Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

browser hijacked

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

browser hijacked

Unread postby plumfield » December 31st, 2008, 1:46 am

At first, a day ago, I noticed the first page of searches led to bogus sites. Now it is the first three pages of searches. And lately the screen will unexpectedly scroll down. I installed IE 7 hoping it would fix this (even though I preferred IE6). Didn't help. Oh, and earlier today I installed Browser Hijack Recover (BHR) but it didn't make sense to me so I left it alone. I would like to do some online banking but I'm afraid to open that up. Should I be worried? Thank you for any help! Merry Christmas and Happy New Year! Here is the logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:24 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... se8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8939979886
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visitor ... EFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.13/ttinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.mercy.net/dana-cached/se ... tupSP1.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.arkansashighways.com/road/acgm.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe

--
End of file - 8089 bytes
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am
Advertisement
Register to Remove

Re: browser hijacked

Unread postby flashh4 » January 6th, 2009, 10:28 pm

Hello plumfield and welcome to the forums.

Please do not run any other programs with out my permission !!
Run all programs in the order posted !!!!!


My name is flashh4 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
4. Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
5. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
6. Please post all request .......... not as a Attachment.

If you can do those things, everything should go smoothly.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Note: I am still in training at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

I will be back as soon as possible with a fix !!
In the mean time can you give me an Uninstall list please !!


  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


*Note == There is a 5 day limit which you must respond to this topic or it will be closed. Then you will have to ask for it to be reopened or start a new topic.


Please post these:
1. New HJT log
2. Uninstall List if not already posted

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 7th, 2009, 1:53 am

Hi Chuck!! Thank you!

Okay, a little confession: It took so long to get an answer, that I called my local internet provider on the phone today, and he did some stuff (he can work on my computer from where he is without me needing a house call or having to unhook everything and run the box into town. Small town in Arkansas here, we trust local people like that.). Browser helper objects were removed, and he reset the internet options to the defaults. He told me he doesn't trust Spybot Search and Destroy anymore, since he has had problems with it, and doesn't trust AVG, same reason, and doesn't run a firewall on computers like mine, that connect to the internet with a wireless router and not a phone line or ethernet cable. He actually got Windows to quit warning me there was no firewall (with that little red shield in the bottom corner), but said it would come back if I installed the next service pack. I hope that information helps and you're still with me here.

Please don't excommunicate me. Mercy? I will agree not to let Alex the Local Guy do anything else while we are working, if you will keep me. I know this changes the parameters of what you would be working on, but I would really feel better knowing this thing is getting looked at from all possible angles. Watchers watching the watchers kind of thing. After reading in your forum, I'm afraid of having a Trojan that he could have missed, and getting my bank account wiped out, here, basically. Also I am asking for a second opinion on Spybot, AVG, and firewalls. Still have the first two, thought I was running a firewall with AVG, but--apparently not? That was news to me. He said my Belkin router has one and that's enough.

I think the hijacker is gone, but I have no way to be sure something's not hiding out. I haven't had time to do a lot of internet searches; I've done two, and they seem okay. I will post the uninstall list and the new Hijack This log. (Looking over them myself and seeing all the Preschool Games, I feel the need to tell you: I'm a homeschooling mother of four, and we use this computer all the time, all day long to look up all sorts of educational material. I would be devastated to have a nasty thing pop up on my 10 year old son while he searches for railroads or astronomy or something. Even the four year old knows how to get onto Nick Jr, to play educational games. We want to be safe here, and protect innocent children from anything graphic.)

I am really interested to hear what you have to say when you analyze it. Thank you very much for helping me. Even if you have to kick me out for breaking the rules and running like a scared bunny to the local guy, God bless you and this forum for the help you provide those of us who don't have time to catch up to your level of learning.

Oh, P.S.: the browser hijacker hit right after I visited classmates.com looking for a friend's address to put on a Christmas card. Hated the site, vowed never to return because of the heavy load of advertising and constant requests to "upgrade" (for a nice fee), and bam, there was the hijacker when I went to look something up on yahoo. I mention it now because I've been reading the forums while I wait, and heard something about that site having problems in Dec. 2008.

Which reminds me of another P.S. : I saw the warning elsewhere about P2P sites. If Rhapsody is one of them, and you don't allow that one, it can sure go. I got all of one song off there. Not much use for it.


uninstall list follows:

2 Player Chess
Acey Deucy Backgammon
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 7.0
Amazon Trail 3rd Edition
AvantGo Client
Bejeweled 2 Deluxe 1.0
BVHE-Beauty and the Beast Magical Ballroom
C2D Digital Microscope
Card and Board Games
CCScore
Checkers
Chinese Checkers Special Edition
Curious George Reading and Phonics
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Digital Photo Navigator 1.5
Dig'nRigs
Disney Interactive Global Compatibility Update June 2003
Disney's Magic Artist Deluxe
Disney's Mickey Mouse Toddler
Disney's Winnie the Pooh Toddler
Dominoes Deluxe
Dora`s Magic Castle (remove only)
Dr. Seuss Preschool
DXG-506V
eBookMan Desktop Manager
Edmark - FrippleTown
Edmark - Thinkin' Science
Edmark - Thinkin' Things 1
Edmark Mighty Math Number Heroes (remove)
Edmark Mighty Math Zoo Zillions
eGames GameButler
Elf Bowling - Bocce Style! (remove only)
ePocrates Essentials
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Euchre
FA Addition Subtraction
fflink
Four Field Kono
Gadgets
Galaxy Man
GdiplusUpgrade
Geo Jump
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Image Zone Express
HP PSC & OfficeJet 4.7
HP Software Update
Imaginext Pirate Raider Demo
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 7
JumpStart Learning Games ABC's
JumpStart Numbers
JumpStart Numbers
JumpStart Phonics
Juniper Networks Network Connect 6.0.0
kgcbaby
kgcbase
kgchday
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Learn to Play Bridge
Learn to Play Bridge 2
Learn2 Player (Uninstall Only)
Lexicon Special Edition
LNW 802.11g Wireless USB Card LSC-710
Macromedia Flash Player
Mahjongg Master 5
Malwarebytes' Anti-Malware
Math 1-2
Math Facts NOW!
Mattel Vidster
Mavis Beacon Teaches Typing 15
Mega Match
Memory Match
MetaFrame Presentation Server Web Client for Win32
Mickey Mouse Kindergarten
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Picture It! Express 2000
Microsoft Picture It! Express 7.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Mini Go
Monopoly - SpongeBob SquarePants Edition
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Library
muvee autoProducer 3.5 magicMoments
My Wal-Mart Digital Photo Center
Nero 7 Essentials
netbrdg
NetWaiting
Nick Aracde Toolbar
Notifier
OfotoXMI
Palm Desktop
Palm Desktop and Synchronization Software
palmOne
Passport to 35 Languages
PC Pitstop Optimize2 2.0
Photo Viewer V2.4
PhotoParade Player
PrintMaster 12
Puzzle Master 2 Special Edition
QuickTime
QuickTime 3.0
Reader Rabbit Kindergarten
Reader Rabbit(R) I Can Read! With Phonics
Reader Rabbit's Math Ages 4-6
Recovery for WordPerfect
Reversi
Rhapsody MP3 Download Manager
Rolie Polie Olie
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
SFR
SHASTA
Shockwave
SignLink V1.00
Simba's Pride Gamebreak
SKIN0001
SKINXSDK
Solitaire 2 Special Edition
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spirit (remove only)
SpongeBob SquarePants Obstacle Odyssey 2
SpongeBob SquarePants® Operation Krabby Patty
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
StatCoder.com STAT Cholesterol_GrowthCharts_Cardiac Clearance_JNC 7_GRACE
staticcr
Super Bubble Pop
The Print Shop 22
The Print Shop®
Tic Tac Toe
tooltips
Treasure Cove! CD
Tropical Poker Special Edition
U.S. Robotics V.92 PCI Faxmodem
Uninstall Digital Camera Drivers
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Media Player
VPRINTOL
WB Minesweeper 1.1.09
Winamp (remove only)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Winnie the Pooh Preschool
WIRELESS
Word Skramble
Word Slinger
Word Wiz
WordPerfect Office 12
Zoombinis Logical Journey(TM)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:36 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... se8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8939979886
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visitor ... EFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.mercy.net/dana-cached/se ... tupSP1.cab
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe

--
End of file - 4987 bytes
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby flashh4 » January 7th, 2009, 9:06 am

Hi plumfield, your log looks better, than the first one but lets do some more checking. I do see some things that needs taken care of, we are very busy right now but i will get back with you as soon as possible. So stay with me until we get you clean and running stable.

Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 7th, 2009, 3:37 pm

Well, God Bless you, and thank you! I sure will stay with you. It's great to get a chance to learn these things.
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby plumfield » January 7th, 2009, 3:53 pm

Here are some more clues. I did a search on yahoo for "bho wormradar" to see what was up with one of the things I already removed. Here are the results. I thought the results looked odd, but clicked on "cached" under the listing for pctools.com, and got a page calling itself pctools.com, but selling Spy Doctor. The search results quote about worm radar was nowhere to be seen on the page. Otherwise, it looked so legitimate, with all kinds of gold stars and awards. Sigh. I guess the hijacker is still at it. And I clicked on the blue highlighted part because I'm in a fatalistic mood about this computer for a tiny momnent here, and got a page with an orange box at striking offers.com, with mentions of Trojans and boxes to click. I don't dare copy and paste that. Optimism starting to kick back in......

Notice the listing for MalWare Removal, on down the list, and it's being redirected to hotjobs.com. Oh, and that security-antivirus.com has been on every bogus search, I do believe. It's a constant in this.


Did you mean: bho worm radar

SPONSOR RESULTS
Malware Bho

WARNING - Don't Download Any Spyware Removers Until You read this.
spyware-removers-review.net

WEB RESULTS
Bho: Wormradar.com Iesiteblocker.navfilter - Laptop Compromised ...
Bho: Wormradar.com Iesiteblocker.navfilter - Laptop Compromised!, After getting ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
www.stopzilla.com - 75k - Cached

Am I Infected? - Suggest A Fix PC Support Forums
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
www.pctools.com - 103k - Cached

BHO: WormRadar.com IESiteBlocker.NavFilter in XP/ Computer 2
hi and thanks for looking.Ran MBAM and found 16 infections all deleted successfuly, but still having lots of weird stuff going on.Any thoughts for me about this...
security-antivirus.com - 55k - Cached

Analysis: BHO: WormRadar (://URLFAN)
BHO: WormRadar. Post Date: Dec 26, 2008 11:40 a.m. ... het maken van een hijack log zag ik in sectie 02 de regel met WormRadar staan. ...
www.strikingoffers.com - Cached

Java Somehow Disable can not download any Antivirus
Java Somehow Disable can not download any Antivirus : Attach is some of the stuff on my computer I have been told to do ... O2 - BHO: WormRadar.com ...
www.monstermarketplace.com - 180k - Cached

BHO trojan, possibly fixed [CLOSED]
BHO trojan, possibly fixed [CLOSED] : I went through all of the VERY helpful and ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
www.nexplore.com - 93k - Cached

COMUI.DLL spreading Trojan horse BHO.O - PC Pitstop Forums
The threat name is "Trojan horse BHO.O" and it is "detected on open" ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
find-more-here.com - 126k - Cached

BHO Backdoor Trojans Help - PC Pitstop Forums
... other posts will be removed. BHO Backdoor Trojans Help. Options. dentay99. Today, ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
www.mit-iqexam.com - 91k - Cached

MalWare Removal • View topic - Please check HJT log - I'm getting BSODs ...
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ... O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C: ...
www.hotjobs.com - 557k - Cached

CastleCops® Zedo.
Making the Internet a Safer and Enjoyable Experience ... O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E ...
www.shopica.org - 160k
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby flashh4 » January 9th, 2009, 9:27 am

Hi plumfield, i am sorry for the wait but the teachers who check our fixes are very busy, and they have personal lives also. But i wanted to let you know i had not forgotten you. I will post some instructions as soon as i hear from them.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby flashh4 » January 10th, 2009, 3:49 pm

Hi plumfield, i would not do any online banking until i give you the all clear to do so.

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.




NEXT



Please download and run the following !

RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)



1. Please post the 2 rsit logs. No need to post a HJT log RSIT makes one.
2. The Uninstall List if not already included.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 11th, 2009, 9:33 pm

Howdy again. There was no Spybot icon in my system tray, but I did start it from the icon on my desktop and unchecked the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active, there were no prompts to okay, and used File, Exit to terminate Spybot. Have rebooted, downloaded the RSIT thing, and here's the log.


Logfile of random's system information tool 1.05 (written by random/random)
Run by Carol Malone at 2009-01-11 19:18:50
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 11 GB (28%) free of 38 GB
Total RAM: 766 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:13 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Carol Malone\Local Settings\Temporary Internet Files\Content.IE5\MAWFKC3H\RSIT[1].exe
C:\Program Files\Trend Micro\HijackThis\Carol Malone.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... se8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8939979886
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visitor ... EFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.mercy.net/dana-cached/se ... tupSP1.cab
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe

--
End of file - 4702 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-10-19 126976]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-10 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-06-01 94208]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe [2004-03-15 122933]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe [2005-10-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2002-07-16 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBookMan Monitor.lnk]
C:\PROGRA~1\FRANKL~1\EBOOKM~1\EbmMgr.exe [2002-04-16 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
C:\PROGRA~1\HANDSP~1\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2007-02-20 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
C:\PROGRA~1\BRODER~1\MAVISB~1\MINIMA~1.EXE [2002-08-30 2392064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Carol Malone^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk]
C:\PROGRA~1\FRANKL~1\EBOOKM~1\webcomp\webcomp.exe [2002-02-26 651264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\GameHouse\FeedingFrenzy\FeedingFrenzy.exe"="C:\Program Files\GameHouse\FeedingFrenzy\FeedingFrenzy.exe:*:Enabled:Feeding Frenzy"
"C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\WinBej2.exe"="C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\WinBej2.exe:*:Enabled:Bejeweled2"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e61e318b-d9e5-11d8-abab-806d6172696f}]
shell\AutoRun\command - D:\PlaySpirit.exe


======List of files/folders created in the last 1 months======

2009-01-11 19:18:50 ----D---- C:\rsit
2009-01-06 14:03:23 ----D---- C:\Documents and Settings\All Users\Application Data\Avg8
2008-12-30 22:52:55 ----D---- C:\WINDOWS\ie7updates
2008-12-30 19:59:30 ----D---- C:\Program Files\Browser Hijack Recover
2008-12-27 13:18:30 ----D---- C:\Documents and Settings\Carol Malone\Application Data\Help
2008-12-19 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$

======List of files/folders modified in the last 1 months======

2009-01-11 19:18:45 ----D---- C:\WINDOWS\Prefetch
2009-01-11 18:43:53 ----D---- C:\WINDOWS\temp
2009-01-11 13:44:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-11 12:52:02 ----D---- C:\WINDOWS\SYSTEM32
2009-01-07 12:34:24 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-01-07 12:20:05 ----D---- C:\WINDOWS\Help
2009-01-06 15:44:44 ----D---- C:\WINDOWS\system32\DRIVERS
2009-01-06 14:16:46 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-06 14:04:18 ----D---- C:\WINDOWS
2009-01-06 14:01:33 ----SD---- C:\Documents and Settings\Carol Malone\Application Data\Microsoft
2009-01-06 13:50:11 ----A---- C:\WINDOWS\NeroDigital.ini
2009-01-06 02:27:15 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-01-06 02:27:14 ----D---- C:\WINDOWS\system32\en-US
2009-01-06 02:27:14 ----D---- C:\Program Files\Internet Explorer
2009-01-06 02:23:31 ----HD---- C:\WINDOWS\INF
2009-01-05 13:29:08 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-05 10:25:35 ----SHD---- C:\WINDOWS\Installer
2009-01-05 10:25:35 ----HD---- C:\Config.Msi
2009-01-05 10:25:34 ----A---- C:\WINDOWS\ODBC.INI
2009-01-04 21:40:47 ----D---- C:\WINDOWS\network diagnostic
2009-01-02 11:26:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-01 03:01:20 ----A---- C:\WINDOWS\imsins.BAK
2009-01-01 03:01:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-31 03:02:32 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-30 22:56:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-30 22:51:23 ----D---- C:\WINDOWS\WBEM
2008-12-30 22:51:14 ----D---- C:\WINDOWS\Media
2008-12-30 19:59:30 ----RD---- C:\Program Files
2008-12-28 10:04:08 ----D---- C:\Library
2008-12-27 19:57:40 ----D---- C:\Audible
2008-12-27 19:44:07 ----D---- C:\My Music
2008-12-27 19:43:36 ----D---- C:\Program Files\Windows Media Player
2008-12-27 14:34:20 ----D---- C:\Contents
2008-12-20 17:09:33 ----D---- C:\Program Files\Learn to Play Bridge
2008-12-16 10:10:07 ----A---- C:\WINDOWS\WIN.INI
2008-12-12 11:01:00 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-01-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-01-14 23219]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-02-27 40480]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-03-15 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-03-15 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-03-15 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-03-15 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-03-15 85972]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-03-15 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-03-15 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-03-15 98580]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-03-15 100597]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136]
R3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-08-09 23552]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\USR_MDM.sys [2004-01-14 1041152]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\USR_BSC2.sys [2004-01-14 207616]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver; C:\WINDOWS\system32\DRIVERS\sis163u.sys [2006-04-21 215552]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-11-18 591808]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_USR.sys [2004-01-14 687488]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S2 BulkUsb;Science-Tech C2D Device Driver; C:\WINDOWS\System32\Drivers\c2dwin2k.sys [2000-08-07 14000]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ebookman;FEP_USB Driver; C:\WINDOWS\System32\Drivers\ebookman.sys [2001-05-11 19677]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 MLFILEM;MLFILEM; \??\C:\WINDOWS\system32\drivers\MLFILEM.SYS []
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2008-02-03 16694]
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\System32\DRIVERS\sermouse.sys [2001-08-17 17664]
S3 VisorUsb;Handspring USB; C:\WINDOWS\System32\DRIVERS\VisorUsb.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 dsNcService;Juniper Network Connect Service; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [2007-08-09 423280]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-13 168432]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-10 152984]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\500064-PMLPatch\HPZipm12.exe [2007-02-20 73728]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby flashh4 » January 12th, 2009, 9:17 pm

Hi plumfield, looks good so far. One last scan to check.

Please go to Kaspersky website and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
  3. When the downloads have finished, click on Next button.
  4. Click on Scan Settings button.
  5. Select extended under Scan using the following antivirus database:
  6. Check (tick) these boxes under Scan options:
    • Scan Archives
    • Scan Mail Bases
  7. Click OK
  8. Click on My Computer under Please select a target to scan:
  9. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
  10. Copy and paste this log in your next reply.


Please post the results of Kaspersky Scan

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 13th, 2009, 10:29 pm

Wow, that took so long! The Kaspersky program warned me to turn off anti-virus programs. I could not find AVG on my desktop, and Malawarebytes Antimalware didn't seem to have an off button, and we turned off Spybot last time, so I went ahead and downloaded.

I clicked yes to a Java thing, then it downloaded, and there was no Next button. There was no Scan Settings button.
There was no "extended under Scan using the following antivirus database."

I noticed the tiny print saying that it was ready to scan, so I looked around on the buttons some more, and I saw Please select a target to scan, and I accidentally hit the first one (Critical Areas, I think. Don't quote me). Got a result, will post it.

Ran it again, saw a Scan Settings link (not button), found My Computer under Please select a target to scan, ran that, took two hours. It was at 1 hour 57 minutes and 99% done with no infections, then all of a sudden it found the same one as the first scan. Will post that too.

I hope I did it right. I didn't see "Save as text" but I did see "Save as..." and it opened my documents so I named it and saved it. Why did it need to be saved on my desktop? Is there something I need to do to compy with that instruction?

Well, here are the saved logs:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 13, 2009 18:03:52
Records in database: 1615127


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Carol Malone\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 62609
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:41:18

File name Threat name Threats count
C:\WINDOWS\SYSTEM32\wdmaud.sys Infected: Rootkit.Win32.Agent.fwt 1

The selected area was scanned.


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 13, 2009 20:48:30
Records in database: 1615680


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
F:\

Scan statistics
Files scanned 94462
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:27:18

File name Threat name Threats count
C:\WINDOWS\SYSTEM32\wdmaud.sys Infected: Rootkit.Win32.Agent.fwt 1

The selected area was scanned.
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby flashh4 » January 15th, 2009, 8:55 am

Hi plumfield, lets do some more checking.

Download RegSearch by Bobbi Flekman.
  • Create a folder in your C: drive C:\Regsearch, and extract all the files from the zip archive into that folder.
  • Double click regsearch.exe to launch the programme.
  • Copy/Paste the following into the Search Box wdmaud
  • Click OK.
Regsearch will now search your Registry for the required strings, when it is finished it will open a Notepad file RegSearch.txt, saved to the Regsearch folder.

Copy/Paste that file into your next post.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 15th, 2009, 10:07 pm

This gave me a little trouble. I hope I did it correctly. I clicked the link in your post, and hit the save button, but it hung up and would not finish downloading. So I cancelled that and clicked the link again, and hit the run button this time, and got a box with the RegSearch.zip file, and clicked it, and said yes to unzipping it, and ran it.

It is hung up now and turns the cursor to an hourglass on the RegSearch window. But it did open a Notepad file and so I will post that and see if I can click the x to get Registry Search to close. Thanks!

By the way, I keep meaning to tell you that I love the jackalope. Got a few of them on our trip out to Yellowstone last year.


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 1/15/2009 7:55:52 PM for strings:
; 'wdmaud'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\drivers.desc]
"wdmaud.drv"="SoundMAX Integrated Digital Audio"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wdmaud.drv"="wdmaud.drv"
"aux2"="wdmaud.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers]
"wave"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005]
"AssociatedFilters"="wdmaud,swmidi,redbook"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0012]
"InfPath"="wdmaudio.inf"
"InfSection"="WDM_WDMAUD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0013]
"InfPath"="wdmaudio.inf"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SW\{cd171de3-69e5-11d2-b56d-0000f8754380}\{9B365890-165F-11D0-A195-0020AFD156E4}]
"Service"="wdmaud"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SW\{cd171de3-69e5-11d2-b56d-0000f8754380}\{9B365890-165F-11D0-A195-0020AFD156E4}\Control]
"ActiveService"="wdmaud"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wdmaud]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wdmaud]
; Contents of value:
; system32\drivers\wdmaud.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,77,00,64,00,6d,00,61,00,75,00,64,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wdmaud\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wdmaud\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005]
"AssociatedFilters"="wdmaud,swmidi,redbook"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0012]
"InfPath"="wdmaudio.inf"
"InfSection"="WDM_WDMAUD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0013]
"InfPath"="wdmaudio.inf"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\SW\{cd171de3-69e5-11d2-b56d-0000f8754380}\{9B365890-165F-11D0-A195-0020AFD156E4}]
"Service"="wdmaud"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wdmaud]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wdmaud]
; Contents of value:
; system32\drivers\wdmaud.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,77,00,64,00,6d,00,61,00,75,00,64,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wdmaud\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005]
"AssociatedFilters"="wdmaud,swmidi,redbook"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\midi\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\mixer\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0005\Drivers\wave\wdmaud.drv]
"Driver"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0012]
"InfPath"="wdmaudio.inf"
"InfSection"="WDM_WDMAUD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0013]
"InfPath"="wdmaudio.inf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{cd171de3-69e5-11d2-b56d-0000f8754380}\{9B365890-165F-11D0-A195-0020AFD156E4}]
"Service"="wdmaud"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{cd171de3-69e5-11d2-b56d-0000f8754380}\{9B365890-165F-11D0-A195-0020AFD156E4}\Control]
"ActiveService"="wdmaud"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdmaud]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdmaud]
; Contents of value:
; system32\drivers\wdmaud.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,77,00,64,00,6d,00,61,00,75,00,64,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdmaud\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdmaud\Enum]

; End Of The Log...
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am

Re: browser hijacked

Unread postby flashh4 » January 16th, 2009, 1:48 pm

Hi plumfield, not many people know that the "Jackalope" is associated with Wyoming. I live 45 minutes from Yellowstone.

We are getting close. ok lets get rid of that file.
First we need to backup the registry.

Backup Your Registry with ERUNT
  • Please use the following link to download ERUNT
  • Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.

Note:If we need to restore your registry, go to the folder and start ERDNT.exe



NEXT



  1. Please download OTMoveIt3.exe from Geeks to Go and save it to your desktop.
  2. Double click on OTMoveIt3.exe to run it.
  3. Please copy and paste the following in the Code box into OTMoveIt3 (1).

    Warning: Do not type it out to prevent any typo errors and damaging your machine.

    Code: Select all
    :Files
    C:\WINDOWS\SYSTEM32\wdmaud.sys
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=-
    
    :Commands
    [EmptyTemp]
    [Reboot]


    Please refer to this image to use OTMoveIt3.

    Image

  4. Click on MoveIt! (2)
  5. Click Exit (3) when done.

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.



Also run a new Kaspersky Scan and post it.
New HJT log please.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: browser hijacked

Unread postby plumfield » January 16th, 2009, 9:35 pm

========== FILES ==========
C:\WINDOWS\SYSTEM32\wdmaud.sys moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\aux2 deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01162009_172551

Files moved on Reboot...
C:\DOCUME~1\CAROLM~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_5b0.dat not found!



[that's what came up after the reboot; going to do the other scans now]
plumfield
Active Member
 
Posts: 12
Joined: December 31st, 2008, 1:36 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 60 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware