Viruses, Spyware and other Nasties RSS Viruses, Spyware and other Nasties RSS

Browser Hijack- Random infrequent browser redirection &/or popups.

Reply

Join Date: Oct 2007
Posts: 2
Reputation: RickSavoy is an unknown quantity at this point 
Solved Threads: 0
RickSavoy RickSavoy is offline Offline
Newbie Poster

Browser Hijack- Random infrequent browser redirection &/or popups.

 
0
  #1
Oct 2nd, 2007
I am hoping some one can help. I picked up some kind of hijacker and none of the software I tried seems to be able to find it. Here is my HijackThis log. Please let me know if you see anything malicious. Thanks for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:55 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WDSC\iseries\InfoCenter\infoexec.exe
C:\Program Files\RPGAlive\RPGAlive.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
\Tpcgsrv2\kdrive\Users\Information Technology\Shared\Shared Programs\Sql Phone Deploy\PhonePrompt.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\NT Service\winupdater\winupdater.exs
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tpgov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://tpgov
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TPCG Information Technology
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tpcgsrv1:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BGINFO] "C:\BGINFO\BGINFO.CMD"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [ICHelp] C:\WDSC\iseries\InfoCenter\infoexec.exe C:\WDSC\iseries\InfoCenter\infoexec.cfg
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: .lnk = C:\WINDOWS\SYSTEM32\msmapibx32.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Startup: PhonePrompt.LNK = Users\Information Technology\Shared\Shared Programs\Sql Phone Deploy\PhonePrompt.exe
O4 - Global Startup: RPG Alive.lnk = C:\Program Files\RPGAlive\RPGAlive.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://tpgov
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124294865506
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://i-series.webex.com/client/v_...nt/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tpcg.msft
O17 - HKLM\Software\..\Telephony: DomainName = tpcg.msft
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tpcg.msft
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tpcg.msft
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\System32\LMabcoms.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows Updater - Unknown owner - C:\NT.exe (file missing)

--
End of file - 6413 bytes
Reply With Quote Quick reply to this message  
Join Date: Jun 2007
Posts: 17
Reputation: strix is an unknown quantity at this point 
Solved Threads: 1
strix's Avatar
strix strix is offline Offline
Newbie Poster

Re: Browser Hijack- Random infrequent browser redirection &/or popups.

 
0
  #2
Oct 2nd, 2007
Hi,
Please download the OTMoveIt by OldTimer.Save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. 
O4 - Startup: .lnk = C:\WINDOWS\SYSTEM32\msmapibx32.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O23 - Service: Windows Updater - Unknown owner - C:\NT.exe (file missing)
Now close all windows and browsers, other than HiJackThis, then click Fix Checked.
Close Hijackthis.

Please double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\msmapibx32.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please update your Java runtime environment to the latest release. Older versions have security vulnerabilities.
Last edited by strix; Oct 2nd, 2007 at 10:06 pm.
Reply With Quote Quick reply to this message  
Join Date: Oct 2007
Posts: 2
Reputation: RickSavoy is an unknown quantity at this point 
Solved Threads: 0
RickSavoy RickSavoy is offline Offline
Newbie Poster

Re: Browser Hijack- Random infrequent browser redirection &/or popups.

 
0
  #3
Oct 3rd, 2007
Thanks so much strix, it worked great! :-))
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware symantec system teen translate trojan unabletoaccessanti-virussites unwanted update virus viruses vista war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC