1 Bad Hijacker!

Discussion in 'Virus & Other Malware Removal' started by Gibbo M8, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Gibbo M8

    Gibbo M8 Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    25
    Search Engine Links Redirect!
    Hi, I'm using a computer that is around 3 years old and it runs on Windows XP. Recently, when AVG Anti-Virus Protection stopped their free memberships, I ran my computer for at least a month and a half without any protection whatsoever.

    I woke up one day and my screen saver had changed to something saying "your computer is infected with spyware, go on this site and buy this to remove it". Also a fake anti-virus/spyware program was installed called Antivirus XP 2008 or something, and it said I had like 2800 viruses lol! I'm pretty good on computers (but I'm no professional) and I worked out how to delete it. I also found an apparently very good Internet Security Suite that is run by F-Secure and is called Optus Internet Security Suite 2008 (scans, firewall, virus/spyware/malware...). Anywayz, it got rid of a heap of viruses, prob around 200, and around 100 spyware. So I assumed my computer was all safe again...

    I worked out my computer definitely isn't in a safe state a few days ago, when whenever I tried to open a link on Google it would redirect me! I tried to go on technical support sites but they wouldn't work, so ATM I'm restricted to a proxy server. Also blue error screens (BSOD) come up after the computer hasn't been in use for around 10 mins. Fortunately I worked out these were fake after a bit of study... Anywayz, enough chatter lol, I just want you to help me get rid of the last stage of my computer's infection!

    I've read one other person's issue that is very closely related to mine and I followed the tech dude's instructions even though they weren't aimed at me. I downloaded Malwarebytes' Anti-Malware and scanned and got rid of a few things, and all my problems went away and then came back like 10 mins later lol... I also downloaded HijackThis and I've also done a scan on that. So here I'll send them in a sec lol... just realised this comp won't let me attach... FRIGGEN SPYWARE AND VIRUSES

    EDIT - Also downloaded ComboFix and that found nothing, but I'll show the log anywayz!
     
  2. Gibbo M8

    Gibbo M8 Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    25
    COMBO FIX LOG!

    Start Time= Mon 29/09/2008 19:19:28.71
    QuickScan did not find any signs of infected files
    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-09-28 21:00:24 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Malwarebytes"
    2008-09-28 21:00:18 ( .D... ) "C:\Program Files\Malwarebytes' Anti-Malware"
    2008-09-28 19:18:20 ( .D... ) "C:\Program Files\AML Products"
    2008-09-28 19:10:30 ( .D... ) "C:\Program Files\Max Registry Cleaner"
    2008-09-28 19:08:18 ( .D... ) "C:\Program Files\IZArc"
    2008-09-28 12:48:26 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
    2008-09-25 20:58:50 ( .D... ) "C:\Program Files\Dachshund Software"
    2008-09-18 14:53:08 0 ( A.... ) "C:\WINDOWS\system32\windows_update.exe"
    2008-09-17 18:14:50 ( .D... ) "C:\Program Files\[email protected]"
    2008-09-17 18:14:50 ( .D... ) "C:\Program Files\Common Files\Gibinsoft Shared"
    2008-09-17 15:15:56 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\F-Secure"
    2008-09-16 13:52:28 ( .D... ) "C:\Program Files\nzrdkcb"
    2008-09-11 17:51:06 ( .D... ) "C:\Program Files\Canon"
    2008-09-11 17:12:54 ( .D.H. ) "C:\Program Files\CanonBJ"
    2008-09-11 10:43:40 ( .D... ) "C:\Program Files\Common Files\L&H"
    2008-09-11 10:43:02 ( .D... ) "C:\Program Files\Microsoft Works"
    2008-09-11 10:42:56 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
    2008-09-11 09:31:16 ( .D... ) "C:\Program Files\Trend Micro"
    2008-09-11 09:21:30 44 ( A.... ) "C:\WINDOWS\system32\msssc.dll"
    2008-09-10 18:47:04 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Help"
    2008-09-10 18:43:16 62 ( A.SH. ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\desktop.ini"
    2008-09-10 18:39:06 ( .D..R ) "C:\Program Files\Tremulous"
    2008-09-10 18:31:16 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Macromedia"
    2008-09-10 18:30:10 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Adobe"
    2008-09-10 18:22:08 ( .D... ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Identities"
    2008-09-10 18:22:02 ( .DS.. ) "C:\Documents and Settings\Jordan Gibbings.ROBIN\Application Data\Microsoft"
    2008-09-03 11:15:10 ( .D... ) "C:\Program Files\Windows Resource Kits"
    2008-09-01 09:56:36 ( .D... ) "C:\Program Files\Uniblue"
    2008-08-30 21:48:24 ( .DSH. ) "C:\Program Files\Common Files\WindowsLiveInstaller"
    2008-08-30 21:48:10 ( .D... ) "C:\Program Files\Windows Live"
    2008-08-26 13:28:14 16208504 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
    2008-08-03 21:49:12 50 ( A.... ) "C:\AUTOEXEC.BAT"
    2008-08-03 21:48:18 ( .D... ) "C:\Program Files\PIXELA"
    2008-08-03 21:47:04 ( .D... ) "C:\Program Files\Common Files\muvee Technologies"
    2008-08-03 21:33:10 ( .D... ) "C:\Program Files\Sony Corporation"
    2008-07-31 17:09:22 ( .D... ) "C:\Program Files\PICTUREPACKAGES"
    2008-07-29 09:10:46 ( .D... ) "C:\Program Files\Sun"
    2008-07-18 22:10:40 45768 ( A.... ) "C:\WINDOWS\system32\wups2.dll"
    2008-07-14 19:09:18 62976 ( A.... ) "C:\WINDOWS\system32\tzchange.exe"
    2008-07-03 17:14:02 351744 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"

    ((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
    "Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
    "F-Secure Manager"="\"D:\\Program Files\\Optus Internet Security Suite\\Common\\FSM32.EXE\" /splash"
    "F-Secure TNB"="\"D:\\Program Files\\Optus Internet Security Suite\\FSGUI\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispBackgroundPage"=dword:00000000
    "NoDispScrSavPage"=dword:00000000
    "DisableRegistryTools"=dword:00000000
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
    "item"="sysrest32.exe"
    "hkey"="HKLM"
    "key"="Run"

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Scheduled scanning task.job
    Completion time: Mon 29/09/2008 19:19:51.29
    ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
     
  3. Gibbo M8

    Gibbo M8 Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    25
    TREND MICRO LOG!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:59:54 PM, on 28/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Optus Internet Security Suite\Anti-Virus\fsgk32st.exe
    D:\Program Files\Optus Internet Security Suite\Anti-Virus\FSGK32.EXE
    D:\Program Files\Optus Internet Security Suite\Common\FSMA32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\Optus Internet Security Suite\Common\FSMB32.EXE
    D:\Program Files\Optus Internet Security Suite\Common\FCH32.EXE
    D:\Program Files\Optus Internet Security Suite\Anti-Virus\fssm32.exe
    D:\Program Files\Optus Internet Security Suite\Anti-Virus\fsqh.exe
    D:\Program Files\Optus Internet Security Suite\Common\FAMEH32.EXE
    D:\Program Files\Optus Internet Security Suite\FSAUA\program\fsaua.exe
    D:\Program Files\Optus Internet Security Suite\FSPC\fspc.exe
    D:\Program Files\Optus Internet Security Suite\FWES\Program\fsdfwd.exe
    D:\Program Files\Optus Internet Security Suite\FSAUA\program\fsus.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    D:\Program Files\Optus Internet Security Suite\Common\FSM32.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Optus Internet Security Suite\FSGUI\fsguidll.exe
    D:\Program Files\Optus Internet Security Suite\Anti-Virus\fsav32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program Files\Optus Internet Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program Files\Optus Internet Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program Files\Optus Internet Security Suite\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program Files\Optus Internet Security Suite\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program Files\Optus Internet Security Suite\FSPC\fspcmsie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O20 - Winlogon Notify: epabhaio - epabhaio.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\Optus Internet Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\Optus Internet Security Suite\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\Optus Internet Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\Optus Internet Security Suite\Common\FSMA32.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    --
    End of file - 6027 bytes
     
  4. Gibbo M8

    Gibbo M8 Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    25
    Malwarebytes' Anti-Malware 1.28
    Database version: 1218
    Windows 5.1.2600 Service Pack 2
    28/09/2008 9:49:57 PM
    mbam-log-2008-09-28 (21-49-57).txt
    Scan type: Quick Scan
    Objects scanned: 97356
    Time elapsed: 12 minute(s), 59 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 2
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.
     
Short URL to this thread: https://techguy.org/754402