[HijackThis] Getting rid of adware



Wardog
14-03-2009, 08:02 PM
I have this adware that redirects me to this site after I search some things in Google.

I downloaded HJT, could someone please look over it and assist with the removal of this shizzle?

It redirects me to:


http://67.29.139.253/


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:24 p.m., on 14/03/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Marvell\61xx\tray\zRaidTray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Joshua\Downloads\Programs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O4 - Startup: MarvellTrayStartup.lnk = C:\Program Files\Marvell\61xx\tray\RaidTray.bat
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 5978 bytes

wainuitech
14-03-2009, 08:09 PM
These can go:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6

Here is where they are redirecting you to:

85.255.115.2
org-name: UkrTeleGroup Ltd.
address: UkrTeleGroup Ltd.
address: Mechnikova 58/5 65029 Odessa


From my sig, download Malwarebytes and Spyware Terminator - install, run and remove any infections they find. Make sure you select FULL SCAN on both - a quick scan won't catch everything.

Blam
14-03-2009, 08:10 PM
Tick and click Fix checked:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 85.255.115.2,85.255.112.6

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O13 - Gopher Prefix:


There may also be a few unneeded startup entries that can be removed; the above are the nasty/obvious ones.

Blam
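A small triage script for the entry types flagged in the two replies above: O17 NameServer lines pointing at resolvers you did not configure, and entries whose target is "(no file)". This is an added example, not code from the thread or from HijackThis; the trusted-resolver ranges and the sample log excerpt are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Resolvers expected on this machine; constructed here (assumes the LAN
# router and other RFC 1918 addresses are the only legitimate resolvers).
TRUSTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


def nameservers(line):
    """Return the IPs listed in an O17 NameServer entry (empty if not O17)."""
    m = O17_RE.match(line)
    if not m:
        return []
    return [ip_address(s) for s in m.group("servers").split(",") if s]


def is_trusted(ip, trusted=TRUSTED_RESOLVERS):
    """True when the resolver address falls inside an expected range."""
    return any(ip in net for net in trusted)


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (reason, line) pairs for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        bad = [str(ip) for ip in nameservers(line) if not is_trusted(ip, trusted)]
        if bad:
            findings.append(("untrusted DNS server(s): " + ", ".join(bad), line))
        elif line.endswith("(no file)"):
            findings.append(("orphaned entry, target file missing", line))
    return findings


# Constructed sample built from the kinds of lines seen in the thread's log.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE3611-AC6A-44C1-827E-7A566E73CF09}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```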

Wardog
14-03-2009, 08:19 PM
Wainuitech, MalwareBytes is down. Downloading Spyware Terminator.

Blam
14-03-2009, 08:26 PM
It's not, just tried. Prob just the virus redirecting it. Try this <--DIRECT LINK--> (http://download.cnet.com/3001-8022_4-10804572.html?spi=53b25da60e05822b526c9c43005c387f&part=dl-10804572)

wainuitech
14-03-2009, 08:35 PM
Could be infections - if Blam's link doesn't work (just tried it and it still needs to load a page) try this one, it is direct (http://dw.com.com/redir?edId=3&siteId=4&oId=3001-8022_4-10804572&ontId=8022_4&spi=827ab4adf868d8842d6b588abce494b4&lop=txt&tag=idl2&pid=11004434&mfgId=6290020&merId=6290020&pguid=PoHNTQoPjGAAAF0sMuoAAABI&destUrl=http%3a%2f%2fsoftware-files.download.com%2fsd%2fk8NIq3J-vIUFhaHe99oeSKk7tIZLcjtLDUXqewppxPPi87YtneJcIk4-J1UfvXdEw555fR7Mwc67mQ0Gbmdanpn23n5d8k1J%2fsoftware%2f11004434%2f10804572%2f3%2fmbam-setup.exe%3flop%3dlink%26ptype%3d1901%26ontid%3d8022%26siteId%3d4%26edId%3d3%26spi%3d827ab4adf868d8842d6b588abce494b4%26pid%3d11004434%26psid%3d10804572)

Wardog
14-03-2009, 09:23 PM
I've downloaded OneCare, Spyware Terminator and MalwareBytes. OneCare has deleted some stuff, but I think there might be more on here.

This is really p'ing me off, I just reformatted a few weeks back, old installation was filled with crap, now this one has been infected with AIDS.

:\

Blam
14-03-2009, 09:30 PM
Do a full scan with all those programs.

OneCare sucks, remove it.

Disable System restore first.

Right click My Computer > Properties > System Restore tab > Tick "Disable System Restore on all drives".

Wardog
14-03-2009, 09:39 PM
!!!!!!!!!!

Can't even go on live.com or Google now!

FFFFFFFFFFFFFF this is total bs.

Can someone get me a link to Spybot please? NVM, I have it, it won't install, I'm trying to upload a screenshot but no sites will work. :D

wainuitech
14-03-2009, 11:15 PM
Restart the PC in Safe Mode; Spybot should run like that.

You can also try running Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) - but a WARNING - make sure System Restore IS enabled - on the odd occasion Combofix will make the PC unbootable if the infections are deep in the system files. Most of the time it works fine. Direct Download (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) - if you run it, let it do its work, don't stop it once it starts; it may look like it's not doing anything sometimes but it is.

Wardog
14-03-2009, 11:46 PM
That's what I tried to upload, but NO image sites would load.

http://i43.tinypic.com/6t06s5.png

Sites seem to work now, I just restarted it, but I'll still do some more scanning.

Pancake
15-03-2009, 11:54 AM
If you are having problems getting to sites because of the DNS Changer malware, download this on another computer and transfer it to yours using a thumb/flash drive.

OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please download from one of these webpages.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

If it will not run, rename ComboFix to xxx.exe and run that.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista, if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i254.photobucket.com/albums/hh103/velta911/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://i254.photobucket.com/albums/hh103/velta911/whatnext.png


Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Wardog
02-04-2009, 11:22 PM
This is total fail.

This happened to me again today, I was pressing enter heaps, then onecare popped up, then I entered through it. It came up again and said some trojan or some crap cannot be deleted, then sites stopped working.

IRC and MSN would work, but no webpages in FF and IE.

??????????????

Why?

EDIT: I'll do the ComboFix.

Speedy Gonzales
02-04-2009, 11:36 PM
If it's a variant of the DNSChanger trojan, it may be similar to the prob this guy was having (http://pressf1.co.nz/showthread.php?t=98168&page=2).

The last post. This variant changes the DNS IPs / settings in a router. If you're on broadband / have a router, reset it. Then reconfigure it. See if that fixes it.

Blam
02-04-2009, 11:45 PM
Run combofix, and we'll look at this deep infection.

Uninstall OneCare, and install Avast... OneCare sucks :p

The infection might be rooted in a System Restore point; clear the points to make sure there isn't anything hidden there:

1. Click Start
2. Right click Computer > Properties > Choose Advanced System Settings option in left menu listing.
3. If UAC is enabled you will get a UAC prompt; at this, click Continue
4. Click System Protection tab
5. Then Untick any Drive Listed and in the popup window click Turn Off System Restore
6. Click Apply > OK
7. Tick it back, then> OK

Once you've done that, scan with the recommended programs (MBAM, Spyware Terminator, ComboFix).

Update first, and perform a FULL scan.

Blam