking the results would get hijacked (it does that to just about all browsers except the old Netscape). Then I started to see that two hidden iexplore.exe were running in the Task Manager from startup. I used Security Task Manager to get a look at them, the first went to sites like MTV & Mevio, the other just said SysFader. When I end their process they just show back up in 3-5 minutes. I've used all the programs I have in SafeMode (Malwarebytes, Spybot, Dr. Web, Startup Mechanic, & RegistryBooster 2); plus, SuperAntiSpyware wouldn't work. I'm stuck.

(GMER wouldn't scan anything other than Services, Registry, & Files because of "error 0xC000010E: Cannot create a stable subkey under volatile parent key.")


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Administrator at 14:52:25 on 2011-08-27
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.633 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://verizon.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
uWindow Title =
mSearch Bar = about:blank
mWindow Title =
uSearchAssistant = about:blank
uSearchURL,(Default) = about:blank
mSearchAssistant = about:blank
mCustomizeSearch = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Startup Manager Scanner] c:\program files\startup mechanic\StartupMonitor.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{082CE2E4-FEE4-4042-9BAB-2B4F02DA554F} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {097F10A7-487F-4457-AB1F-827C59479A72} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.jay\application data\mozilla\firefox\profiles\2i9c4bap.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62133&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator.jay\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-2-1 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-2-1 185640]
S0 pnfqph;pnfqph;c:\windows\system32\drivers\wlpbofhv.sys --> c:\windows\system32\drivers\wlpbofhv.sys [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [2006-7-23 9216]
S3 utdrv;utdrv;\??\c:\windows\system32\drivers\utdrv.sys --> c:\windows\system32\drivers\utdrv.sys [?]
.
=============== Created Last 30 ================
.
2011-08-26 22:42:52 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2011-08-26 22:39:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-08-26 22:39:54 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-08-26 22:39:51 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-08-26 22:39:51 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-08-26 20:13:21 -------- d-----w- c:\documents and settings\administrator.jay\local settings\application data\Netscape
2011-08-26 20:12:49 -------- d-----w- c:\program files\Netscape
2011-08-26 20:00:27 -------- d-----w- c:\windows\ie8updates
2011-08-26 19:55:50 -------- dc-h--w- c:\windows\ie8
2011-08-26 19:41:15 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-08-26 19:41:15 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-08-26 19:41:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-08-26 19:41:13 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-08-26 19:41:13 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-08-26 19:41:12 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-08-26 19:41:08 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-08-26 18:53:53 520496 ----a-w- c:\windows\Listdlls.exe
2011-08-26 14:54:37 -------- d-----w- c:\documents and settings\administrator.jay\DoctorWeb
2011-08-26 04:14:01 -------- d-----w- c:\documents and settings\administrator.jay\local settings\application data\Google
2011-08-24 20:27:34 -------- d-----w- c:\program files\Nautilus 3D Screensaver
2011-08-22 18:04:52 -------- d-----w- c:\documents and settings\administrator.jay\application data\Character Creator
2011-08-12 01:46:47 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-08-12 01:46:24 -------- d-----w- c:\program files\common files\xing shared
2011-08-12 01:46:10 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-08-12 01:46:05 105472 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-08-10 05:12:58 -------- d-----w- c:\program files\The Lost Watch 3D Screensaver
2011-08-10 05:11:31 -------- d-----w- c:\program files\Watermill 3D Screensaver
2011-08-01 00:57:11 -------- d-----w- c:\documents and settings\administrator.jay\local settings\application data\Unity
.
==================== Find3M ====================
.
2011-08-18 10:16:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-12 01:45:58 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-07-17 21:37:46 345518 ----a-w- c:\windows\uninstall 3dfictio.exe
2011-07-17 21:37:44 37472073 ----a-w- c:\windows\3dfictio.scr
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-04 07:39:44 54016 ----a-w- c:\windows\system32\drivers\fqmaiu.sys
2011-06-04 07:38:21 54016 ----a-w- c:\windows\system32\drivers\idxyhm.sys
2009-01-25 21:18:29 8834753 ----a-w- c:\program files\common files\UltimateSuiteFull7.8.7.6.cnxb2.exe
2009-01-25 21:17:50 8834753 ----a-w- c:\program files\common files\UltimateSuiteFull7.8.7.6.cnxb.exe
2009-01-25 21:17:12 0 ----a-w- c:\program files\common files\chd.exe
2009-01-25 21:07:03 8834753 ----a-w- c:\program files\common files\UltimateSuiteFull7.8.7.6.cnxb1.exe
.
============= FINISH: 14:59:06.78 ===============




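Added example, not part of the thread: a small Python triage script that parses the SERVICES / DRIVERS section of a DDS log like the one above and lists the entries a helper would look at first. The sample lines are copied from this thread's log; the "random-looking name" heuristic and its thresholds are my own assumptions, not a DDS feature.

```python
import re

# Constructed sample of a DDS "SERVICES / DRIVERS" section; the entries are
# copied from the thread's log so the parser works on the real line shape.
DDS_SERVICES = """\
R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2008-5-28 8944]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\\program files\\common files\\magix services\\database\\bin\\FABS.exe [2009-8-27 1253376]
S0 pnfqph;pnfqph;c:\\windows\\system32\\drivers\\wlpbofhv.sys --> c:\\windows\\system32\\drivers\\wlpbofhv.sys [?]
S3 SMALUSB;Digital Camera Driver;c:\\windows\\system32\\drivers\\smalidt.sys [2006-7-23 9216]
S3 utdrv;utdrv;\\??\\c:\\windows\\system32\\drivers\\utdrv.sys --> c:\\windows\\system32\\drivers\\utdrv.sys [?]
"""

# DDS line shape: "<start type> <name>;<display name>;<image path> [<date size> or ?]"
ENTRY_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names: few vowels or a long consonant run."""
    s = name.lower()
    vowels = sum(c in "aeiou" for c in s)
    run = max((len(m) for m in re.findall(r"[bcdfghjklmnpqrstvwxz]+", s)), default=0)
    return len(s) >= 5 and (vowels / len(s) < 0.2 or run >= 4)

def triage_services(text: str) -> list[dict]:
    """One dict per parsed entry, with the reasons (if any) it deserves a look."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons, path = [], m["path"]
        if m["meta"].strip() == "?" and "-->" in path:
            reasons.append("image file not found on disk (DDS printed '-->' and [?])")
        if m["start"] == "S0":
            reasons.append("boot-start driver, loads before security tools")
        if m["name"] == m["desc"] and looks_random(m["name"]):
            reasons.append("random-looking name with no descriptive display name")
        findings.append({"name": m["name"], "start": m["start"], "path": path, "reasons": reasons})
    return findings

def suspicious(text: str) -> list[str]:
    """Names of entries with at least one reason, most reasons first."""
    hits = [f for f in triage_services(text) if f["reasons"]]
    hits.sort(key=lambda f: -len(f["reasons"]))
    return [f["name"] for f in hits]

if __name__ == "__main__":
    for f in triage_services(DDS_SERVICES):
        if f["reasons"]:
            print(f"{f['start']} {f['name']}: " + "; ".join(f["reasons"]))
```

On this thread's log the script singles out the S0 driver pnfqph (wlpbofhv.sys) and utdrv, the two entries DDS could not find on disk, while leaving the SUPERAntiSpyware, MAGIX and camera drivers alone.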

#2 OstrichSack


Posted 29 August 2011 - 02:53 PM

I think I fixed it.

#3 Budapest


Posted 29 August 2011 - 04:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw