Old 01-05-2005, 09:57 AM   #1
Solid State Member
 
Join Date: Jan 2005
Posts: 7
I need help with a nasty hijacker

My computer has been infected by an IE hijacker of some type. I can't get rid of Home Search Assistant, Search Extender, and Shopping Wizard. When I open IE, my homepage is always reset to "about:blank" and I always get pop ups from "Only the Best". Also IE frequently generates an error and shuts down. I ran Ad-Aware, Spybot, and CWShredder (all updated) and they didn't get rid of the problem. I have also updated my Norton antivirus definitions and ran a full system scan and it didn't pick anything up. I've rebooted to safe mode and then deleted the contents of all temp folders, and cleaned out the recycle bin. Then I reran Ad-Aware, Spybot, CWShredder, and the antivirus scan while still in safe mode. I then rebooted and ran the free on-line scan from BitDefender, and it found several files that were infected with Trojan.Clicker.Fet.A, and couldn't disinfect them for some reason. I'm surprised that Norton never picked it up.

Next I tried running the "hijackthis", and my Norton kept detecting a virus and posted this message:
Object Name: E:\HJT\hijackthis.log
Virus name: MHTLMRedir.Exploit
Action Taken: The file was deleted automatically
This would delete the hijackthis.log
I temporarily disabled Norton Auto Protect, then captured this HJT.log:

Logfile of HijackThis v1.99.0
Scan saved at 7:31:36 AM, on 1/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
E:\WINDOWS\system32\apijq.exe
E:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
E:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\WINDOWS\system32\apihh.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Documents and Settings\kyle\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CE963D1-FD1B-D1F3-A21C-F800645351B3} - E:\WINDOWS\system32\adddm32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "E:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [apihh.exe] E:\WINDOWS\system32\apihh.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] F:\Kyle's Stuff\downloads\popupstopper\EnigmaPopupStop.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/gam...nts/y/pt2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/gam...nts/y/wt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccomm...oad/tgctlcm.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/r...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1103814038540
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - E:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\system32\apijq.exe

If anyone could help me out with this "Nasty" that's infected my computer and walk me through the steps, I would really appreciate it.
kb-resq
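The HijackThis log above is normally read by eye: res:// start pages, an unnamed BHO, a Run value launching an odd binary from system32, extra Trusted Zone entries, an O16 download with a non-HTTP scheme, and a service with an unknown vendor are the entries a helper would circle. The following Python script is an added example (not part of this thread, and not HijackThis's own code) that applies those same checks mechanically to a subset of the posted log, embedded here as test input. The check heuristics and the tiny `KNOWN_SYSTEM32_STARTUP` allowlist are assumptions of this example; a real triage list would be maintained by the analyst.

```python
import re
from typing import List, Optional, Tuple

# A subset of the HijackThis log posted above, embedded as test input for this example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\osrmh.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CE963D1-FD1B-D1F3-A21C-F800645351B3} - E:\WINDOWS\system32\adddm32.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [apihh.exe] E:\WINDOWS\system32\apihh.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - E:\WINDOWS\system32\apijq.exe
"""

# Every HijackThis entry is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Executable path of an O4 Run entry: after "]", optionally quoted, up to the first ".exe".
O4_PATH_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
# Image located directly in the Windows system directory.
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)

# Windows binaries that legitimately start from system32 via a Run value.
# Assumption of this example: the analyst maintains this allowlist; it is deliberately tiny.
KNOWN_SYSTEM32_STARTUP = {"ctfmon.exe"}

Finding = Tuple[str, str, str]  # (entry kind, original line, reason it was flagged)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-entry-type heuristics to one log line; None means nothing to report."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reason = None
    if kind in ("R0", "R1") and "res://" in body:
        reason = "IE start/search setting points at a res:// page served from a local DLL"
    elif kind == "R3" and "URLSearchHook is missing" in body:
        reason = "default URL search hook has been removed"
    elif kind == "O2" and "(no name)" in body:
        reason = "browser helper object registered without a name"
    elif kind == "O4":
        pm = O4_PATH_RE.search(body)
        if pm and SYSTEM32_RE.search(pm.group(1)):
            exe = pm.group(1).rsplit("\\", 1)[-1].lower()
            if exe not in KNOWN_SYSTEM32_STARTUP:
                reason = f"Run value launches an unrecognised binary from system32 ({exe})"
    elif kind == "O15":
        # Any Trusted Zone / Trusted IP range entry deserves a look; users rarely add these.
        reason = "domain or IP range added to the Trusted sites zone"
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if not url.lower().startswith(("http://", "https://")):
            reason = f"ActiveX download uses a non-HTTP scheme ({url.split(':', 1)[0]})"
    elif kind == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[-2].strip().lower() == "unknown":
            reason = "service with unknown vendor"
    return (kind, line, reason) if reason else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run as a script it prints seven flagged entries from the sample; the Symantec, Adobe, ctfmon and bitdefender.com lines pass because they match what a known vendor or a Windows component looks like. The point of the allowlist is that "lives in system32" is a weak signal on its own: the log above shows ctfmon.exe started the same way, so the script has to know the handful of Windows binaries that are expected there.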
Old 01-05-2005, 10:36 AM   #2
In Runtime
 
Join Date: Jan 2005
Posts: 268
Re: I need help with a nasty hijacker

Have you tried running Ad-Aware or Spybot S&D? If not, those'll probably help a bit.
Satori
Old 01-05-2005, 10:54 AM   #3
In Runtime
 
Join Date: Dec 2004
Posts: 376

http://www.computerforums.org/showthread.php?t=7332
SocK_MaN
Old 01-05-2005, 12:46 PM   #4
Solid State Member
 
Join Date: Jan 2005
Posts: 7

Yes, I've run updated versions of Ad-Aware and Spybot. They find things and delete them, but they come right back after a reboot.

Sock Man, thanks for the link. I'll try some of the things listed on securiteam.com and post my results tonight.

Also, Norton isn't very good at picking up trojans. Any suggestions on how to detect and/or get rid of a trojan? I ran a free online scan and it picked up a handful of them, but couldn't get rid of them.

Thanks for the speedy replies, I really appreciate it!!

Kyle
kb-resq
Old 01-05-2005, 01:38 PM   #5
In Runtime
 
Join Date: Dec 2004
Posts: 376

What version of Norton do you have? Because the firewall should stop trojans getting on your computer.
SocK_MaN
Old 01-05-2005, 04:48 PM   #6
Beta Member
 
Join Date: Jan 2005
Posts: 2
I can help

Hey,

A similar thing happened to me with IE a while back. I found that the best thing to do is to run Norton Antivirus, Spybot, and Ad-Aware over any files you have downloaded from the internet. Also, you should run them on your cookies. If none of this works, you should change your browser to Mozilla. Currently, there are not too many holes in that browser.
virus_killer
Old 01-06-2005, 12:42 AM   #7
Solid State Member
 
Join Date: Jan 2005
Posts: 7

Sockman,
I've got Norton System Works 2003, version 6.01
It includes: Norton Antivirus, Utilities, Cleansweep, and Ghost
Everything recently updated, and it didn't pick up the Trojans.

Next I ran an on-line scan using "BitDefender". It found 9 different .dll files that were infected. All 9 files posted the same as this one (except obviously the *.dll filename differs):

E:\WINDOWS\apilf.dll: infected with Trojan.Clicker.Fet.A
E:\WINDOWS\apilf.dll: disinfection failed

It also found a few other Trojans where "disinfection failed":
YSBactivex.dll: infected with Trojan.Downloader.IstBar.GP
msxmidi.exe: infected with Trojan.Downloader.Fet.S

Virus killer,
I have already run Norton, AdAware SE, and Spybot (all with the latest updates).
I did start using Firefox as my browser and it's working just fine.
I would like to get this darn spyware, adware, parasite, or whatever it is off of my computer.

Thanks for your replies and/or suggestions. I do appreciate it!!
kb-resq
Old 01-07-2005, 11:56 PM   #8
The Candyman
 
Join Date: Jun 2004
Location: USA
Posts: 11,310
Re: I need help with a nasty hijacker

Well, this may be a long shot, but you can try to boot up to safe mode w/no networking.

Once there, empty out the prefetch folder, then click start / run / type "msconfig" without the quotes.

Then click the startup tab, find and un-tick the box of anything that looks odd & should not be there.

Once that's done, click start / right click my comp. icon / properties / advanced tab / error reporting / put a check into the box for disable error reporting,

and put a check into the box that says "but notify me when an error occurs". All this does is turn off that nasty message that says your comp. is gonna send your error to Microsoft, so they can fix this.
Don't believe it....it's false & Microsoft doesn't respond to these anyways...

Now, click start & in the menu just above the start button is the startup menu....un-pin or delete any icon in there that you don't want Windows to load up when booting up Windows.....I only have 2 icons in mine & that's all I need at startup.

Now, click start / run / type regedit & hit enter.
This is the registry.....

Now go to:
HKEY_LOCAL_MACHINE --> SOFTWARE --> MICROSOFT --> WINDOWS --> RUN

This is the RUN folder....anything in there is gonna start up along w/Windows at boot.

If you see anything related to the virus in there, right click it & delete it. But before you delete it, do an export of it first by going to the item you're going to delete & highlight it, then go to the top left that says file.

Click it & scroll down to export / click that, and now you've made an export.

Now then, run all spyware programs you have / whatever they find, fix & delete them / then run them again.

That should take care of most of the problem.

If it boots up fine, then go to microsoft.com & install all of the CRITICAL UPDATES for Windows....you'll need those....
~mr mixx~
Old 01-08-2005, 06:46 AM   #9
Fully Optimized
 
Join Date: Dec 2004
Posts: 3,382
Re: I need help with a nasty hijacker

Download Microsoft Antispyware and it will clear all that for you, see my topic in this forum
technoman
Old 01-08-2005, 05:07 PM   #10
Solid State Member
 
Join Date: Jan 2005
Posts: 7
Thanks to all. Problem Resolved!!!

Technoman,
I owe you (and Microsoft) a debt of gratitude. I followed your suggestion and downloaded that Microsoft Antispyware Beta program and it seems to have fixed everything. Next I ran AdAware SE and Spybot just for giggles, and now I can run Internet Explorer again.
Prior to all of this I started using the Firefox browser as suggested by virus_killer. I like it better than IE, so I think I'll keep using that.

Mr.mixx,
Thanks for your suggestions as well, I was wondering how to disable that problem reporting to Microsoft!!

AOL Instant messaging works again as well.

Life is good again!!
kb-resq
All times are GMT -5.