Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser Hijack Virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Browser Hijack Virus

Unread postby frerom » January 5th, 2010, 2:36 am

Hi Shinybeast,
Re Help Assistant, I did contact Microsoft before I discovered the Malware forum. We were going to have a remote assistance session but it didn't work out. I reset IE and the browser appears to work very well now.

The GMER log is below and I believe it found something.

For your info: I had an OA crash on exit yesterday. I sent the minidump report to Microsoft today WIN Patrol warned me about new statup program %system%\system32\dumprep 0 -k.
Since Microsoft also explained that the crash was possibly due to a faulty driver and recommended using the Dell driver reset tool. I did that also. Again I don't like the way Dell does things. When I used the tool, you never know whether it completed successfully.

The GMER log follows

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85748158]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x85748158
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada
Advertisement
Register to Remove

Re: Browser Hijack Virus

Unread postby shinybeast » January 5th, 2010, 5:30 pm

Hi frerom,

I have a couple of questions before we proceed.

Does this computer have a recovery partition on the hard drive that you know of or do you perhaps have recovery discs for it?

Do you have an Windows XP CD-ROM in your possession?
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 6th, 2010, 1:39 am

Hi Silentbeast,
Yes, I believe there is the standard Dell Partition. I have the 2 Dell disks. Reinstallation CD WinXP PRO SP2 and Divers and Utilities. I also have a WinXP home edition SP2 disk

Re IE8 operation. The Dell page during loading it says errors on page but when it finishes it just states Done.
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 7th, 2010, 11:41 am

Hi frerom,

Sorry for the delay.

Regarding your earlier post...

dumprep is the program responsible for logging the error and sending it to Microsoft as you elected to do. That is why it is wanting to run at startup.


You seem to have a Master Boot Record (MBR) infection and we need to be extra careful in how we address it. I want to be sure of the computer's setup. Please perform the following.

  • Click here to download Preformat Script by Noviciate
  • Extract Preformat.zip to your desktop.
  • Double-click Preformat.vbs file that was extracted to run the script.
  • A window will open and close.
  • After the script has run, there will be a text file, Preformat.txt, created in the same location as Preformat.vbs
  • Open Preformat.txt, copy the contents and post them in a reply to this topic.

Also, please check the discs you have again. Do you think you can restore the computer to it's original state with the discs you have?
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 7th, 2010, 1:56 pm

Hi Silentbeast,
Glad to have you back.

Re disks, before I discovered this forum I was trying to run SFC but I ran into problems because I have SP3 and SFC looks for the installation disk in drive D. I was thinking of trying to stream my SP2 installation disk with a downloaded SP3 to overcome that problem. Is this a possiblity now.

The other thing is my hard drive probably has 3800 hours on it and I was looking at the possibilitry of copying the whole hard drive to a new one some time in the future with one of the ghosting programs.

I should be able to use the disks I have now but I woiuld rather not have to since there will be lots of updating.

The computer is about 3.5 years old and never had a reinstallation of the operating system. So I never had to use the disks I have but it should be no problem if I have to. So lets go ahead, I appreciate your caution.

By the way, I have 2 other computers so I will be able to get back to you quickly if there are any serious problems.

For your added info. I used drive management to check the drive info. Partition 0 is a FAT (EISA config) Part 1 is NTFS (System Config) Part 2 is FAT32 (Unknown Partition) All partitions are healthy
Preformat log follows.

Partition ID: Disk #0, Partition #0
Size: 47.03 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 70.07 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #2
Size: 3 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A17
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 8th, 2010, 4:52 pm

Hi frerom,

OK, here is the situation.

You have an infection in the MBR as I mentioned previously.

If we were to attempt to fix it, you will most certainly lose access to the recovery partition that the computer has and will not be able to use it to restore the computer to its original state.

Therefore, we cannot help further in this matter as we do not want to be responsible for doing any harm to the computer.


Using a third-party imaging program on the hard drive in it's current state will copy all of it's current problems as well which is not a good thing to do. I suggest you backup important documents, files, bookmarks, email, etc. before you do anything else.


After that, I suggest you seek out help/advice from Dell support and/or Dell Community forums before proceeding further in attempts to repair the computer. And/or seek out a local repair shop or professional with a strong knowledge of Dell computers.


OTL Cleanup

Please run OTL which should still be on your desktop
In the upper right click CleanUp
This will delete OTL and will clean up after it.


You may delete GMER, mbr.exe, fsbl.exe and other tools we have used.


I am sorry that I cannot help you further. Feel free to ask any questions and I'll answer the ones that I can.

Best of luck,
shinybeast
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 9th, 2010, 5:38 pm

Hi Silentbeast,
I did some research on the Dell Forum and decided that I would take a chance and run DSRFIX. Before I ran it I checked to see if the Dell PCrestore screen would appear when I used Ctrl F11. It did.
I then ran MBR rootkit detector again. The MBR log follows
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !

Do you mind reviewing the new log to see if we can or need to eliminate the malicious code or suggest who I should contact. The computer appears to be working all right.
I used the DSRFIX /F expecting the program to advise me to queu the changes that they would propose. But It came back with none. Previously when I ran DSRFIX (no switches) it stated that the MBR didn't match the Dell MBR.
Now I believe the DSRFIX identified the MBR as Dell mbr v3.
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 9th, 2010, 6:52 pm

Hi frerom,

Nice job! I think you did it.

The last three lines of the mbr log are not in a clean mbr log but the infection appears to be deactivated and those remnants of code should cause no issues.
There is no easy way to delete them and it's not worth the trouble to try.

I am glad you found the help you needed.

I am curious, does PCRestore (Crtl-F11) screen still come up after running dsrfix?


If you would like to continue here, please do the following.


Update Java

Older versions of Java may have vulnerabilities that can be exploited by malware.
Please follow the steps below to update the Java Runtime Enviornment

Download and install newest version:

  • Click here to visit Sun Java download page
  • Scroll down the page a bit and click Image under Image
  • Select your platform and agree to the license agreement (after having read it, of course) by clicking the checkbox. Click Continue.
  • Click the link (jre-6u17-windows-i586-p.exe) under Available Files and download the offline installer to your desktop.
  • Close any programs you may have running, including web browsers.
  • From your desktop, double-click on the download to install the newest version.


Remove older version(s):

  • Click Start, click Run...
  • Type appwiz.cpl and click OK
  • For each of the Java installations listed below, highlight them in the list and click Remove

    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 13

  • Click here to download JavaRa and save it to your desktop
  • Extract JavaRa.zip to your Desktop
  • Double-click JavaRa.exe to start JavaRa
  • Choose language in the drop-down menu, then click Select
  • In the new JavaRa window click Remove Older Versions to remove leftovers from uninstalls
  • Click Yes in the dialog box that pops up to uninstall
  • Close all browser windows (you will get a warning from JavaRa)
  • Click OK in the dialog box that pops up to open the log. Close the log. It is saved in the root of the windows drive (i.e. C:\)
  • Reboot your computer.


Please post a new HijackThis log and let me know how the computer is running.
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 10th, 2010, 11:40 am

Hi Silentbeast,

Yes. Things appear to have worked out quite well. Thank you for pointing me in the right direction. I did run into some difficulty because I was supposed to save my old MBR. But since I don't have a floppy I tried to use my USB flash. I wasn't able to save the MBR or save the dump file as recommended. I believe I forgot to format the USB. I will have to try again later.

The PCRestore (Crtl-F11) screen still comes up after running dsrfix.

Java is updated and old versions and leftovers are removed.

Standby works fine now. I didn't try hibernate but I expect it to be okay.

Re IE8 Dell home page loading with errors. I discovered that the browser was not my regular browser but rather a browser supplied by myway. I noticed the program in the add/remove list. I changed the home page and deleted the program. IE8 appears to be fine now.

Remaining issues.

1.- Sometimes when I log on I still get the memory error associated with Ati2evxx.exe. I read where some people recommend to disable it. So far I ignore it.

2.- Deleted. I installed the sndvol32.exe from one of my other computers. Icon is now on the task bar.

3.- To remove the programs that I downloaded to my desktop, Do I just delete them from the Desktop?

4.- I would like to clean up the restore points.

5.- I had trouble installing the latest version of adobe Flash player (10.42). IE prevented me from downloading it. Finally I had to change the security level for IE and allow scripting. After installation I set it back to default (Medium - high) I will add the latest hijack log. Hope you have not started looking at it.



Hijack log follows
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:55 AM, on 10/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/support/index.a ... l=en&s=dhs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GBMLite8AgentLaCie] C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0460342453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7243105250
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://acaeronet.aircanada.ca/http://y ... rview2.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 7700 bytes

Latest Hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:24 PM, on 10/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/support/index.a ... l=en&s=dhs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GBMLite8AgentLaCie] C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0460342453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7243105250
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://acaeronet.aircanada.ca/http://y ... rview2.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8142 bytes
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 11th, 2010, 1:15 pm

Hi Fred,


RE: Remaining issues.

1.- I still get the memory error associated with Ati2evxx.exe. I read where some people recommend to disable it. So far I ignore it.

This is the control panel for your graphics adapter. I would suggest uninstalling graphics adapter drivers and software, reboot, and re-install the latest drivers and see if that helps. When I had an ATI card I only used ATI Display Driver and never installed ATI Catalyst Control Center. I had no use for it, but you might so it is your call. You can also disable the service through Services but you will not have access to the "advanced" settings for your graphics adapter.

If you elect to disable the service...
    click start, click run... type services.msc and press Enter
    locate Ati HotKey Poller in the list and double-click it
    on general tab, click Stop under Service status:
    next to Startup, select disabled from the drop down menu.
    Click OK. Close Services window.


2.- When I try to install the volume ctrl in the task bar I'm informed that sndvol32.exe is missing. Is the a safe place to get a copy.

The file is the same for SP2 and SP3 so if you do the following it should be replaced.

  • Insert XP Home SP2 disc into CD drive (not Dell CD).
  • Copy the following command in the code box.
    Code: Select all
    expand X:\i386\sndvol32.ex_ C:\system32\sndvol32.exe
  • Click Start, click Run...
  • Paste the command in to the Open: field
  • Change "X" in the command above to the drive letter of your CD drive
  • Click OK
This will hopefully get sndvol32.exe replaced.


3.- To remove the programs that I downloaded to my desktop, Do I just delete them from the Desktop?

If you did the OTL cleanup here, then just delete everything else.


4.- I would like to clean up the restore points.

Once we are satisfied that the computer is clean, we will deal with the restore points.


I suspect your Java may not be quite right. Please verify your Java installation.

Click here with Internet Explorer to visit Java verification page.
You should get a "Congratulations!" if current Java is installed.
If you do not, then re-install Java Runtime Environment
If you do get the "Congratulations!" then click the Test your Java Virtual Machine (JVM) link on that page to verify that Java is working.
If the applet doesn't display, follow the instructions to troubleshoot Java. A re-installation may be necessary.


HijackThis

Start HijackThis and select Do a system scan only
Place a check next to the lines listed below and Close all windows except for HijackThis
Click Fix checked:

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll


Close HijackThis then reboot the computer


Download and Run Malwarebytes' Anti-Malware

Malwarebytes' is a good general anti-malware program. Occasionally updating it and running scans will remove most minor malware. I would like to do a scan now to check for anything ESET scan may have missed before we finish up.

Please download the free version of Malwarebytes' Anti-Malware and save to a convenient location.
Double-click the mbam-setup.exe file that you download to start the installation
Go through the install screens and before you click finish ensure that the two check boxes below are checked.
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware

The program will then check for updates. If you have a firewall installed and it throws up a warning, please allow Malwarebytes through.
  • Once it checks for and gets any updates tick Perform full scan
  • If you are asked to select drives to be scanned, leave all the drives selected and click Scan
  • The scan could take quite some time to complete, please be patient.
  • When it finishes, click OK in the window that pops up and then click Show Results in the main window
  • Check all items EXCEPT items in the C:\System Volume Information folder... then click on Remove Selected.
  • When the removal is complete, a logfile will open. Please copy and paste the entire contents of the logfile in your next reply. See NOTE below
  • If necessary, the logfile can also be accessed by running Malwarebytes' and clicking the Log tab. Double-click the current log to open it.
NOTE: If Malwarebytes' encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let it proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent Malwarebytes' from removing all the malware.

Please post back with the Malwarebytes' log, a new HijackThis log and results of other fixes. :)
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 12th, 2010, 3:00 pm

Hi Shinybeast,
Re: Remaining issues

1.a- I uninstalled the driver using device manager and rebooted. I removed the ATI control center using control panel. I'm not sure whether I should have removed the ATI display driver software listed in conrol panel or did it get reinstalled when I rebooted?

Ib.- also removed several other programs that I noticed in control panel list. (Avanquest, JD Secure 3.1 learn2 player)

1c. - There are 2 Broadcom 440x 10/100 integrated controller programs listed on control panel - Version 8.03.09 (.13 MBytes) and 10.03.09 (.14 MBytes). Should I try removing one of them or both. I am not using the ethernet connection at this time. Uninstall list at end of logs.

2.-Volume icon reinstalled on TASK BAR.

3.- OTL removed and cleaned. Other downloads removed. Except for TFC.

4.- Restore points - TBD

5.-Java is working. I had trouble getting the applet working. Clearing the temp files and enabling the Java console through Internet manage ADD-ONs got the Applet working.

6.- Checked 4 items in scan as requested. Ran Malwarebytes. No problems


Malware Log

Malwarebytes' Anti-Malware 1.44
Database version: 3548
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2010 1:24:13 PM
mbam-log-2010-01-12 (13-24-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 304487
Time elapsed: 1 hour(s), 8 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:45 PM, on 12/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/support/index.a ... l=en&s=dhs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GBMLite8AgentLaCie] C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0460342453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7243105250
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://acaeronet.aircanada.ca/http://y ... rview2.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconfidenceonline.com/plug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 7467 bytes


Uninstall list

Adobe Acrobat 7.1.0 Professional
Adobe Download Manager
Adobe Flash Player 10 ActiveX
ATI Display Driver
AutoCAD LT 2007 - English
Autodesk DWF Viewer
avast! Antivirus
Broadcom 440x 10/100 Integrated Controller
Broadcom 440x 10/100 Integrated Controller
Conexant HDA D110 MDC V.92 Modem
CorelDRAW Design Collection - 2
CorelDRAW Graphics Suite X3
CorelDRAW Graphics Suite X3
Cortona_ActiveX
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
DellSupport
Digital Line Detect
EN
FontNav
Genie Backup Assistant
Google Chrome
Google Update Helper
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Image Zone 4.7
HP Scanjet 4070
HP Update
Image Expert
InstallActiveX
Internet Explorer Default Page
Isoview 5.0.011 (Airbus License)
Java(TM) 6 Update 17
LaCie Backup Software v1.5.2215
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Easy Assist v2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Links 2001
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Live Meeting 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.5.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Suite
NetWaiting
Norton Confidence Online
OGA Notifier 2.0.0048.0
Online Armor 4.0
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer Basic
SeaTools for Windows
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SigmaTel Audio
SmartFTP Client
SmartFTP Client 3.0 Setup Files (remove only)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Ericsson PC Suite 4.010.00
Synaptics Pointing Device Driver
Time Zone Data Update Tool for Microsoft Office Outlook
U3Launcher
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
VBA
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Driver Package - Intel (w29n51) net (09/12/2005 9.0.3.9)
Windows Driver Package - Intel (w39n51) net (12/04/2005 10.1.0.13)
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2009
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 12th, 2010, 6:33 pm

Hi Fred,

RE: issues

1a. It would have been ideal to uninstall both, then reinstall ATI Display Driver. ATI Display Driver is necessary for the adapter to work. Catalyst is unnecessary. If you are not having any more Ati2evxx.exe errors, then leave things be.

1c. I would recommend you leave Broadcom programs installed for future use, if necessary.

2. Glad to hear it.

3. TFC is a nifty program, so keep it if you wish.

5. My hunch was correct. Glad you got it working.


Well, your logs are clean!


Create a new System Restore point and clear old ones

Please clear old restore points in order to avoid reintroducing malware from a restore point in the future.

Create a new restore point
  • Navigate to Start > All Programs > Accessories > System Tools and click System Restore
  • On the right side of the welcome window, select (tick) Create a restore point, then click Next
  • Under Restore point desciption, name the restore point (I suggest post-malware removal or something similar)
  • Click Create, then click Close

Delete old restore points
  • Click Start, click Run..., type cleanmgr and press Enter
  • Select the drive XP is installed on (usually C: ) and click OK
  • Once the Disk Cleanup dialog opens, click the More Options tab
  • Under System Restore click Clean up...
  • You will be asked if you are sure you want to clean all restore points but the most recent one, click Yes
  • Close the Disk Cleanup dialog to finish.
Note: Do the above once. Restore points should not be routinely deleted.


Implementing the following suggestions will greatly reduce your chances of malware problems in the future.

Update Windows

It is important to keep Windows and Microsoft programs updated to close vulnerabilities as they are discovered.

I suggest that you occasionally visit Microsoft Update and install all important updates. Please visit Microsoft Update as soon as possible as described below.

Close all windows and temporarily disable your anti-virus (usually through a tray icon)

Use Internet Explorer to visit this site: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-US

Once the page loads follow instructions to install all critical updates. You may need to repeat this process until fully updated.


Keep installed programs up to date

Anti-virus
Most important is keeping your anti-virus software up to date. An out of date anti-virus is not much better than no anti-virus. If your anti-virus is not set to update automatically (preferred), it is imperative that you occasionally update it manually. You usually can accomplish this through a tray icon.

Update Other Vulnerable Software
Malware writers are increasingly targeting vulnerabilities in commonly used applications. There are several online sites which will scan your computer for outdated software. I've listed two below. I recommend occasionally visiting and scanning your computer to detect vulnerable software that should be updated.
Secunia Online Software Inspector
F-Secure Health Check

Mozilla Firefox Plug-in Check
If using Firefox, Click here to visit Mozilla, check your plug-ins and update them as necessary.


Best Practices for Email and Downloaded Files.

  • Do not read emails from unknown sources.
  • Make it a habit to never open email attachments from anyone, including people you know, unless you absolutely have to. If you need to open an attachment, scan it with your anti-virus before you open it.
  • Do not use Peer to Peer software to "share" media and software. You will get more than you expected and the "bonus" will not be something you want and will bring you back seeking help.
  • Do not use keygens or hacked software. First, it is stealing. Second, it is almost always infected with something. If you cannot afford to buy something, there is likely a free alternative that will be a good substitute. Search around and seek out advice from a trusted forum. Most will be glad to tell you of their favorite free program that performs the job you want done.


Additional Protection Programs

The programs listed below are excellent for improving your computer's security.

WinPatrol by Bill Pytlovany - "WinPatrol is a multi-purpose utility designed to increase performance and protect against unwanted changes." Information on it's many features can be found here

MVPS Hosts file - A replacement HOSTS file that redirects known malicious and ad serving sites to the localhost, thus preventing connection to them.
Note: MVPS Hosts file can sometimes slow down the computer so read the information on the site to mitigate this effect.

I encourage you to check out Tony Klein's article "How did I get infected in the first place?"
and miekiemoes' article "How to prevent Malware:"

If you have any questions about these suggestions, I would be happy to answer them.

Regards,
shinybeast

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: Browser Hijack Virus

Unread postby frerom » January 13th, 2010, 4:08 pm

Hi Silentbeast,
I can not thank you enough for the help you provided me in the last month.
For the first time since I have started using computers (20 years) I feel like I have control over my computer. I always felt like I wasn't doing enough in regards to security and updating but it was difficult in deciding what to get. Why even today after cleaning my restore points I thought I was finished. I didn't realize there would be some more. The added info you provided made me realize I should keep all my programs updated. I started doing the additional updates and scans. I am confident I will be able to complete them.
I wish you success in your training and future endeavors.

Regards
Fred
ps You can consider this thread closed.
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby frerom » January 13th, 2010, 4:10 pm

Deleted
frerom
Regular Member
 
Posts: 141
Joined: December 23rd, 2009, 3:18 pm
Location: Ontario, Canada

Re: Browser Hijack Virus

Unread postby shinybeast » January 13th, 2010, 6:03 pm

Hi Fred,

It's been my pleasure assisting you.
Take care and stay safe! :)
User avatar
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 270 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware