Press F1 forum, thread 98169: [HijackThis] Getting rid of adware
Started 2009-03-14 07:02:00 by Wardog (6821)
Post 756256 | 2009-03-14 07:02:00 | Wardog (6821)

I have this adware that redirects me to this site after I search for some things on Google. I downloaded HJT; could someone please look over it and assist with the removal of this shizzle? It redirects me to: http://67.29.139.253/

```text
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:24 p.m., on 14/03/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Marvell\61xx\tray\zRaidTray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Joshua\Downloads\Programs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O4 - Startup: MarvellTrayStartup.lnk = C:\Program Files\Marvell\61xx\tray\RaidTray.bat
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 5978 bytes
```
Post 756257 | 2009-03-14 07:09:00 | wainuitech (129)

These can go:

```text
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
```

Here is where they are redirecting you to: 85.255.115.2

```text
org-name: UkrTeleGroup Ltd.
address:  UkrTeleGroup Ltd.
address:  Mechnikova 58/5 65029 Odessa
```

From my sig, download Malwarebytes and Spyware Terminator; install, run, and remove any infections they find. Make sure you select FULL SCAN on both; a quick scan won't catch everything.
Post 756258 | 2009-03-14 07:10:00 | Blam (54)

Tick and click Fix checked:

```text
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O13 - Gopher Prefix:
```

There may also be a few unneeded startup entries that can be removed; the above are the nasty/obvious ones.

Blam
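The two replies above pick the same things out of the log by eye: O17 NameServer values pointing at resolvers the machine has no business using, and O2/O9 hooks whose target is "(no file)". The script below is an added example (not code from the thread or from HijackThis) that does that triage automatically over an HJT v2 log. SAMPLE_LOG is a constructed excerpt of the log posted in this thread; TRUSTED_RESOLVERS is a placeholder you would replace with the resolvers your ISP or router actually hands out. The 85.255.112.0/20 range is the rogue-resolver block the FBI published for the DNSChanger family; both addresses in the posted log sit inside it.

```python
"""Triage a Trend Micro HijackThis v2 log for rogue DNS resolvers (O17) and
orphaned Internet Explorer hooks (O2 BHO / O9 buttons with no backing file).

Added example for this thread, not part of the original posts.
SAMPLE_LOG is a constructed excerpt of the log posted above.
"""
import ipaddress
import re

# Assumption: placeholder. Put the resolvers you expect on this machine here.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Rogue resolver block from the FBI's DNSChanger advisory; the two addresses in
# the posted log (85.255.115.2, 85.255.112.6) fall inside it.
KNOWN_ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

_CLSID = r"\{[0-9A-Fa-f-]{36}\}"
_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + _CLSID + r") - (?P<target>.+)$")
_O9 = re.compile(r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.+?) - "
                 r"(?P<clsid>" + _CLSID + r") - (?P<target>.+)$")
_O1 = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)$")


def classify_resolver(addr_text):
    """Return a reason string if a NameServer value is suspect, else None."""
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return "unparseable resolver address"
    if any(addr in net for net in KNOWN_ROGUE_NETS):
        return "resolver in known rogue DNS range"
    if addr in TRUSTED_RESOLVERS or addr.is_private or addr.is_loopback:
        return None
    return "public resolver not in TRUSTED_RESOLVERS"


def triage(log_text):
    """Walk the log once; return a list of {section, reason, line} findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _O17.match(line):
            # One O17 line can carry several comma-separated resolvers.
            reasons = []
            for server in m.group("servers").split(","):
                reason = classify_resolver(server)
                if reason:
                    reasons.append(f"{server.strip()}: {reason}")
            if reasons:
                findings.append({"section": "O17", "reason": "; ".join(reasons), "line": line})
        elif m := _O2.match(line):
            if m.group("target") == "(no file)":
                findings.append({"section": "O2",
                                 "reason": f"BHO {m.group('clsid')} registered with no backing file",
                                 "line": line})
        elif m := _O9.match(line):
            if m.group("target") == "(no file)":
                findings.append({"section": "O9",
                                 "reason": f"IE {m.group('kind')} {m.group('clsid')} has no backing file",
                                 "line": line})
        elif m := _O1.match(line):
            # A hosts-file override for anything but localhost deserves a look.
            if m.group("host").lower() != "localhost":
                findings.append({"section": "O1",
                                 "reason": f"hosts override {m.group('host')} -> {m.group('addr')}",
                                 "line": line})
    return findings


def fix_list(findings):
    """Deduplicated log lines to tick before pressing 'Fix checked', in log order."""
    lines = []
    for f in findings:
        if f["line"] not in lines:
            lines.append(f["line"])
    return lines


# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Ticking the O17 lines in HijackThis only deletes the NameServer values under CurrentControlSet, ControlSet1 and the per-interface key; whatever wrote them is still on disk, which is why both replies send the poster on to a full scan afterwards. The O1 check is broader than anything in this thread (the posted log only has the benign `::1 localhost` entry) and is there because a hosts-file override is the other common way a search redirect is planted.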
Post 756259 | 2009-03-14 07:19:00 | Wardog (6821)

Wainuitech, MalwareBytes is down. Downloading Spyware Terminator.
Post 756260 | 2009-03-14 07:26:00 | Blam (54)

It's not, just tried. Probably just the virus redirecting it. Try this: <--DIRECT LINK--> (download.cnet.com)
Post 756261 | 2009-03-14 07:35:00 | wainuitech (129)

Could be infections. If Blam's link doesn't work (just tried it and it still needs to load a page), try this one, it is direct (dw.com.com e%2f11004434%2f10804572%2f3%2fmbam-setup.exe%3flop%3dlink%26ptype%3d1901%26ontid%3d80 22%26siteId%3d4%26edId%3d3%26spi%3d827ab4adf868d88 42d6b588abce494b4%26pid%3d11004434%26psid%3d108045 72)
Post 756262 | 2009-03-14 08:23:00 | Wardog (6821)

I've downloaded OneCare, Spyware Terminator and MalwareBytes. OneCare has deleted some stuff, but I think there might be more on here. This is really p'ing me off; I just reformatted a few weeks back, the old installation was filled with crap, and now this one has been infected with AIDS. :\
Post 756263 | 2009-03-14 08:30:00 | Blam (54)

Do a full scan with all those programs. OneCare sucks; remove it.

Disable System Restore first: right-click My Computer > Properties > System Restore tab > tick "Disable System Restore on all drives".
Post 756264 | 2009-03-14 08:39:00 | Wardog (6821)

!!!!!!!!!! Can't even go on live.com or Google now! FFFFFFFFFFFFFF this is total bs. Can someone get me a link to Spybot please? NVM, I have it, it won't install. I'm trying to upload a screenshot but no sites will work. :D
Post 756265 | 2009-03-14 10:15:00 | wainuitech (129)

Restart the PC in Safe Mode; Spybot should run like that. You can also try running ComboFix (www.bleepingcomputer.com), but a WARNING: make sure System Restore IS enabled. On the odd occasion ComboFix will make the PC unbootable if the infections are deep in the system files; most of the time it works fine. Direct download: (download.bleepingcomputer.com). If you run it, let it do its work and don't stop it once it starts; it may look like it's not doing anything sometimes, but it is.