brican asked:
I have a virus that has hijacked my browser. Can anyone help?
I am still able to surf but it will not allow me into some parts of the site I'm on. I will look over similar problems on EE.
HijackThis.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:19 PM, on 9/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator.COMPUTER_1\Application Data\Microsoft\Internet Explorer\Quick Launch\FOX Password Safe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F908BEA-4590-4BDD-B790-D7EB71704EF4}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: NTI BackupNowEZSvr - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
O23 - Service: Uniblue DiskRescue - Uniblue - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe
--
End of file - 8588 bytes
ASKER CERTIFIED SOLUTION
Use Panda antivirus, which is a cure for many such issues.
Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Before running Combofix, temporarily disable any firewall(s), shield(s), etc. to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log; for further instructions, save and paste the results by Attach File or by Code Snippet so other experts can take a look at it. Once the log looks clean, you may enable your firewall(s), shield(s), etc. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.
You might need to rename the file before saving it to your desktop so it will not be blocked.
Please note: Don't run Combofix in Safe Mode.
2 things. Make sure in IE8 that a proxy has not been set by the virus. Click Tools, Internet Options, Connections, LAN Settings. Nothing should be in any of those boxes, though some people will check "Automatically detect settings". Failing that...
Run ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix The link is 2/3 down the page, the blue highlighted bleepingcomputer link. This is a must-have program for XP. Follow the wizard as it runs in Windows in a DOS emulator. If you can't disable your antivirus, no sweat.
Then run winsockfix http://winsockfix.en.softonic.com/
This should get you there.
Good luck,
Ken
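The proxy and DNS checks Ken describes, applied to the kind of log posted in the question, as an added Python example. This is not code from the thread, from HijackThis or from Trend Micro: it parses the R/O entry lines of an HJT v2 log and flags what a helper reads first (orphaned "(no file)" and "(file missing)" entries, a changed start or search page, any proxy setting, and the O17 name servers). The sample log mixes lines copied from the question with constructed lines marked as such; the `.invalid` host, the 192.0.2.53 address (a documentation range), the expected-host list and the trusted-resolver set are assumptions for the example. Whether 156.154.70.22 and 156.154.71.22 are the resolvers this machine is supposed to use is something the asker would confirm with their ISP, which is why they are passed in rather than hard-coded as safe.

```python
"""Triage of a HijackThis (HJT) v2 log: flag the entries a helper looks at first.

Added example, not part of the original thread. Run it directly to print the
findings for the sample log; triage() returns them as a list for other callers.
"""
import re
from ipaddress import ip_address

# Sample input. The first five lines are copied from the log in the question;
# the last three are CONSTRUCTED for this example and are NOT in that log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O3 - Toolbar: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F908BEA-4590-4BDD-B790-D7EB71704EF4}: NameServer = 156.154.70.22,156.154.71.22
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijack-example.invalid/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# HJT entry lines look like "O17 - <body>"; the process list and headers do not match.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")

# Assumption for this example: these hosts are legitimate defaults for the
# R0/R1 start and search pages; anything else is treated as a hijack candidate.
EXPECTED_PAGE_HOSTS = {"go.microsoft.com", "www.google.ca", "www.google.com"}


def parse(log):
    """Yield (section, body) for every HJT entry line, skipping everything else."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["sec"], m["body"]


def _host(url):
    m = re.match(r"[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else None


def _name_servers(body):
    """Return the comma-separated server list after 'NameServer =' in an O17 line."""
    _, _, tail = body.partition("NameServer =")
    return [s.strip() for s in tail.split(",") if s.strip()]


def triage(log, trusted_resolvers=frozenset()):
    """Return findings as dicts with section, severity, reason and the raw entry."""
    findings = []

    def add(sec, severity, reason, body):
        findings.append({"section": sec, "severity": severity, "reason": reason, "entry": body})

    for sec, body in parse(log):
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            # Registry still points at a file that is gone: harmless, but clean it up.
            add(sec, "low", "orphaned entry: target file no longer exists", body)
        elif sec in ("R0", "R1") and "Internet Settings," in body:
            # HJT reports ProxyServer/ProxyOverride/AutoConfigURL as R1 lines; a
            # hijacker that sets one can route every request through itself.
            add(sec, "high", "proxy setting present: confirm it was set on purpose", body)
        elif sec in ("R0", "R1"):
            m = URL_RE.search(body)
            host = _host(m["url"]) if m else None
            if host not in EXPECTED_PAGE_HOSTS:
                add(sec, "high", f"start/search page points at unexpected host {host!r}", body)
        elif sec == "O17":
            # DNS hijack: any server that is not one the user chose is suspect,
            # as is anything that is not even a valid IP address.
            bad = []
            for s in _name_servers(body):
                try:
                    ip_address(s)
                except ValueError:
                    bad.append(s)
                    continue
                if s not in trusted_resolvers:
                    bad.append(s)
            if bad:
                add(sec, "high", "DNS servers not in the trusted set: " + ", ".join(bad), body)
            else:
                add(sec, "info", "DNS servers match the trusted set", body)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_resolvers={"156.154.70.22", "156.154.71.22"}):
        print(f"[{f['severity']:4}] {f['section']}: {f['reason']}")
        print(f"       {f['entry']}")
```

Everything the O17 line reports should be treated as a question, not an answer: with an empty trusted set both O17 entries come back as high, and only after the asker confirms who operates 156.154.70.22 and 156.154.71.22 does the first one drop to informational. The "(no file)" entries are the ones HJT can fix safely on its own; the proxy and start-page findings are the ones to check in the IE dialog Ken points at before running anything heavier.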
ASKER
I just ran TDSSKiller and it found a rootkit problem and quarantined it. I am going to try to surf again and will get back to you.
SOLUTION
If you had a rootkit then you had a problem. Now get it all out with a ComboFix and/or Malwarebytes cocktail.
Ken
ASKER
All looks well, I am surfing properly again. I would like to use the computer a little more before I accept the solution. Is that possible?
ASKER
I will switch to Panda antivirus, Bawer. I have it in my downloads. Appreciate the suggestion.
Sorry Rockiroads for duplicating suggestions :(
My bad!
ASKER
Thank you all my PC is running like a champ!