Hello, so I have a nasty problem with my searching, whether it's on Google or Yahoo or anything else. I use Firefox to browse the internet and I pretty much Google search anything, so it really bothers me when there's something wrong with my browser! Whatever I have in my computer keeps redirecting my Google searches. By this I mean that I search something and when I click the link, sometimes I get redirected to some bogus site. I've run a full Malwarebytes scan and it picked up nothing. Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:00 AM, on 7/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7866 bytes

Can anyone help me out here? Thanks!


There is nothing showing in your HJT log.
Could you please do a full scan with Mbam and post its log.

How do I post a log from Malwarebytes? It tries to open it with Media Player Classic, for some reason.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 2

7/27/2009 5:01:18 PM
mbam-log-2009-07-27 (17-01-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156792
Time elapsed: 21 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DigiFast (Adware.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.

It says "no action taken" next to all the entries, you need to run another scan and have Mbam fix everything.
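An added example, not from the thread or from Malwarebytes, that parses a log in this format and reports what the reply above points at: entries left at "No action taken", and paths under \\?\globalroot, which the scanner reached through the NT object namespace because the file was hidden from normal directory listings (typical of TDSS-class rootkits). The sample log is constructed from the entries in this thread.

```python
import re

# Constructed sample in the Malwarebytes' Anti-Malware 1.39 log format, using the
# entries reported in this thread (paths and family names as the scanner printed them).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DigiFast (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^)]+)\) -> (.+?)\.?$")       # "path (Family) -> action."

def parse_mbam_log(text):
    """Map each detection section to a list of (path, family, action) tuples."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        head = SECTION_RE.match(line)
        if head:                       # summary lines end in a count, so they don't match
            current = head.group(1)
            sections[current] = []
            continue
        item = ITEM_RE.match(line) if current else None
        if item:
            sections[current].append(item.groups())
    return sections

def unresolved_items(sections):
    """Detections the scanner logged but did not clean: the 'No action taken' entries."""
    return [(sec, path, fam) for sec, items in sections.items()
            for path, fam, action in items if action.lower().startswith("no action")]

def hidden_object_paths(sections):
    r"""Paths reported via the \\?\globalroot prefix were reached through the NT object
    namespace, which is how a file hidden from normal listings (typical of TDSS) shows up."""
    return sorted({path for items in sections.values() for path, _, _ in items
                   if path.lower().startswith(r"\\?\globalroot")})

def summarize(text):
    sections = parse_mbam_log(text)
    return {"detected": sum(len(v) for v in sections.values()),
            "unresolved": len(unresolved_items(sections)),
            "hidden_paths": hidden_object_paths(sections)}
```

Run `summarize()` over a saved mbam-log file to see at a glance whether a scan actually removed anything or only reported it.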

Arrgh, it keeps finding globalroot systemroot but I can't get rid of it! It says to remove the files I must restart the computer. So I click OK and the computer restarts. If I run another scan, it simply finds it again! I can't get rid of the darned thing.

Post a fresh Mbam log and I will look into removing what's left over.

hey CID,

I had same problem with my pc earlier. You can see the thread I posted here


I have installed Microsoft OneCare trial version, which cleaned up all the viruses from my PC, even though it made my system slower while it is running.


Try running it. You can also try running some of the online scanners like

• ESET Online Scanner
• Kaspersky Online Scanner
• Panda Active Scan
• Trend Micro HouseCall
• F-Secure Online Virus Scanner

DL Ad-Aware. Install and make sure is up to date. DON'T RUN YET.

Re-run MalwareBytes - if it asks to re-boot... don't. Run Ad-Aware. NOW, REBOOT AND BOOT IN SAFE-MODE.

Re-run MalwareBytes (won't load all functions, but that's OK) - again, if it prompts to re-boot, DON'T. Re-run Ad-Aware.

NOW you can re-boot. With luck, all should be gone once and for all :)

Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 2

7/28/2009 11:39:50 AM
mbam-log-2009-07-28 (11-39-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156750
Time elapsed: 20 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruijvqouoea.dll (Trojan.TDSS) -> No action taken.

I can never get rid of what it finds!

Read the above advice... sometimes you have to hit it from more than one angle to box the bugger out of your system.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Thank you, everybody, for your help. The solution for this problem was scamguru's approach, which seems to have gotten rid of it.

Thank you all!

Ok, but I would still recommend running Combofix.

Hey Crunchie... have been meaning to pick you up on this for a while.

Combofix even describes their own tool both as "only to be used advisement" and fixes not to be run without the guidance/supervision of someone trained in its use. The fact that you keep advising those who are clearly novices, without warning to post reports before attempting to use the tool to fix anything it finds, is a little worrying.

If one is NOT a power user or trained in using ComboFix, they should ALWAYS post their findings before doing a damned thing... far too easy to screw things up by blindly acting on what the utility finds.

Hey Crunchie... have been meaning to pick you up on this for a while.

Didn't realise I was being stalked.

Combofix even describes their own tool both as "only to be used advisement" and fixes not to be run without the guidance/supervision of someone trained in its use.

Which fix are you talking about?

The fact that you keep advising those who are clearly novices, without warning to post reports before attempting to use the tool to fix anything it finds, is a little worrying.

Which reports are they? OP has posted a HijackThis and an MBA-M log and has an infection that I know Combofix targets.

If one is NOT a power user or trained in using ComboFix, they should ALWAYS post their findings before doing a damned thing... far too easy to screw things up by blindly acting on what the utility finds.

I assure you that I have access to private forums where these tools are developed and discussed.

Anything else?

@Crunchie
Not being picky or nasty, I had to pick up. I was in no way suggesting you didn't have the expertise to use ComboFix, but rather the average end-user. I was referring to this:

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log.

Yes, the OP has posted HJT and MBA logs, and I'm sure ComboFix could take care of the issue. My concern is that it may just as well pick up other "issues" as well... and "repairing" such s'posed errors without first checking with someone who knows what they are doing could end up in disaster.

Posting any report logs generated by ComboFix itself - before running repairs - gives you or others with experience the chance to look them over and say "allow these fixes, but ignore those" etc.

Would I call myself an expert in ComboFix?? Hell no! Rarely use 3rd party "fix-it" utilities, as I prefer to fix myself. I'll leave handing out advice for such apps to those who make more use of them. For similar reasons I have concern with the average user using a tool like ComboFix to repair their systems with close guidance every step of the way.

The nature of the Internet is such that one cannot sit alongside each person who is directed to run Combofix.
If you knew anything of Combofix you would know that there is no option to just request a scan to review. It will fix whatever it targets on its first run and produce that log which is then reviewed. One then goes through the log and if anything further is seen, one writes a 'script' for whatever action is necessary.

Yes, I realise that you can't exactly look over one's shoulder across the net, and no, I have not used ComboFix (I did say I rarely make use of 3rd party "fix-it" utilities).

My question is this... if ComboFix "repairs" something which should have been left alone (which, reading up on ComboFix, it is possible for this to happen) and the system goes haywire, how easy is it for one to undo particular changes made?

Am not asking to be a smartass, by the way. Have always been a little wary of any fix-it utility where the end-user doesn't get the final say-so before the utility goes to work. This is the warning, as posted on Bleeping Computer, which is what initially raised my concerns:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

The first sentence says it all. I classify myself as a helper :).
Files/folders removed by Combofix are quarantined and can be restored.
Yes, this tool has borked PCs in the past and could possibly do so again.
One has to weigh up the greater risk at the end of the day. I have yet to have someone let me know personally that it has borked their PC, and I have recommended it literally hundreds of times.
