Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijacked by a browser hijacker

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 3rd, 2009, 7:43 pm

When I try and do Google searches, it will usually give me results, but when I try and click a result, I more often than not get another site peddling its wares and not the one I wanted. This affliction also seems to block certain websites - such as yours. It kept me from going to malwareremoval.com. I guess it means you're being effective, huh? :king:

I cleared the cookies and temporary Internet files, and I made sure "third party browser extensions" is unchecked in Advanced Options in the browser, but none of that had any effect. I've also had McAfee turned on all this time, and I did a full scan with it, not just on the hard drive, but on my external HD and flash drive, which I use with this computer, too. No change.

I sure hope someone can help. I'm posting my Hijackthis log below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:26, on 2009-02-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\SYSTEM32\WINMINE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Share ... mCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0135981232946127) (0135981232946127mcinstcleanup) - Unknown owner - C:\DOCUME~1\jeffrey\LOCALS~1\Temp\013598~1.EXE (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 7097 bytes
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida
Advertisement
Register to Remove

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 7th, 2009, 6:38 pm

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 8th, 2009, 3:27 pm

Here's the list of programs.

(Hmm - I wonder why there's so many "Windows XP Security Update" and "Hotfix" entries?)


Abstract Dance Screensaver v1.0
Active@ ISO Burner v 1.1
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Reader 7.0.8
Adobe Setup
Adobe Shockwave Player
Apple Software Update
Backup To DVD/CD 5.1
Banctec Service Agreement
Broadcom Management Programs
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CDR Tools Front End v1.4 final
Cisco Press CCNA ICND Test
Comcast Video Mail - Version 3.4 Build 3778
Compatibility Pack for the 2007 Office system
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
Creative WebCam Instant User's Guide (English)
DeepBurner v1.8.0.224
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DXG-518
EarthLink setup files
ExtractNow
FlashPath
Get Yahoo! Messenger
GiPo@FileUtilities 3.2
Google Earth
Google Updater
GPL MPEG-1/2 DirectShow Decoder Filter
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Intel(R) Integrated Performance Primitives RTI 4.0
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
K-Lite Codec Pack 4.1.0 (Standard)
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Media Manager 1.5
Microsoft Office Converter Pack
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
Microsoft Web Publishing Wizard 1.52
Microsoft Windows XP Video Decoder Checkup Utility
Modem Event Monitor
Modem Helper
ModemTest V1.3
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Music Visualizer Library 1.4.00
Netscape Communicator 4.77
NetXfer 2.22.331
NetZeroInstallers
OLYMPUS CAMEDIA Master 2.5
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Limited Patch 3.2-03-04-17-02
OpenMG Secure Module 3.2
Palm Desktop
Publix Preschool Pals
RealPlayer
ScanCraft CS-P
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB953838)
SonicStage 1.5.53
Sony Picture Utility
Sony USB Driver
STOIK Video Converter 2
The Print Shop Premier Edition 5.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Viewpoint Media Player
Windows Backup Utility
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WordPerfect Office 12
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 8th, 2009, 5:04 pm

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
Additional info:Here
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

___________________

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information.
CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'




Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
:files 
C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
C:\WINDOWS\system32\ebkp.dll
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]

    

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

----------------------------------

Run your malwarebytes program, update it first
Remember to check fix selected items!

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u6-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply.


Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.



Post the otmoveit3 report
malwarebytes report.
Fresh HJT report
Kaspersky scan and javara report.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 8th, 2009, 8:32 pm

I'm working on your instructions now. I should be through shortly, but I need some clarification - in the Java update which you said I needed, there isn't a Java Runtime Environment (JRE) 6 Update 6 available at the site that I can immediately see - just the Update 12. Do you want this one instead?

(Also, there's two to pick from:
- JRE 6 Update 12: This release includes the highly anticipated 64-bit Java Plug-In (for 64-bit browsers only), Windows Server 2008 support, and performance improvements of Java and JavaFX applications
- JRE 6 Update 12: This JDK includes the JRE and command-line development tools that are useful for developing applets and applications.)
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 8th, 2009, 8:59 pm

HI, my apology my post should of said - JRE 6 Update 11.
I will find you the link for update 11 and post to you tomorrow I can't lay my hands on it at the moment.
continue with the rest of that post I gave.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 8th, 2009, 9:02 pm

I knew I had it somewhere here you go
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 9th, 2009, 4:57 pm

I'm attaching the three log files you requested. Boy, the Kaspersky scan took almost four hours(!) (I do have a maxed-out HD, though.)

I installed the latest Adobe Acrobat reader, and I think it over-wrote the older version, since I only see the new one now. Also, I did have McAfee on my computer, but it kept interfering with the diagnosis process to the point that I just un-installed it. I hated it anyway. I hope this doesn't affect your diagnosis. I'm putting my new HijackThis log in this message instead of adding it as a file.

Let me know if you need anything further.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44, on 2009-02-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Startup: ChkDisk.dll
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Share ... mCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 5955 bytes
You do not have the required permissions to view the files attached to this post.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 10th, 2009, 3:59 am

Can you delete items in Microsoft Outlook Express "Deleted folder"

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O4 - Startup: ChkDisk.dll
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
:files 
C:\Documents and Settings\jeffrey\protect.dll
C:\Documents and Settings\jeffrey\Start Menu\Programs\Startup\ChkDisk.dll
C:\SDFix
H:\Downloads\fileutil.exe

    

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Post report and a HJT report, let me know how things are!
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 10th, 2009, 5:59 pm

Things seem to be better now. I don't get the Google redirects anymore, and I can actually go to this website on this computer now (whereas before I just got a blank screen).

Here are the log files you requested.


OTMoveIt3 Log

========== FILES ==========
DllUnregisterServer procedure not found in C:\Documents and Settings\jeffrey\protect.dll
C:\Documents and Settings\jeffrey\protect.dll NOT unregistered.
C:\Documents and Settings\jeffrey\protect.dll moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\jeffrey\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\jeffrey\Start Menu\Programs\Startup\ChkDisk.dll NOT unregistered.
C:\Documents and Settings\jeffrey\Start Menu\Programs\Startup\ChkDisk.dll moved successfully.
C:\SDFix\backups moved successfully.
C:\SDFix\apps\Replace\xp moved successfully.
C:\SDFix\apps\Replace\w2k moved successfully.
C:\SDFix\apps\Replace moved successfully.
C:\SDFix\apps moved successfully.
C:\SDFix moved successfully.
File/Folder H:\Downloads\fileutil.exe not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_165503


Hijack This Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56, on 2009-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\jeffrey\protect.dll,_IWMPEvents@16
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Share ... mCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 5993 bytes
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 11th, 2009, 4:52 am

Would you let me know how things are with the pc at this time?
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 11th, 2009, 5:06 am

It all seems to be fine now. I can't detect any problematic issues. (That Malwarebytes program is really the cats meow as far as security programs go. Great stuff.)

Thanks for the assistance. McAfee alone never would have done it.
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 11th, 2009, 6:53 am

Your Antivirus and Firewall programs you only need to be running one of each.


You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
-Free edition of the AVG anti-virus program for Windows.
CLEAN UP


There is no sign of a Third Party Firewall installed on your system.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

There are several possible reasons for the Firewall not showing.
  1. You are using Windows Firewall. This is not recommended as it will only stop incoming material. It permits all outgoing traffic.
  2. You are using a hardware firewall. It should be complemented with a Third Party Software Firewall
  3. You have a firewall, but you disabled it. Please re-enable it.
  4. You don't have a firewall at all.

If you don't have a third party firewall, please get ONE firewall and install it. Restart the computer for changes to take effect.

Online Armor
Comodo Personal Firewall



  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
------------------

Please note! The HijackThis O6 section corresponds to an Administrative lock down for changing the options or the homepage in Internet explorer by changing certain settings in the registry.
This entry would legitimately show if an administrator set the restriction on purpose or if the user utilized Spybot S&D's Home Page and Option Lock down features in the Mode ->Advanced Mode -> Tools -> IE Tweaks section. (Or there could be other similar tools with similar options/functions.
Are you the administrator and did you set the restriction? If you didn't, then you can fix the following entry.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


let me know when done and post another HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked by a browser hijacker

Unread postby Crunchyhippo » February 11th, 2009, 6:52 pm

I did as you suggested and installed Antivir PersonalEditionClassic as well as Comodo Personal Firewall. I downloaded them onto my external HD at work, then installed them onto my formerly-infected desktop at home after work. However, after successful installation, when I tried to go back to this website to update you, I again couldn't access the website. I got only a blank white page like before. :x

So I ran the Malwarebytes program again, and it found about a half-dozen trojans(!) I guess I got them on download somehow. But after the program did its cleaning, I could get to your website again, so it did its job. And for security reasons, I deleted the anti-virus and firewall programs that I installed, and made sure they're gone from the Recycle Bin, too. I'll have to do another download at some point.

I'm posting the logfile for Malwarebytes, along with a new HJT. I also removed the selected item in the registry with OTMoveIt3.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2009-02-11 16:06:32
mbam-log-2009-02-11 (16-06-32).txt

Scan type: Quick Scan
Objects scanned: 55199
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\autochk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\jeffrey\protect.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\jeffrey\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34, on 2009-02-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: ChkDisk.dll
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Share ... mCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - AppInit_DLLs:
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 6429 bytes
Crunchyhippo
Regular Member
 
Posts: 46
Joined: February 5th, 2008, 9:11 am
Location: Florida

Re: Hijacked by a browser hijacker

Unread postby dan12 » February 11th, 2009, 7:18 pm

You were with out security for a short time before you installed your protection, could well be where you picked them up from.

And for security reasons, I deleted the anti-virus and firewall programs that I installed, and made sure they're gone from the Recycle Bin, too. I'll have to do another download at some point.
Can you just clarify this for me, are you saying you downloaded and Installed the antivirus program and firewall that I gave you then uninstalled them?
As I see these in the returned HJT report!

Fix this with HJT
O20 - AppInit_DLLs:

Post a fresh Log.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 49 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware