Press F1
Thread ID: 98359 | 2009-03-22 01:56:00 | malware? | nerd (109)
Post 758410 | 2009-03-22 01:56:00 | nerd (109)

I think I have malware or spyware because every time I search something in Google and I click on a link it redirects me to some love calculator crush thing. It's really annoying. When I go back and click on it again it's fine though. It's only in IE as well, that's another thing I've realised: it doesn't happen on Firefox. Thanks. Also I'll post a HJT log as well cuz it seems relevant, lol.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:21 p.m., on 22/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iconize\Iconize.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\swikar rules\My Documents\Installations\ProcessExplorer\procexp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer: brought to you by Swikar
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Iconize.lnk = C:\Program Files\Iconize\Iconize.exe
O4 - Startup: Porcess Explorer.lnk = C:\Documents and Settings\swikar rules\My Documents\Installations\ProcessExplorer\procexp.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - support.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - www.kaspersky.com
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - www.bebo.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - housecall65.trendmicro.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - download.bitdefender.com
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - www.crucial.com
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - update.videoegg.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8364 bytes
Post 758411 | 2009-03-22 02:19:00 | Speedy Gonzales (78)

Looks OK to me, but you can tick these then tick Fix checked. Close browsers. Get IEPro and install it, if you haven't installed it yet.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: Porcess Explorer.lnk = C:\Documents and Settings\swikar rules\My Documents\Installations\ProcessExplorer\procexp.exe

You probably don't see it if Flashblock/Adblock is installed for FF.
Post 758412 | 2009-03-22 02:24:00 | Blam (54)

Download MBAM from this direct link: majorgeeks.com. Do it in Firefox, then update and run a full scan. Your browser's hijacked, but your HijackThis log seems clean to me.

Blam
Post 758413 | 2009-03-22 02:47:00 | wainuitech (129)

As Blam posted - get Malwarebytes - this thing is riddled with an infection.

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - update.videoegg.com

Make sure you run it in FULL mode - it should locate MANY locations of VideoEgg. Remove everything it finds. Also from my sig get Spyware Terminator - install, update and run in FULL scan mode. Change the following settings as well - open the program - Settings (top right) - then on the left - Scan Settings, put ticks in the two unticked boxes. Run FULL scan. Also get Spybot S&D - install and run. Remove any infections the 3 programs find. Make sure you disable System Restore before scanning.
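The replies above pick individual entries out of the HijackThis log by type (the O4 autostarts, the O16 VideoEgg ActiveX control). As an added example, not code from the thread or from HijackThis, here is a small parser that groups a v2.0.2 log into its entry types and lists the ones a reviewer would look at first for an IE redirect complaint; the sample log lines are a constructed subset copied from the log posted above, and the list of "review" types is the editor's own prioritisation, not a HijackThis classification.

```python
import re
from collections import defaultdict

# A HijackThis entry is "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
# Entry types that matter most for an IE redirect complaint (editor's ranking, not HJT's).
REVIEW_TYPES = {
    "R0": "IE start page",
    "R1": "IE search/default URL",
    "O2": "Browser Helper Object",
    "O4": "autostart (Run key / Startup folder)",
    "O16": "downloaded ActiveX control (DPF)",
}

def parse_hjt(text):
    """Group log lines by entry type; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("type")].append(m.group("body"))
    return dict(entries)

def dpf_host(body):
    """Host an O16 (DPF) control was downloaded from: the text after the last ' - '."""
    return body.rsplit(" - ", 1)[-1].strip()

def flag_entries(entries, known_good_hosts=()):
    """Return (type, label, body) for entries worth review; trusted O16 hosts are skipped."""
    flagged = []
    for etype, label in REVIEW_TYPES.items():
        for body in entries.get(etype, []):
            if etype == "O16" and dpf_host(body) in known_good_hosts:
                continue
            flagged.append((etype, label, body))
    return flagged

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.nz/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\\Program Files\\Orbitdownloader\\orbitcth.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - update.videoegg.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - housecall65.trendmicro.com
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""
if __name__ == "__main__":
    for etype, label, body in flag_entries(parse_hjt(SAMPLE_LOG), {"housecall65.trendmicro.com"}):
        print(f"[{etype}] {label}: {body}")
```

With the Trend Micro scanner host treated as known-good, the run lists the start page, the Orbit BHO, the QuickTime autostart and the VideoEgg control, and leaves the O23 avast! service out because no service type is in the review list.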
Post 758414 | 2009-03-22 02:57:00 | Blam (54)

Run CCleaner too - and delete ALL temporary files.
Post 758415 | 2009-03-22 05:37:00 | nerd (109)

Why do you turn off System Restore? Also Blam, that link was dead but I googled it tho... lol
Post 758416 | 2009-03-22 06:05:00 | wainuitech (129)

You turn off restore because some infections are hiding in there - when you reboot after doing a clean up, they reinfect and you are right back where you started. If you have problems download Malwarebytes - get it from my sig - that is working fine. Or if infections are stopping you - Direct Download Link (dw.com.com)
Post 758417 | 2009-03-22 07:23:00 | nerd (109)

I got it okay, it just takes so long to run the scan though. Also I figured out what site they take me to now: it's www.abcjmp.com (don't click it), but instead of PC World NZ it has what I searched in Google. Spybot also comes up and says that it is a malicious site.
Post 758418 | 2009-03-22 21:36:00 | Speedy Gonzales (78)

If you go to Start / Run and type regedit, does it open?? And if you go to All Programs / Accessories, then run Command Prompt, does it open??? I came across something about 3 weeks ago (while I was checking out someone's PC using TeamViewer). Something had hijacked his system (he had backdoor.trojan.small.xx or something). Regedit and the command prompt crashed explorer.exe (you'll know because both of them crash: they won't open, and you'll see the icons on the desktop disappear / reappear). I noticed it in FF and IE. I was testing the Xtra site (he's with Xtra), and saw the site redirected to another site. He tried everything to remove it, but nothing worked. There were only 2 options left, use Combofix or reformat. He decided to reformat.
Post 758419 | 2009-03-23 04:30:00 | nerd (109)

They both open when I tried it just then. The ads have stopped coming up and wainuitech - you were right, most of them were VideoEgg. I also noticed another thing just recently, I don't know if it's related, but sometimes the view of the screen, e.g. the taskbar, start menu and the menu bar... etc., goes to the Windows 98/95 thing for a while, then it goes back. Another thing is that when I turned on Sysinternals Process Explorer I noticed that there are about 10 svchost.exe files opened in the background and whenever I kill one of them another one comes up. I was wanting to run an online scanner, what would you recommend?

Edit: lol, spoke too soon. As soon as I posted this, an IE window popped up and it was another one of those ad things.