Internet Explorer Hijacked! [CLOSED]

My internet explorer was hijacked and I need help to remove it. I did a scan with AVG anti-virus and ad ware scanner and I did not come up with any results. I also did a scan with Spybot but it did not come up with any results. I guess it is my fault since I download a codec without noticing that it came from out from a malicious site...

While scanning with Hijack, it came up with a message that Hijack cannot access the host file. Is it because Vista block it or the malware is causing it?

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:12:50 PM, on 2/20/2008Platform: Windows Vista  (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16609)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Veoh Networks\Veoh\VeohClient.exeC:\Windows\ehome\ehtray.exeC:\Windows\system32\taskeng.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\HyperEngines\Turf Battles\Bin\Sep.exeC:\Program Files\Internet Explorer\ieuser.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Users\splinter\Desktop\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://google.com/"]http://google.com/[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: MS Video Control 1.0 - {463F66BC-3B6F-4FDE-969C-94F594FECE07} - (no file)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [UltraSaver] C:\Program Files\G7PS\VersaJette UltraSaver\UltraSaver.exeO4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHideO4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO13 - Gopher Prefix: O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url="http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab"]http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab[/url]O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dllO22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dllO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exeO23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exeO23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe--End of file - 6138 bytes

Uninstall List

2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)2007 Microsoft Office Suite Service Pack 1 (SP1)7-Zip 4.57Adobe Acrobat 5.0Adobe Flash Player 9 ActiveXAdobe Flash Player ActiveXAdobe Reader 8.1.2Adobe Shockwave PlayerAOL Instant MessengerApple Software UpdateAQUAZONE OpenWater "CoralSea, BlueOcean, ArcticSea, &DeepSea"AVG 7.5AVG Anti-Spyware 7.5Belltech Business Cards Designer Pro 2.3Belltech Small Business Publisher 3.0Business Contact Manager for Outlook 2007 SP1Business Contact Manager for Outlook 2007 SP1BusinessCards Infinity and ProLabels 8.5CABAL OnlineCheat Engine 5.4DivX CodecDivX PlayerDivX Web PlayerFeistaFLV PlayerGoogle DesktopHigh Impact eMail 4.0ijji - Gunzijji Auto InstallerIntel® Graphics Media Accelerator DriverJava(tm) 6 Update 2Java(tm) 6 Update 3KONICA MINOLTA magicolor 2530DLLabel Factory Deluxe 3.0LimeWire 4.14.10MapleStoryMicrosoft .NET Framework 1.1Microsoft .NET Framework 1.1Microsoft .NET Framework 1.1 Hotfix (KB929729)Microsoft Office 2003 Web ComponentsMicrosoft Office 2007 Primary Interop AssembliesMicrosoft Office Access MUI (English) 2007Microsoft Office Access Setup Metadata MUI (English) 2007Microsoft Office Accounting 2007Microsoft Office Accounting 2007Microsoft Office Accounting ADP Payroll AddinMicrosoft Office Accounting Equifax AddinMicrosoft Office Accounting Fixed Asset ManagerMicrosoft Office Accounting PayPal AddinMicrosoft Office Excel MUI (English) 2007Microsoft Office Groove MUI (English) 2007Microsoft Office Groove Setup Metadata MUI (English) 2007Microsoft Office InfoPath MUI (English) 2007Microsoft Office OneNote MUI (English) 2007Microsoft Office Outlook MUI (English) 2007Microsoft Office PowerPoint MUI (English) 2007Microsoft Office Proof (English) 2007Microsoft Office Proof (French) 2007Microsoft Office Proof (Spanish) 2007Microsoft Office Proofing (English) 2007Microsoft Office Publisher MUI (English) 2007Microsoft Office Shared MUI (English) 2007Microsoft Office Shared Setup Metadata MUI (English) 2007Microsoft Office Small Business Connectivity ComponentsMicrosoft Office Ultimate 2007Microsoft Office Ultimate 2007Microsoft Office Word MUI (English) 2007Microsoft SQL Server 2005Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)Microsoft SQL Server Native ClientMicrosoft SQL Server Setup Support Files (English)Microsoft SQL Server VSS WriterMicrosoft Web Publishing Wizard 1.52MSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 (KB941833)MSXML 4.0 SP2 Parser and SDKMyDeluxeInvoices & Estimates 5.5.0.0MyLogo Maker 1.0MyProfessionalBusinessCardsMySoftware FontsNETGEAR WN511T Wireless PC CardNewsflashOutspark LauncherPhotoImpact ProQuickBooks Pro 2007QuickTimeSpybot - Search & DestroySpyHunterSteamTurf BattlesUpdate for Outlook 2007 Junk Email Filter (kb944965)USB Mass Storage ToolboxVeohTV BETAViewpoint Media PlayerVista Codec PackageWeb Easy Professional 7Winamp (remove only)WinRAR archiverWriteExpress Easy LettersEasy Letters

I also did a scan with FixIEdef and it also did not remove the problem that I am having.

*********************************************************************************                                                                              **                                 FixIEDef Log                                 **                              Version 1.2.8.2261                              **                                                                              *********************************************************************************Created at 12:21:10 on Sunday, February 17, 2008Time Zone         : (GMT-08:00) Pacific Time (US & Canada)Operating System  : Microsoft® Windows Vista™ Ultimate Service Pack Level: System Langauge   : EnglishProcessor         : X86Boot State        : Normal boot--------------------------------------------------------------------------------!!! Files that have been deleted !!!C:\Windows\AcroIEHelper.dll--------------------------------------------------------------------------------!!! Directories that have been removed !!!No malicious directories to be removed--------------------------------------------------------------------------------!!! Registry entries that have been removed !!!HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DateTime================================================================================All Done <img src='http://www.geekstogo.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />ShadowPuterDudeSafe Surfing!!!

It also keep showing this dialog. I already know this is already a fake so I clicked no, I tried to click yes to see what it will come up with but it came up with a download.


Click OK to download the antispyware program to clean your system! (Recommended) _linenums:0'>System Error!Your compter was infcted by unknown trojan. It's dangerous for your system (critical files can be lost)!Click OK to download the antispyware program to clean your system! (Recommended)

While waiting for someone to respond, I am constantly looking for a solution on google but it really difficult because of the malicious malware. I am also downloading new anti malware programs to find the cause of this and get rid of this infuriating malware.

I have scanned w ith Spyhunter 3 (A free version which required me to buy the software to remove the infected objects.) and found 2 infected files. The scanner does not come with a log so I have to type it myself.

Name/Type/Location (I cannot find the HKML in regedit)
Launcher/Registry Key/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher
Launcher/Registry Value/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher\Displayname
Launcher/Registry Value/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher\UninstallString
igfxcui/Registry Key/ HKML\SOFTWARE\MICROSOFT\WINDOWs NT\CURRENT VERSION\WINLOGON\NOTIFY\igfxcui

#
# For example _linenums:0'># This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a '#' symbol.## For example:##      102.54.94.97     rhino.acme.com          # source server#       38.25.63.10     x.acme.com              # x client host127.0.0.1       localhost::1             localhost# Start of entries inserted by Spybot - Search & Destroy

Edited by collrest, 20 February 2008 - 11:20 PM.

Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Windows Defender -> MSASCui.exe
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {463F66BC-3B6F-4FDE-969C-94F594FECE07} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [MS Video Control 1.0]
[Files/Folders - Created Within 30 days]
YY -> tmp.bat -> %SystemDrive%\tmp.bat
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ComboFix.exe:Zone.Identifier
YY -> FixIEDef.exe -> %UserProfile%\Desktop\FixIEDef.exe
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\FixIEDef.exe:Zone.Identifier
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HiJackThis.exe:Zone.Identifier
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\WoKFSetup.exe:Zone.Identifier
[Files/Folders - Modified Within 30 days]
YY -> tmp.bat -> %SystemDrive%\tmp.bat
YY -> G5169-tmpui.exe -> C:\Users\splinter\AppData\Local\Temp\G5169-tmpui.exe
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
YY -> 1 C:\Users\splinter\AppData\Local\Temp\nsc90FA.tmp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\nsc90FA.tmp\*.tmp
YY -> 1 C:\Users\splinter\AppData\Local\Temp\nsu3A72.tmp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\nsu3A72.tmp\*.tmp
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Don't attach the DSS reports please

Edited by Rorschach112, 22 February 2008 - 05:37 AM.

#1
collrest

Posted 17 February 2008 - 02:14 PM

Advertisements

#2
Rorschach112

Posted 21 February 2008 - 06:59 AM

#3
collrest

Posted 21 February 2008 - 08:53 PM

#4
Rorschach112

Posted 22 February 2008 - 05:37 AM

#5
Rorschach112

Posted 26 February 2008 - 06:46 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us