
Browser Hijacked

Discussion in 'Virus & Other Malware Removal' started by jpjqm2, Jan 10, 2011.

Thread Status:
Not open for further replies.
  1. jpjqm2

    jpjqm2 Thread Starter

    Joined:
    Jan 10, 2011
    Messages:
    1
    Hello people of Tech Support Guy (which I'm sure is also full of Gals)!!!

    I am so happy to be here :D which is probably sad because I need help with my infected laptop, but so excited to get some help from here. Here's the skinny (I'm so lame).:p

    When I type a search into google in either IE or Firefox my search is redirected to some other page. Always a different page though.

    I have the HijackThis and other logs right here.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:33:10 PM, on 1/10/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18999)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKUS\S-1-5-18\..\RunOnce: [] OSK.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] OSK.exe (User 'Default user')
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O15 - Trusted Zone: http://www.convergysworkathome.com
    O15 - Trusted Zone: *.west.com
    O15 - Trusted Zone: *.westathome.com
    O15 - Trusted Zone: *.westathome.net
    O15 - Trusted Zone: *.workathomeagent.net
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{247BBBAB-A3F2-4982-9249-845B8FB898C2}: NameServer = 134.124.2.2 134.124.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{247BBBAB-A3F2-4982-9249-845B8FB898C2}: NameServer = 134.124.2.2 134.124.2.1
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
    O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

    --
    End of file - 6529 bytes



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by January at 15:36:07.28 on Mon 01/10/2011
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.862 [GMT -6:00]

    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\dlbccoms.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe
    C:\Program Files\Nero\Update\NASvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\mmc.exe
    C:\Windows\system32\Taskmgr.exe
    C:\Windows\explorer.exe
    C:\Program Files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    c:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\January\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uSearch Bar = Preserve
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRunOnce: [<NO NAME>] OSK.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: adecco.com\www.xpert
    Trusted Zone: convergysworkathome.com\www
    Trusted Zone: umich.edu\www.icpsr
    Trusted Zone: west.com
    Trusted Zone: westathome.com
    Trusted Zone: westathome.net
    Trusted Zone: workathomeagent.net
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {247BBBAB-A3F2-4982-9249-845B8FB898C2} = 134.124.2.2 134.124.2.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\january\appdata\roaming\mozilla\firefox\profiles\wi2cqfbw.default\
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Sothink SWF Catcher: {618D522B-652C-4e19-9194-048700B12ED6} - %profile%\extensions\{618D522B-652C-4e19-9194-048700B12ED6}

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/07/30 19:49:56];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-12-22 21504]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    R2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe -service --> c:\windows\system32\dlbccoms.exe -service [?]
    R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
    R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
    S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2010-12-20 14336]
    S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2010-12-20 20864]
    S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2010-12-20 19968]
    S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2010-12-20 24960]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-22 21504]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-5 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]
    S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2006-11-2 1083520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-8-15 369688]

    =============== Created Last 30 ================

    2011-01-10 21:30:48 388096 ----a-r- c:\users\january\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-01-10 21:30:46 -------- d-----w- c:\program files\Trend Micro
    2011-01-10 20:07:26 -------- d-----w- c:\users\january\appdata\roaming\VSRevoGroup
    2011-01-10 19:11:11 -------- d-----w- c:\program files\PTDD Group
    2011-01-10 18:34:57 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{5aba6986-a6d2-4908-ab2e-d384961d3b4d}\mpengine.dll
    2011-01-10 18:32:34 328704 ----a-w- c:\windows\system32\sshnas21.dll
    2011-01-10 10:31:14 -------- d-----w- c:\program files\Convar
    2011-01-10 09:14:04 -------- d-----w- c:\users\january\appdata\roaming\Kernel for Windows Data Recovery
    2011-01-10 08:16:45 -------- d-----w- c:\program files\Ontrack
    2011-01-10 07:25:56 -------- d-----w- c:\program files\EASEUS
    2011-01-10 07:11:32 -------- d-----w- c:\program files\ZAR
    2011-01-10 01:43:44 -------- d-----w- c:\program files\BinaryBiz
    2011-01-10 00:15:29 -------- d-----w- c:\program files\SalvageData
    2011-01-09 23:34:35 -------- d-----w- c:\program files\Kernel for Windows Data Recovery
    2011-01-09 23:00:00 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-01-09 21:15:20 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{073065fa-2f5e-426a-bfa9-cdb750a100ec}\gapaengine.dll
    2011-01-09 21:06:53 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-09 21:06:12 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-01-09 20:49:22 -------- d-----w- c:\program files\LSoft Technologies
    2011-01-09 19:52:52 -------- d-----w- c:\program files\Runtime Software
    2011-01-09 19:28:08 -------- d-----w- c:\program files\NTFS Undelete
    2011-01-09 18:25:43 -------- d-----w- c:\program files\BitTorrent
    2011-01-09 18:25:04 -------- d-----w- c:\users\january\appdata\roaming\BitTorrent
    2011-01-08 17:08:53 -------- d-----w- c:\program files\Nero
    2011-01-08 17:08:32 -------- d-----w- c:\progra~2\Nero
    2011-01-08 16:57:59 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
    2011-01-08 16:57:28 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
    2011-01-07 07:02:25 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{547020b8-6267-4573-ab36-1db9c6e1c72d}\mpengine.dll
    2010-12-20 22:36:11 -------- d-----w- C:\LGP509MZ
    2010-12-20 22:24:38 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2010-12-20 22:24:37 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
    2010-12-20 22:24:37 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
    2010-12-20 22:24:37 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
    2010-12-20 22:24:37 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
    2010-12-20 22:24:37 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
    2010-12-20 22:24:37 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
    2010-12-20 22:24:36 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
    2010-12-20 22:22:26 24960 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
    2010-12-20 22:22:26 20864 ----a-w- c:\windows\system32\drivers\lganddiag.sys
    2010-12-20 22:22:26 19968 ----a-w- c:\windows\system32\drivers\lgandgps.sys
    2010-12-20 22:22:26 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
    2010-12-20 22:22:24 -------- d-----w- c:\program files\LG Electronics
    2010-12-20 22:20:57 -------- d-----w- C:\LGP509BK
    2010-12-20 22:18:16 53248 ----a-w- c:\windows\system32\CommonDL.dll
    2010-12-20 22:18:05 -------- d-----w- c:\progra~2\LGMOBILEAX
    2010-12-18 05:34:36 -------- d-----w- c:\program files\iPod
    2010-12-17 21:35:49 -------- d-----w- c:\program files\common files\SourceTec
    2010-12-17 21:35:45 -------- d-----w- c:\program files\SourceTec
    2010-12-15 00:05:26 515584 ----a-w- c:\program files\windows mail\wab.exe
    2010-12-15 00:05:25 66048 ----a-w- c:\program files\windows mail\wabmig.exe
    2010-12-15 00:05:25 33280 ----a-w- c:\program files\windows mail\wabfind.dll
    2010-12-15 00:05:20 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-12-15 00:05:09 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-12-15 00:05:09 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-12-15 00:05:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-12-15 00:05:07 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-12-15 00:05:07 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-12-15 00:03:01 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

    ==================== Find3M ====================

    2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe

    ============= FINISH: 15:43:04.33 ===============


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-10 18:58:22
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM320JI rev.2SS00_01
    Running: 9noo4np5.exe; Driver: C:\Users\January\AppData\Local\Temp\uftdrfog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8B80B000, 0x205494, 0xE8000020]
    .text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xA3D2B000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xA3D4E050]
    ? C:\Users\January\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2360] USER32.dll!TrackPopupMenu 766A14F3 5 Bytes JMP 641805FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!LdrLoadDll 77969390 5 Bytes JMP 00C013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!WahRemoveHandleContext + 91 765F3435 7 Bytes JMP 04F43A40 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!FreeAddrInfoW + 3D 765F3C45 7 Bytes JMP 04F43210 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!WSAIoctl + 98 765F3CE2 7 Bytes JMP 04F42FA0 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!getaddrinfo + 307 765F4491 7 Bytes JMP 04F43EB0 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!bind + 67 765F6596 7 Bytes JMP 04F43450 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] WS2_32.dll!WSCEnumProtocols + 114 765F83FB 7 Bytes JMP 04F44340 C:\Windows\system32\sshnas21.dll (Windows Setup API/Avira GmbH)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Can't wait to get some real help from the Tech Guy...Thanks so much in advance.
Short URL to this thread: https://techguy.org/973899