Large amount of hijacked domains in HijackThis - Google is in Dutch



#1
madmaven

    Member, 24 posts
I am running XP and had some stuff like my web search, backdoor bot etc. Here is the MBAM log:


SUPERAntiSpyware only found 2 cookies; ran cookie cleaner.
All seemed good until my Google opens up and redirects to google.nl.
So I ran HijackThis and it told me the system denied access to the hosts file.
Large amount of hijacked domains. Maybe I should consider deleting the hosts file, so I am now lost. Here is HijackThis.
Could not attach, so here it is longhand.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:49 PM, on 11/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ncr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 93.174.89.9 google.ae
O1 - Hosts: 93.174.89.9 google.as
O1 - Hosts: 93.174.89.9 google.at
O1 - Hosts: 93.174.89.9 google.az
O1 - Hosts: 93.174.89.9 google.ba
O1 - Hosts: 93.174.89.9 google.be
O1 - Hosts: 93.174.89.9 google.bg
O1 - Hosts: 93.174.89.9 google.bs
O1 - Hosts: 93.174.89.9 google.ca
O1 - Hosts: 93.174.89.9 google.cd
O1 - Hosts: 93.174.89.9 google.com.gh
O1 - Hosts: 93.174.89.9 google.com.hk
O1 - Hosts: 93.174.89.9 google.com.jm
O1 - Hosts: 93.174.89.9 google.com.mx
O1 - Hosts: 93.174.89.9 google.com.my
O1 - Hosts: 93.174.89.9 google.com.na
O1 - Hosts: 93.174.89.9 google.com.nf
O1 - Hosts: 93.174.89.9 google.com.ng
O1 - Hosts: 93.174.89.9 google.ch
O1 - Hosts: 93.174.89.9 google.com.np
O1 - Hosts: 93.174.89.9 google.com.pr
O1 - Hosts: 93.174.89.9 google.com.qa
O1 - Hosts: 93.174.89.9 google.com.sg
O1 - Hosts: 93.174.89.9 google.com.tj
O1 - Hosts: 93.174.89.9 google.com.tw
O1 - Hosts: 93.174.89.9 google.dj
O1 - Hosts: 93.174.89.9 google.de
O1 - Hosts: 93.174.89.9 google.dk
O1 - Hosts: 93.174.89.9 google.dm
O1 - Hosts: 93.174.89.9 google.ee
O1 - Hosts: 93.174.89.9 google.fi
O1 - Hosts: 93.174.89.9 google.fm
O1 - Hosts: 93.174.89.9 google.fr
O1 - Hosts: 93.174.89.9 google.ge
O1 - Hosts: 93.174.89.9 google.gg
O1 - Hosts: 93.174.89.9 google.gm
O1 - Hosts: 93.174.89.9 google.gr
O1 - Hosts: 93.174.89.9 google.ht
O1 - Hosts: 93.174.89.9 google.ie
O1 - Hosts: 93.174.89.9 google.im
O1 - Hosts: 93.174.89.9 google.in
O1 - Hosts: 93.174.89.9 google.it
O1 - Hosts: 93.174.89.9 google.ki
O1 - Hosts: 93.174.89.9 google.la
O1 - Hosts: 93.174.89.9 google.li
O1 - Hosts: 93.174.89.9 google.lv
O1 - Hosts: 93.174.89.9 google.ma
O1 - Hosts: 93.174.89.9 google.ms
O1 - Hosts: 93.174.89.9 google.mu
O1 - Hosts: 93.174.89.9 google.mw
O1 - Hosts: 93.174.89.9 google.nl
O1 - Hosts: 93.174.89.9 google.no
O1 - Hosts: 93.174.89.9 google.nr
O1 - Hosts: 93.174.89.9 google.nu
O1 - Hosts: 93.174.89.9 google.pl
O1 - Hosts: 93.174.89.9 google.pn
O1 - Hosts: 93.174.89.9 google.pt
O1 - Hosts: 93.174.89.9 google.ro
O1 - Hosts: 93.174.89.9 google.ru
O1 - Hosts: 93.174.89.9 google.rw
O1 - Hosts: 93.174.89.9 google.sc
O1 - Hosts: 93.174.89.9 google.se
O1 - Hosts: 93.174.89.9 google.sh
O1 - Hosts: 93.174.89.9 google.si
O1 - Hosts: 93.174.89.9 google.sm
O1 - Hosts: 93.174.89.9 google.sn
O1 - Hosts: 93.174.89.9 google.st
O1 - Hosts: 93.174.89.9 google.tl
O1 - Hosts: 93.174.89.9 google.tm
O1 - Hosts: 93.174.89.9 google.tt
O1 - Hosts: 93.174.89.9 google.us
O1 - Hosts: 93.174.89.9 google.vu
O1 - Hosts: 93.174.89.9 google.ws
O1 - Hosts: 93.174.89.9 google.co.ck
O1 - Hosts: 93.174.89.9 google.co.id
O1 - Hosts: 93.174.89.9 google.co.il
O1 - Hosts: 93.174.89.9 google.co.in
O1 - Hosts: 93.174.89.9 google.co.jp
O1 - Hosts: 93.174.89.9 google.co.kr
O1 - Hosts: 93.174.89.9 google.co.ls
O1 - Hosts: 93.174.89.9 google.co.ma
O1 - Hosts: 93.174.89.9 google.co.nz
O1 - Hosts: 93.174.89.9 google.co.tz
O1 - Hosts: 93.174.89.9 google.co.ug
O1 - Hosts: 93.174.89.9 google.co.uk
O1 - Hosts: 93.174.89.9 google.co.za
O1 - Hosts: 93.174.89.9 google.co.zm
O1 - Hosts: 93.174.89.9 google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: QuickLink Mobile.lnk = C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FB8DE1A-E991-40E5-83CA-5172084B2073} (CISdownsampler Object) - http://service.eshar...downsampler.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D2A7BB5-97D6-4731-8528-5281C42BD214}: NameServer = 69.78.96.14 66.174.95.44
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D2A7BB5-97D6-4731-8528-5281C42BD214}: NameServer = 69.78.96.14 66.174.95.44
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9839 bytes



I hope you can help. It is beyond my realm.
Thanks in advance.
Leslie aka Madmaven

#2
RKinner

    Malware Expert, MVP, 23,156 posts
If you have it running, first disable Spybot's TeaTimer per the instructions here:

http://forum.aumha.o...1dbb93292201b1d


Run HijackThis and select Misc Tools, then Open Hosts File Manager, then Open in Notepad. Find the two (good) lines that say
127.0.0.1 localhost
::1 localhost
and delete everything underneath. (Lines that start with # are comments and can be ignored.) Close and Save.

That should take care of the hosts file entries you see in HJT.

If the Quick MBAM scan finds something I think it's worth the hour or two that it will take to do the full scan.

Once you do that (have it delete whatever it finds) then do the following:

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

1.Contents of C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

2. Contents of C:\Combofix.txt;


Ron
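The hosts-file cleanup Ron describes above, as an added example that is not part of the thread and not code posted by either participant: a short Python script that parses a hosts file, flags every mapping that is not the stock loopback line, groups the hijack entries by destination address (the O1 lines in post #1 show two, 74.125.45.100 and 93.174.89.9) and rebuilds the file with only the comments and localhost lines, which is the same edit done by hand in HijackThis. The sample text is constructed from a stock Windows header plus a few O1 lines copied from the log; the `hosts_path` helper reads the TCP/IP `DataBasePath` registry value, which is where Windows actually looks for the file (normally %SystemRoot%\System32\drivers\etc), so it also covers the case where that path itself has been repointed. The function names and the loopback whitelist are this example's own assumptions.

```python
"""Audit and clean a Windows hosts file of the kind shown in the HijackThis
O1 lines above.  Added example for the thread, not code posted in it.  The
sample text, the whitelist and the grouping heuristic are constructed
assumptions for illustration."""
import ipaddress
import os
from collections import defaultdict

# The only mappings a stock Windows hosts file needs.  Every other line
# overrides DNS for that name, which is how the google.nl redirect works.
LOOPBACK_LINES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a stock header plus a handful of the O1 entries
# copied from the HijackThis log in post #1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
93.174.89.9 google.com
93.174.89.9 google.nl
93.174.89.9 google.co.uk
"""


def hosts_path():
    """Locate the live hosts file.  On Windows the directory comes from the
    TCP/IP DataBasePath registry value (which malware can also repoint), so
    read that rather than hard-coding the usual
    %SystemRoot%\\System32\\drivers\\etc.  Elsewhere fall back to /etc/hosts."""
    try:
        import winreg
    except ImportError:
        return "/etc/hosts"
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    database_path, _ = winreg.QueryValueEx(key, "DataBasePath")
    return os.path.join(os.path.expandvars(database_path), "hosts")


def parse_hosts(text):
    """Return (ip, hostname) pairs for every mapping in the file.  Comments
    and blank lines are skipped; one line may map several names to one IP."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                             # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_entries(entries):
    """Anything that is not a stock loopback mapping."""
    return [e for e in entries if e not in LOOPBACK_LINES]


def group_by_target(entries):
    """Cluster the suspicious lines by destination address.  One address
    receiving dozens of google.* country domains is the signature of a
    hosts-file redirector, and these IPs are what you would block or report."""
    groups = defaultdict(list)
    for ip, host in suspicious_entries(entries):
        groups[ip].append(host)
    return dict(groups)


def clean_hosts(text):
    """Rebuild the file keeping comments and the loopback lines only, which
    is the manual edit described in the reply above."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)                     # comment or blank: keep as-is
            continue
        parts = line.split()
        if len(parts) == 2 and (parts[0], parts[1].lower()) in LOOPBACK_LINES:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, hosts in group_by_target(entries).items():
        print(f"{ip}: {len(hosts)} hijacked name(s), e.g. {hosts[0]}")
    print(clean_hosts(SAMPLE_HOSTS))
```

To apply it to a real machine, read `hosts_path()` instead of `SAMPLE_HOSTS` and write `clean_hosts()` back only after TeaTimer is disabled as the reply says and the file's read-only/hidden attributes are cleared (`attrib -r -h -s` on the file), otherwise the save is blocked just as HijackThis reported.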

#3
madmaven

    Member, Topic Starter, 24 posts
Hi and thanks.
First, there was only 1 good line, 127.0.0.1, and I deleted the rest,
and when I tried to save it said the path was invalid: C:\WINDOWS|system32\etc\hosts.
When I hit OK it came up with the save window with the name etc., so I hit save
and closed it.
I ran the MBAM complete scan and had to copy, paste and transfer to this computer because the sick one has
its own version of internet. MBAM found nothing this time.




I tried to transfer the ComboFix log also to this computer.
Couldn't find it, and the Netherlands Google was popping up, so I had to cut my losses and saved to disk
and am formatting as soon as I send this.
I really appreciate your help and wish I had time to follow through and
work on it longer, but the constraints of time force me to switch direction.
I will post XP Home with COA and protect and send it on its way.
It is a senior couple's computer, very nice. Their grandson was on Dancing with the Stars.
Vito last name I think, Louie is first, a skateboarder I think????
They went to look at the blonde from Poland who just got eliminated and found a nude photo.
They thought that was the file that the infection came from.
Well, thanks again. I do appreciate your time in addressing this problem. I just can't concentrate enough to overcome all the obstacles to fix it right now....... that's long for "it's tough, I'm old!" Thanks again!!!!
Madmaven Leslieo