Browser hijack

Tech-Forums Discussion

Posted by: kb-resq

My computer has been infected by an IE hijacker of some type. I can't get rid of Home Search Assistant, Search Extender, and Shopping Wizard. When I open IE, my homepage is always reset to "about:blank" and I always get pop-ups from "Only the Best". Also, IE frequently generates an error and shuts down.

I ran Ad-Aware and it didn't get rid of the problem. I have also run Spybot, updated my Norton antivirus definitions and ran a full system scan, and it didn't pick anything up. I've rebooted to safe mode and then deleted the contents of all temp folders, and cleaned out the recycle bin. Then I re-ran Ad-Aware, Spybot, and the antivirus scan while still in safe mode. I then rebooted and ran the free on-line scan from BitDefender. Here is what it couldn't clean:

E:\WINDOWS\apilf.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\apilf.dll: disinfection failed
E:\WINDOWS\apirn.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\apirn.dll: disinfection failed
E:\WINDOWS\appua32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\appua32.dll: disinfection failed
E:\WINDOWS\d3tl32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\d3tl32.dll: disinfection failed
E:\WINDOWS\Downloaded Program Files\YSBactivex.dll: infected with Trojan.Downloader.IstBar.GP
E:\WINDOWS\Downloaded Program Files\YSBactivex.dll: disinfection failed
E:\WINDOWS\msaz32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\msaz32.dll: disinfection failed
E:\WINDOWS\msxmidi.exe: infected with Trojan.Downloader.Fet.S
E:\WINDOWS\msxmidi.exe: disinfection failed
E:\WINDOWS\system32\adddm32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\system32\adddm32.dll: disinfection failed
E:\WINDOWS\system32\apijj.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\system32\apijj.dll: disinfection failed
E:\WINDOWS\system32\javaab32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\system32\javaab32.dll: disinfection failed
E:\WINDOWS\system32\msxf32.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\system32\msxf32.dll: disinfection failed

Next I tried running HijackThis, and my Norton kept detecting a virus and posted this message:

Object Name: E:\HJT\hijackthis.log
Virus name: MHTMLRedir.Exploit
Action Taken: The file was deleted automatically

This would delete the hijackthis.log. I disabled Norton Auto-Protect, then captured this HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 7:31:36 AM, on 1/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
E:\WINDOWS\system32\apijq.exe
E:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
E:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\WINDOWS\system32\apihh.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Documents and Settings\kyle\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CE963D1-FD1B-D1F3-A21C-F800645351B3} - E:\WINDOWS\system32\adddm32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "E:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [apihh.exe] E:\WINDOWS\system32\apihh.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] F:\Kyle's Stuff\downloads\popupstopper\EnigmaPopupStop.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103814038540
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\system32\apijq.exe

If anyone could help me out with this "Nasty" that's infected my computer and walk me through the steps, I would really appreciate it.
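As an added example (not part of the original thread, and not HijackThis code), the Python script below parses HijackThis-style entries and flags the patterns that mark the log above as a hijack: IE start and search pages redirected to a res:// resource inside a DLL, Default_Page_URL forced to about:blank, a BHO with no name, a Run entry whose label is just the executable's own file name under the Windows directory, sites and an IP range added to the Trusted Zone, a Downloaded Program File fetched through an ms-its:mhtml: URL, and a service whose vendor field reads Unknown (as it does for apijq.exe above). The sample input is constructed from lines of the posted log plus a few of its benign entries; the rules and reason strings are this example's own heuristics, not any vendor's signatures.

```python
import re

# Constructed sample input: entries copied from the log posted above, with a few
# of its benign entries kept so the filter has legitimate lines to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CE963D1-FD1B-D1F3-A21C-F800645351B3} - E:\WINDOWS\system32\adddm32.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [apihh.exe] E:\WINDOWS\system32\apihh.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103814038540
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\system32\apijq.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
# Section codes are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<rest>.*)$")


def parse_entries(text):
    """Yield (kind, body) for every entry line, skipping headers and the process list."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def run_target(rest):
    """Extract the executable path from a Run value, whether quoted or not."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def classify(kind, body):
    """Return a reason string when the entry matches a hijack indicator, else None."""
    if kind in ("R0", "R1"):
        if "res://" in body:
            return "IE start/search page redirected to a resource inside a local DLL (res://)"
        if body.rstrip().endswith("= about:blank"):
            return "IE default page forced to about:blank"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            path = run_target(m.group("rest"))
            exe = path.rsplit("\\", 1)[-1]
            # Heuristic: product software labels its Run entry; droppers often use
            # the bare file name and sit directly under the Windows directory.
            if exe.lower() == m.group("label").lower() and "\\windows\\" in path.lower():
                return "Run entry labelled with its own executable name under the Windows directory"
    elif kind == "O15":
        return "site or IP range added to the IE Trusted Zone"
    elif kind == "O16":
        low = body.lower()
        if "ms-its:" in low or "mhtml:" in low:
            return "Downloaded Program File fetched through an ms-its:/mhtml: URL"
    elif kind == "O23":
        # O23 bodies read "Service: <name> - <vendor> - <path>".
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[-2].strip() == "Unknown":
            return "service with no vendor information"
    return None


def triage(text):
    """Return [(kind, reason, body), ...] for every flagged entry, in log order."""
    hits = []
    for kind, body in parse_entries(text):
        reason = classify(kind, body)
        if reason:
            hits.append((kind, reason, body))
    return hits


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

Run against the sample it reports eight entries, all of which are among the ones BitDefender or the poster's description already implicate, and leaves the Adobe BHO, the Symantec Run entry and service, and the Windows Update control alone. The O4 rule is deliberately loose: applied to the full log above it would also flag ctfmon.exe, a legitimate Microsoft component, so hits are a worklist for a person to confirm against the file's version information and vendor, not a list to remove automatically.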
Posted by: kb-resq

I resolved this problem already by using Microsoft's AntiSpyware Beta program.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
:D :D :D

Posted by: southernlady

I just hadn't gotten to you. I work from the oldest posted. But I'm glad you got it fixed. So I can close this one?

Liz

Posted by: kb-resq

I understand that it must take some time to analyze those log files. Those logs can be rather long. Yes, you can close this thread. Have you tried Microsoft's AntiSpyware Beta program? They did a nice job with it, and it'll probably help with most IE hijack troubles.