1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Ucleaner/Browser Hijack/etc

Discussion in 'Virus & Other Malware Removal' started by TroyCG7, Oct 30, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. TroyCG7

    TroyCG7 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    5
    Hello, recently my girlfriends computer has been acting up. By the time I got to it, I used Ad-aware to scan for basic issues. There were various worms, trojans, and a browser hijacker. I appear to have gotten rid of most through research online, with the exception of the hijacker. Here is the important info:

    Windows XP
    I.E. for web surfing

    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:23:25 PM, on 10/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Sean\Desktop\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c006C53D.dat",realset
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [A00F31687.exe] C:\DOCUME~1\Sean\LOCALS~1\Temp\_A00F31687.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: __c00B26D0 - C:\WINDOWS\system32\__c00B26D0.dat
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6174 bytes


    SUPERantispyware Log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/30/2007 at 09:58 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3334
    Trace Rules Database Version: 1335

    Scan type : Complete Scan
    Total Scan Time : 00:29:32

    Memory items scanned : 490
    Memory threats detected : 0
    Registry items scanned : 4356
    Registry threats detected : 1
    File items scanned : 28846
    File threats detected : 4

    Browser Hijacker.Internet Explorer Settings Hijack
    HKU\S-1-5-21-682003330-1614895754-839522115-1004\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 ]

    Trojan.Net-MSV/VPS-H
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{257EEC64-A66A-4F1C-A561-08247F802235}\RP230\A0171260.DLL

    Trojan.Net-MU/Gen
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{257EEC64-A66A-4F1C-A561-08247F802235}\RP230\A0171289.EXE

    Trojan.Net-MSM/NMC
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{257EEC64-A66A-4F1C-A561-08247F802235}\RP230\A0171290.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{257EEC64-A66A-4F1C-A561-08247F802235}\RP230\A0171291.DLL


    SmitfraudFix Log:


    SmitFraudFix v2.242

    Scan done at 22:36:41.04, Tue 10/30/2007
    Run from C:\Documents and Settings\Sean\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{166FFECE-08BA-494A-8C13-CE80A2CE48A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{C273D23F-441E-4D94-9D31-859D516C4045}: DhcpNameServer=66.189.0.29 66.189.0.30 66.189.0.5
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{166FFECE-08BA-494A-8C13-CE80A2CE48A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{C273D23F-441E-4D94-9D31-859D516C4045}: DhcpNameServer=66.189.0.29 66.189.0.30 66.189.0.5
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{166FFECE-08BA-494A-8C13-CE80A2CE48A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{C273D23F-441E-4D94-9D31-859D516C4045}: DhcpNameServer=66.189.0.29 66.189.0.30 66.189.0.5
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End





    Any help would be appreciated. Thank you.
     
  2. TroyCG7

    TroyCG7 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    5
    Wow stuff moves down quick...bump! ;)
     
  3. TroyCG7

    TroyCG7 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    5
    bump.
     
  4. TroyCG7

    TroyCG7 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    5
    Bump...any help would be appreciated
     
  5. TroyCG7

    TroyCG7 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    5
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Ucleaner Browser Hijack
  1. bj nick
    Replies:
    0
    Views:
    676
  2. Brigham
    Replies:
    1
    Views:
    590
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/645745

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice