Hi jacked browser (RESOLVED)

  1. 26-08-2006  #1
    iarliarl
    iarliarl is offline Newbie

    Hi jacked browser (RESOLVED)

    When I search on google and click on one of the items come up it take me to some other webpage not the expected one. I have run Spy bot, Ad aware, and CW Shredder. Please see below for the Hi Jack this log. I would appreciate any help. Thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 10:14:09 AM, on 8/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ROGERL~1\LOCALS~1\Temp\Rar$EX00.734\Hi jackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.co.uk
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [dmbur.exe] C:\WINDOWS\system32\dmbur.exe
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  3. 26-08-2006  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    Did you choose to setup aftonbladet.se as your main Start Page. Its Rating: Excessive popups - Too many (annoying) ads and popups!:

    http://www.siteadvisor.com/sites/aftonbladet.se



    You are not running HijackThis (HJT) from a desired location. You really need to setup a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost backup issues.

    It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
    • Create a new folder in your C: Drive.
    • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
    • Run HJT from there (and revise your shortcut accordingly).



    Your HijackThis items appear to rather limited in O4 running processes. Did you put any such items in an 'Ignorlist', etc.?




    Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).
    • Click the Download BUTTON. On the next page click the Download now BUTTON.
    • Save and then install (Run) from the save location.
    • Open/Run ewido anti-spyware
    • Wait a few moments and Ewido should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:

    • Click on the Update now LINK at the top of the window
      • Click on the Start update button
      • Wait for the update to download and install
  4. This is very important to get the LATEST updates
  5. Click on the Status ICON
    • Under "Your computers Security"
      Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
  6. Click on the Scanner ICON at the top of the window
  7. Click on the Settings tab then select Recommended Actions and choose Quarantine
  8. When updating has finished. Close Ewido.



    9. We will be using this tool in a later step.




    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________



    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    ______________________________

    Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan:
    • Click on the default Status ICON and select the Scan now LINK.

      OR

    • Click on the Scanner ICON . Select the Scan TAB.

      • Select Complete System Scan. Ewido will now begin to scan your system.

    • If Ewido finds anything it will list them in the Preview WINDOW:
      • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
      • Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).

    • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
    • Copy and paste the EWIDO scan results into your next post.
    • Close Ewido.



    Also, please post your latest HijackThis LOG.
  • 27-08-2006  #3
    iarliarl
    iarliarl is offline Newbie
    I choose Aftonbladet as the homepage.

    I did not put anything in an ignore list when I run Hi Jack this. I have turned off and delete a lot of things to get my machine in order again.

    I have run ewido and a new Hi Jack this log. Please see below. I think it works now, thanks for your help.

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:54:17 PM 8/26/2006

    + Scan result:



    C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\41B6702C-85F8-47CA-8E1C-637AD5.asq -> Adware.Thumper : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\gba155.exe -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\gba1799.exe -> Dialer.Juicy : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\CSBIW.0XE -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cskdl.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\CWSYHCYI.0XE -> Downloader.Dluca : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\xscan.0xe -> Dropper.Agent.hy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Roger Liden\Cookies\roger liden@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\dmrms.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 1127 PM, on 8/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.co.uk
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 27-08-2006  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



    ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

    PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. Accordingly and of further note; it can be very unsafe to run with admin rights on any PC that you browse the Internet with.


    (Windows XP)
    FOLDER LOCATION: c:\System Volume Information\_restore….
    To Turn OFF System Restore.
    1. Click the Start button.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
    4. Click Apply.

    REBOOT.

    To Turn ON System Restore.
    1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
    2. Create new System Restore points.


    (Windows ME)
    FOLDER LOCATION: c:\_RESTORE\TEMP\….
    See the following link for instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




    To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
      http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
      http://www.microsoft.com/windows/ie/default.asp
      • http://www.securityfocus.com/news/11273
        If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.

    2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
      AVG: http://free.grisoft.com/doc/1
      Avast: http://www.avast.com/eng/avast_4_home.html

    3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
      Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
      Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
      Microsoft Windows Defender beta 2 : http://www.download.com/Microsoft-Wi...ml?tag=lst-0-1

    4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
      Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
      *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
      Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

      It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

    5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components.
      Mozilla Firefox: http://www.mozilla.org/products/firefox/

    6. Consider increasing your browser security by using these programs:
      SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
      SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
    7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
      • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
      • Next select ‘Open host file manager’ button.
      • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
      • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

        EXCERPT:
        #start of lines added by WinHelp2002
        # [Misc A - Z]
        127.0.0.1 phpadsnew.abac.com
        127.0.0.1 a.abnad.net
        127.0.0.1 e.abnad.net
        127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
        .
        .
        .
        #end of lines added by WinHelp2002




    *Remember just like your primary anti-virus software, it is important to:
    • Keep all of these programs up-to-date (using auto-updates where possible), and
    • Use them on a regular (minimum weekly) basis.




    REALITY CHECK:
    • Who else uses your PC? What are the potential risks created by multiple (potentially loose cannon) users and why?
    • What about bad luck, simple mistakes, and bad browsing choices (SEE: www.siteadvisor.com and their BLOG)?
    • SEE: The Dangers of Popularity (for Popular SEARCH TERMS):
      http://blog.siteadvisor.com/2006/08/...pularity.shtml
      The correlation of search term popularity and search term riskiness illustrates how malicious activity tends to follow and exploit consumer behavior. Users demand "free," and bad actors flock to fill corresponding search results with their deceptive offerings. All too often, users don't realize the detrimental consequences of these sites until their systems crash from spyware or their inboxes become choked with spam.


    ABOVE ALL, it is most imperative that users exercise "safe surfing" habits such as banning or at least verifying email attachments (with scanning tools) before opening, and by not executing programs unless obtained from a trusted (or researched) source, etc.



    In general, always research any unfamiliar links or products that you might want to access or download. In particular, the SiteAdvisor site and other links listed in my signature have continued to make a significant difference to my clients’ PC health due to better-informed browsing habits and choices. Peer-to-Peer and FREE download sites add a level of risk that many should seriously take into account and adjust their behavior accordingly.

    Additionally, TEMPORARY files are both a significant source of clutter and potential hiding places for MALWARE content. Clean out those areas periodically - at least weekly.
    • + Reply to Thread
    « dl.exe/no internet connection | PC acting "weird" again-jephree sd post my log »

    Similar Threads