Ugh, can't believe I did this, and can't fix it myself. I ended up getting a browser hijack program on my girlfriend's computer, I guess. It's constantly shutting down browser windows at random intervals, and giving popups or redirects to sites like ww w.winantivirus.com and such, trying to force its supposed anti-virus programs onto this computer. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:09:22 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Shannon\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150253398291
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150253391916
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I've used a couple of HJT analyzers already and removed a couple things, but it still hasn't fixed the problem, now I'm at a loss for what to do next. Any help would be much appreciated, thanks!

Joe
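The log above is in HijackThis's line format: a section code (R0, O4, O16, O23 ...), a dash, then the entry body, preceded by a header and a process list. As an added example that is not part of this thread, here is a small Python parser that turns such a log into records and applies the triage checks a responder would otherwise do by eye: ActiveX (O16 DPF) downloads from hosts outside an allowlist, autostart or service binaries outside the Windows and Program Files trees, services HijackThis reports as "Unknown owner", and Run entries that load a DLL through rundll32 (one common way a malicious DLL is made to autostart; NVIDIA's own entries use it too, so that flag means "verify the DLL", not "malicious"). The allowlists and the two made-up suspicious entries in SAMPLE_LOG (the example.invalid CAB and the hlpsvc service) are assumptions for the example; the other sample lines are taken from the posted log, and, as the reply below observes, none of them trips a check.

```python
"""Parse a HijackThis (v1.99-style) log and apply simple triage checks.

Added example, not part of the thread.  The allowlists and the two
constructed suspicious entries in SAMPLE_LOG are assumptions for
illustration, not a vetted reference set.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines from the posted log plus two made-up
# suspicious entries (the example.invalid CAB and the hlpsvc service).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150253398291
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Scanner Object) - http://example.invalid/scanner.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\Documents and Settings\All Users\hlpsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n,]*?\.(?:exe|dll|lnk|ocx|sys)", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.I)

# Assumed allowlists for this example (hosts seen in the posted log).
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "housecall65.trendmicro.com",
                     "cdn2.zone.msn.com", "zone.msn.com"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class HjtEntry:
    section: str
    body: str
    path: Optional[str] = None   # first Windows file path in the body
    url: Optional[str] = None    # download URL (O16 entries)
    clsid: Optional[str] = None  # COM class id, if any
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per 'Oxx - ...' line; header/process lines are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p, u, c = PATH_RE.search(body), URL_RE.search(body), CLSID_RE.search(body)
        entries.append(HjtEntry(m.group("section"), body,
                                p.group(0) if p else None,
                                u.group(0) if u else None,
                                c.group(0) if c else None))
    return entries


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach review flags to entries and return only the flagged ones."""
    for e in entries:
        if e.section == "O16" and e.url:
            host = (urlparse(e.url).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                e.flags.append(f"ActiveX download from unlisted host {host}")
        if e.section in ("O4", "O23") and e.path:
            if not e.path.lower().startswith(TRUSTED_DIRS):
                e.flags.append("autostart/service binary outside Windows or Program Files")
        if e.section == "O4" and RUNDLL_RE.search(e.body):
            e.flags.append("DLL loaded via rundll32; verify the DLL's vendor")
        if e.section == "O23" and "Unknown owner" in e.body:
            e.flags.append("service with no vendor name")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.section, e.path or e.url, "->", "; ".join(e.flags))
```

Entries that survive these checks are not thereby clean: the parasite in this thread lived in system32 under random names, which is why the reply below asks for a second-opinion scan rather than more HijackThis work.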

Hmm, it appears that I put this in the wrong forum, I probably should've put it in the Virus etc. forum. Sorry about that! I can't delete the post myself, it seems, so it looks like the post is stuck here.

Moved to the Virus Zoo.... :D

Although WinAntiVirus is a well-known "nasty", your HJT log shows no evidence of it whatsoever. As a matter of fact, the log looks very light on content in general; did you do your scan while booted in Safe Mode?

ARGH!!!! Twice now, it has closed my reply window on me, and then opened a window to some exitexchange.com redirect to various ads for jeans and stuff. :mad:

Anyways, no, that logfile is not in Safe Mode. Like I said, I fixed a handful of processes already by using HJT and some HJT analyzers. Also, this computer is fairly new, and I've made sure that good care has been taken of it, that's why I can't believe that I'm the one who got an infection on here, and not only that, but I can't get it off! I feel like a mechanic who broke his own car, and can't fix it. Sort of embarrassing, when I do it to my girlfriend's computer, and I'm the one who knows computers.

I'm at the end of my rope here. Like you said, there isn't a whole lot left to fix in HJT. As far as I know, every process left on there is safe, so unless the infection is VERY well hidden, or overwrote a file to trick the HJT analyzers into thinking it's safe, I really don't have any clue how to proceed here. It's not even just affecting Internet Explorer or something, it also affects Firefox, and it's also going after Windows Explorer. As I move through files and folders in Windows Explorer, it will randomly close a window on me, or sometimes even several, usually as I'm changing between windows.

Thanks for the move by the way, sorry about that, and thank you for any help anyone can offer!

Joe

OK- let's get a "second opinion" on the state of your system:

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.

1. Download ATF-Cleaner and save it to convenient location.


2. Download the free version of AVG Anti-Spyware (formerly ewido). Save the installer file to your desktop or any convenient folder.

* Run the installer, accepting the default options. Run the program once installed, click on the Update icon at the top of the main AVG window, and allow the program to download the most current components.

* Close AVG once the updates have been downloaded.


3. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

* Double-click ATF-Cleaner.exe to run the program.
- Click the Main menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.

If you use Firefox browser:

- Click the Firefox menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.
- Click Exit on the Main menu to close the program.


* Run AVG Anti-Spyware.

- Click on the "Scanner" icon just to the right of the Update icon. In the Scanner window, click on the "Settings" tab.
- Under "How to act?", click on "Recommended actions" and choose "Delete" from the resulting menu.
- All boxes under "How to scan" and "Possibly unwanted..." should be checked.
- Under "Reports", check "Automatically generate report after every scan".
- Under "What to scan", select "Scan every file".
- Click on the "Scan" tab, and then click on "Complete System Scan" to start scanning. It usually takes at least 40 minutes to complete a full scan.

Once the scan is complete, a window listing all infected objects (if any are found) will be displayed. Below the list of infected objects, make sure the Set all elements to: option is set to Delete and then click the Apply all actions button.

After the malicious items are deleted, you will be given the option to save the scan report; do that. The report is saved as a text file in the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder. (The actual filename is a combination of the date and time of the scan.) Open the report in Notepad and Cut-N-Paste the entire contents of the report in your next post.

OK, I ran the ATF Cleaner and then the AVG Anti-Spyware, as per your directions... Here's the report.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:09:46 PM 11/25/2006
+ Scan result:

C:\System Volume Information\_restore{472B818B-A9BB-4BE2-87AA-401852FB16B9}\RP97\A0011508.dll -> Adware.Agent : Cleaned.
HKU\S-1-5-21-329068152-1659004503-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned.
C:\System Volume Information\_restore{472B818B-A9BB-4BE2-87AA-401852FB16B9}\RP97\A0011512.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\qrm.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\buxqcqqs.dll -> Trojan.BHO.g : Cleaned.

::Report end

That didn't fix the problem though, I'm still getting these browser redirects, random windows being closed, and such.

WinAntiVirus is a member of the "Vundo" family of parasites, so let's try this:

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

I ran Vundo, here's the scan:

VundoFix V6.2.11
Checking Java version...
Java version is 1.5.0.3
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 1:56:18 AM 11/26/2006
Listing files found while scanning....
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.bak2 Has been deleted!
Performing Repairs to the registry.
Done!


I ran it again after the reboot, to make sure everything was gone, and it confirmed that there were in fact no more infected files. I'm not sure if the problem is fixed now or not, lemme dink around a bit and make sure.

Edit: Hmmmm... this appears to have taken care of the actual infection. I no longer appear to be getting any popups or redirects of any sort. However, I am having trouble with Windows Explorer. As I mentioned before, I was having trouble with windows randomly closing in both Windows Explorer and IE. Now if I open IE and start navigating through, say, My Documents, it ends up randomly closing up my My Documents window, and then will tell me that Windows Explorer had to be shut down or something.

Edit #2: AHHH! I just got a Data Execution Prevention thingie, but basically, I tried to go into "My Computer" and as the window started to open, all of a sudden I got a thing saying that this program (Windows Explorer) was being prevented from doing something potentially dangerous, and would be closed down. The window closed, then I got the whole "Windows Explorer has encountered a problem and needs to be shut down" thing, with the options to send an error report to Microsoft or not.

This only appears to be a problem when I have both IE and Windows Explorer open. If I don't have my browser open, I can go back and forth between My Music, My Documents, My Computer, and so on without a problem. If I have IE open, if I try and open My Computer, it instantly goes to "Windows Explorer has encountered a problem and needs to be shut down". If I open My Computer first, and then go to IE, as soon as I try to actually do anything in the My Computer window, it will get shut down. However, if I use Firefox, I can play around in My Computer all I want, and don't get any problems.

I did a round of Windows Updates, as well as updating Java, the night that I ended up getting the infection, I wonder if those could maybe have anything to do with this?

The updates, the infections, or both could have something to do with it. Try this:

Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning", especially those whose time-stamps coincide with the occurrence of the problem(s). Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire contents of the logs).

To post the details:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

Sorry about disappearing the last couple of days from the thread, I haven't been able to get over here to work with the girlfriend's computer. I just recreated the problem a couple more times, to generate some logs, so I'll go ahead and post those. There's just no way at all to use both Windows Explorer and Internet Explorer.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 11/28/2006
Time: 8:11:20 PM
User: N/A
Computer: SHANNONSCOMP
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module shellexecutehook.dll, version 7.5.0.47, fault address 0x00001890.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 73 68 65 6c 6c in shell
0038: 65 78 65 63 75 74 65 68 executeh
0040: 6f 6f 6b 2e 64 6c 6c 20 ook.dll
0048: 37 2e 35 2e 30 2e 34 37 7.5.0.47
0050: 20 61 74 20 6f 66 66 73 at offs
0058: 65 74 20 30 30 30 30 31 et 00001
0060: 38 39 30 0d 0a 890..

The errors I just generated a few minutes ago all read the same as that. I'm gonna go see if I can't make it screw up differently, or if it's consistently the same error each time.

Edit: Yeah, they're all the same as that error log. If I have to wipe this computer and reinstall Windows XP and such, that's not an incredibly huge deal to me, as I have everything that needs to be installed on this computer and can easily replace any needed files on it, it's just a time consuming process to go through. I've also tried System Restore on it, trying to go back a week or two on it, and that is not working at all, the System Restore is just unsuccessful.
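The "Data:" block of an Application Error (Event ID 1000) record is the same fault string as the Description, shown as an offset, eight hex bytes and an ASCII column per row. As an added example that is not part of this thread, the Python below rebuilds the bytes from that dump, parses the "Application Failure ... in MODULE VERSION at offset ..." text out of them, parses the Description line, and checks that the two agree on the faulting application, module and offset, which is the check to make before acting on the module name the record points at (here shellexecutehook.dll, which the reply below identifies). EVENT_DATA and DESCRIPTION are copied from the event record posted above; the row width of eight bytes is Event Viewer's dump format, and the byte count per row is taken from the next row's offset so that ASCII-column text can never be mistaken for hex.

```python
"""Decode the hex 'Data:' block of a Windows XP Application Error
(Event ID 1000) record and cross-check it against the Description.

Added example, not part of the thread.  EVENT_DATA and DESCRIPTION are
copied from the event record posted above.
"""
import re
from typing import Dict, List, Optional, Tuple

EVENT_DATA = """\
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 73 68 65 6c 6c in shell
0038: 65 78 65 63 75 74 65 68 executeh
0040: 6f 6f 6b 2e 64 6c 6c 20 ook.dll
0048: 37 2e 35 2e 30 2e 34 37 7.5.0.47
0050: 20 61 74 20 6f 66 66 73 at offs
0058: 65 74 20 30 30 30 30 31 et 00001
0060: 38 39 30 0d 0a 890..
"""

DESCRIPTION = ("Faulting application explorer.exe, version 6.0.2900.2180, "
               "faulting module shellexecutehook.dll, version 7.5.0.47, "
               "fault address 0x00001890.")

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_ROW = 8  # Event Viewer's dump width; only the last row is shorter


def decode_event_data(dump: str) -> bytes:
    """Rebuild the raw bytes from an Event Viewer hex dump.

    Each row is 'OFFSET: b0 b1 ... ASCII'.  The byte count of a row is
    taken from the next row's offset, so text in the ASCII column that
    happens to look like a hex pair is never consumed as data.
    """
    rows: List[Tuple[int, List[str]]] = []
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2).split()))
    out = bytearray()
    for i, (offset, tokens) in enumerate(rows):
        if len(out) != offset:
            raise ValueError(f"dump not contiguous at offset {offset:#06x}")
        expected = rows[i + 1][0] - offset if i + 1 < len(rows) else BYTES_PER_ROW
        for tok in tokens[:expected]:
            if not HEX_BYTE.match(tok):
                break  # reached the ASCII column of the (short) last row
            out.append(int(tok, 16))
    return bytes(out)


DATA_RE = re.compile(
    r"Application Failure\s+(?P<app>\S+)\s+(?P<app_version>\S+)\s+in\s+"
    r"(?P<module>\S+)\s+(?P<module_version>\S+)\s+at offset\s+(?P<offset>[0-9A-Fa-f]+)")
DESC_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_version>\S+), "
    r"faulting module (?P<module>\S+), version (?P<module_version>\S+), "
    r"fault address 0x(?P<offset>[0-9A-Fa-f]+)")


def _fields(m) -> Optional[Dict[str, object]]:
    if m is None:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    d["offset"] = int(m.group("offset"), 16)  # normalise so both sources compare equal
    return d


def parse_fault_data(record: bytes) -> Optional[Dict[str, object]]:
    """Fields from the decoded Data block ('Application Failure ... at offset ...')."""
    return _fields(DATA_RE.search(record.decode("latin-1")))


def parse_description(desc: str) -> Optional[Dict[str, object]]:
    """Fields from the human-readable Description line."""
    return _fields(DESC_RE.search(desc))


def consistent(dump: str, desc: str) -> bool:
    """True when Data and Description name the same faulting app, module and offset."""
    a = parse_fault_data(decode_event_data(dump))
    return a is not None and a == parse_description(desc)


if __name__ == "__main__":
    raw = decode_event_data(EVENT_DATA)
    print(raw.decode("latin-1").rstrip())
    print(parse_fault_data(raw))
    print("consistent with Description:", consistent(EVENT_DATA, DESCRIPTION))
```

The decoded text reads "Application Failure explorer.exe 6.0.2900.2180 in shellexecutehook.dll 7.5.0.47 at offset 00001890", agreeing with the Description, so the faulting module is not a transcription artifact; the same two functions work on any XP-era Event ID 1000 record pasted from Event Viewer.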

faulting module shellexecutehook.dll, version 7.5.0.47

shellexecutehook.dll is a component of the AVG Anti-Spyware program; it either got corrupted, or there's something it conflicts with on that particular computer. Uninstall the AVG program and see what happens.
