Internet Explorer Hijacked! [CLOSED]



#1
collrest
Member, 93 posts
My Internet Explorer was hijacked and I need help to remove it. I did a scan with AVG anti-virus and adware scanner and it did not come up with any results. I also did a scan with Spybot but it did not come up with any results. I guess it is my fault since I downloaded a codec without noticing that it came from a malicious site...

While scanning with HijackThis, it came up with a message that HijackThis cannot access the hosts file. Is it because Vista blocks it or because the malware is causing it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:50 PM, on 2/20/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HyperEngines\Turf Battles\Bin\Sep.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\splinter\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MS Video Control 1.0 - {463F66BC-3B6F-4FDE-969C-94F594FECE07} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UltraSaver] C:\Program Files\G7PS\VersaJette UltraSaver\UltraSaver.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6138 bytes
Uninstall List
I also did a scan with FixIEdef and it also did not remove the problem that I am having.

********************************************************************************
*                                                                              *
*                                 FixIEDef Log                                 *
*                              Version 1.2.8.2261                              *
*                                                                              *
********************************************************************************
Created at 12:21:10 on Sunday, February 17, 2008
Time Zone         : (GMT-08:00) Pacific Time (US & Canada)
Operating System  : Microsoft® Windows Vista™ Ultimate 
Service Pack Level: 
System Langauge   : English
Processor         : X86
Boot State        : Normal boot
--------------------------------------------------------------------------------
!!! Files that have been deleted !!!
C:\Windows\AcroIEHelper.dll
--------------------------------------------------------------------------------
!!! Directories that have been removed !!!
No malicious directories to be removed
--------------------------------------------------------------------------------
!!! Registry entries that have been removed !!!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DateTime
================================================================================
All Done :)
ShadowPuterDude
Safe Surfing!!!

It also keeps showing this dialog. I already know this is a fake, so I clicked No; I tried clicking Yes to see what it would come up with, but it came up with a download.

System Error!
Your compter was infcted by unknown trojan. It's dangerous for your system (critical files can be lost)!
Click OK to download the antispyware program to clean your system! (Recommended)

While waiting for someone to respond, I am constantly looking for a solution on Google, but it is really difficult because of the malware. I am also downloading new anti-malware programs to find the cause of this and get rid of this infuriating malware.

I have scanned with SpyHunter 3 (a free version which required me to buy the software to remove the infected objects) and found 2 infected files. The scanner does not come with a log, so I have to type it myself.

Name/Type/Location (I cannot find the HKML in regedit)
Launcher/Registry Key/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher
Launcher/Registry Value/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher\Displayname
Launcher/Registry Value/ HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Launcher\UninstallString
igfxcui/Registry Key/ HKML\SOFTWARE\MICROSOFT\WINDOWs NT\CURRENT VERSION\WINLOGON\NOTIFY\igfxcui

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy

Edited by collrest, 20 February 2008 - 11:20 PM.




#2
Rorschach112
Retired Staff, 47,710 posts
Hello

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Under Rootkit Search change that to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply.

#3
collrest
Topic Starter, Member, 93 posts
Thank you for your reply.

I am really sorry, the attachment failed since the file was 844 kilobytes. I uploaded the file to FileFront since you do not need to wait in any lines XD.

http://files.filefro...;/fileinfo.html

#4
Rorschach112
Retired Staff, 47,710 posts
Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Windows Defender -> MSASCui.exe
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {463F66BC-3B6F-4FDE-969C-94F594FECE07} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [MS Video Control 1.0]
[Files/Folders - Created Within 30 days]
YY -> tmp.bat -> %SystemDrive%\tmp.bat
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ComboFix.exe:Zone.Identifier
YY -> FixIEDef.exe -> %UserProfile%\Desktop\FixIEDef.exe
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\FixIEDef.exe:Zone.Identifier
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HiJackThis.exe:Zone.Identifier
YY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\WoKFSetup.exe:Zone.Identifier
[Files/Folders - Modified Within 30 days]
YY -> tmp.bat -> %SystemDrive%\tmp.bat
YY -> G5169-tmpui.exe -> C:\Users\splinter\AppData\Local\Temp\G5169-tmpui.exe
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
YY -> 1 C:\Users\splinter\AppData\Local\Temp\nsc90FA.tmp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\nsc90FA.tmp\*.tmp
YY -> 1 C:\Users\splinter\AppData\Local\Temp\nsu3A72.tmp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\nsu3A72.tmp\*.tmp
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
YY -> 126 C:\Users\splinter\AppData\Local\Temp\*.tmp files -> C:\Users\splinter\AppData\Local\Temp\*.tmp
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Don't attach the DSS reports, please.

Edited by Rorschach112, 22 February 2008 - 05:37 AM.

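Several lines in the fix list above read "@Alternate Data Stream - 26 bytes -> ...exe:Zone.Identifier". That stream is the NTFS mark-of-the-web that Internet Explorer attaches to a file saved from the browser, and 26 bytes is exactly the size of its usual content, "[ZoneTransfer]\r\nZoneId=3\r\n" (zone 3 is the Internet zone), so those entries record that ComboFix, FixIEDef, HijackThis and WoKFSetup were downloaded, not that they are malicious. The Python below is an added example, not WinPFind's or the thread's code: it parses such a stream, reports the zone, and on Windows reads the stream through the "file:Zone.Identifier" path syntax that NTFS exposes; the sample stream contents are constructed.

```python
"""Decode the Zone.Identifier alternate data stream (mark-of-the-web).

Added example, not from the thread or from WinPFind.  Parses the small INI
fragment that Internet Explorer writes into the 'Zone.Identifier' stream of a
downloaded file and, on Windows/NTFS, reads that stream from disk.  The sample
stream contents below are constructed.
"""
import configparser

# URLMON security zone ids and their names.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed: the stream IE typically writes for a file saved from the web.
# Its length is the 26 bytes WinPFind reported for the downloaded tools.
STANDARD_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(data):
    """Return a dict with zone_id, zone_name, referrer and host_url, or None.

    None means the bytes are not a [ZoneTransfer] section with a numeric ZoneId.
    """
    text = data.decode("utf-8", "replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        zone = cp.getint("ZoneTransfer", "ZoneId")
    except ValueError:
        return None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        # Newer Windows versions also record where the file came from.
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def is_marked_from_internet(data):
    """True when the stream says the file came from the Internet or Restricted zone."""
    info = parse_zone_identifier(data)
    return info is not None and info["zone_id"] >= 3


def read_zone_identifier(path):
    """Read a file's Zone.Identifier stream on NTFS (Windows only).

    NTFS exposes alternate streams through 'file:stream' path syntax.  A file
    with no stream (never downloaded, or the mark was removed) yields None.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(len(STANDARD_STREAM), "bytes:", parse_zone_identifier(STANDARD_STREAM))
```

Seeing the mark on a helper tool is expected; what matters for triage is the opposite case, a binary that appeared on the machine without a mark and without an installer to explain it. Removing the stream (as the WinPFind fix does for those desktop files) only clears the download warning; it does not change the file itself.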

#5
Rorschach112
Retired Staff, 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





