Browser Appears To Be Hijacked


  • This topic is locked
5 replies to this topic

#1 kekoiula

kekoiula

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 21 May 2007 - 11:32 PM

My browser is popping up with all types of redirected sites. I have attached my log file. Thanks for any help, I am losing my mind.

Logfile of HijackThis v1.99.1
Scan saved at 12:23:10 PM, on 5/22/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://websec.hawai...m/REsearch/HIS/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\kqhucims.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179137493967
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E0209C1-BAC5-4E7B-A8EA-8ED705F6FD12}: NameServer = 66.75.164.89,66.75.164.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{8457999C-ECF5-4ECE-A006-414A2AA6E5CF}: NameServer = 66.75.164.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E0209C1-BAC5-4E7B-A8EA-8ED705F6FD12}: NameServer = 66.75.164.89,66.75.164.90
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E0209C1-BAC5-4E7B-A8EA-8ED705F6FD12}: NameServer = 66.75.164.89,66.75.164.90
O20 - AppInit_DLLs:
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Manger Service 32 (SMSC) - Unknown owner - C:\WINDOWS\system\smsc.exe (file missing)
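The HijackThis log above is the only technical artefact in this thread. As an added example (not from the original post and not part of the HijackThis tool), here is a small Python triage script that parses lines in that log format and applies a few defender-side heuristics: an HKLM Run entry that uses rundll32 to load an eight-letter DLL from System32, an O23 service whose binary is missing or whose owner is unknown, and the per-adapter O17 NameServer overrides and the R0 start page, which it lists for review rather than flagging. The eight-letter naming rule, the section checks and the sample excerpt are assumptions constructed from the lines in post #1; anything the script reports is a pointer for the reviewer, not a verdict.

```python
"""
Triage helper for HijackThis v1.99-style logs.

Added example, not code from the thread or from HijackThis. It parses the
"Oxx - ..." entry lines and applies a handful of review heuristics. The
sample log below is a constructed excerpt of the lines posted above.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")
Finding = namedtuple("Finding", "level section reason body")

# A HijackThis entry: section tag, " - ", then the body of the entry.
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2})\s+-\s+(.*)$")

# Assumption (heuristic, not a rule): eight pseudo-random lowercase letters
# for a DLL living in System32 is a common naming pattern for dropped files.
RANDOM_DLL_RE = re.compile(r"system32\\([a-z]{8})\.dll", re.IGNORECASE)

# Constructed sample: a subset of the entries from post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://websec.hawai...m/REsearch/HIS/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\kqhucims.dll",realset
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E0209C1-BAC5-4E7B-A8EA-8ED705F6FD12}: NameServer = 66.75.164.89,66.75.164.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{8457999C-ECF5-4ECE-A006-414A2AA6E5CF}: NameServer = 66.75.164.90
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: System Manger Service 32 (SMSC) - Unknown owner - C:\WINDOWS\system\smsc.exe (file missing)
"""


def parse_log(text):
    """Return every entry line of the log as an Entry(section, body)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the heuristics; 'flag' needs a close look, 'review' is context."""
    findings = []
    for e in entries:
        body_l = e.body.lower()
        if e.section == "O4" and "rundll32" in body_l and RANDOM_DLL_RE.search(e.body):
            findings.append(Finding("flag", e.section,
                                    "rundll32 autorun of an 8-letter DLL in System32", e.body))
        elif e.section == "O23" and ("(file missing)" in body_l or "unknown owner" in body_l):
            findings.append(Finding("flag", e.section,
                                    "service with missing binary or unknown publisher", e.body))
        elif e.section == "O17" and "nameserver" in body_l:
            findings.append(Finding("review", e.section,
                                    "per-adapter DNS override; confirm against the ISP resolvers", e.body))
        elif e.section == "R0" and "start page" in body_l:
            findings.append(Finding("review", e.section,
                                    "browser start page setting", e.body))
    return findings


def nameservers(entries):
    """Collect the distinct DNS server addresses named in O17 entries."""
    servers = set()
    for e in entries:
        if e.section == "O17" and "NameServer =" in e.body:
            _, _, value = e.body.partition("NameServer =")
            servers.update(ip.strip() for ip in value.split(",") if ip.strip())
    return servers


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for f in triage(parsed):
        print(f"[{f.level.upper():6}] {f.section}: {f.reason}\n          {f.body}")
    print("DNS servers seen:", ", ".join(sorted(nameservers(parsed))))
```

The split between "flag" and "review" is deliberate: a missing service binary or a randomly named DLL loaded at logon is worth a reviewer's time on almost any machine, whereas a NameServer override or a start page is only meaningful once compared with what the owner and ISP expect.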



#2 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests: Horse riding, computers

Posted 22 May 2007 - 12:29 AM

Hi kekoiula, and welcome to Tom Coyote forums

I am currently looking over your log. It shouldn't be too long. I will post back shortly.

Thanks for your patience!
dan

#3 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests: Horse riding, computers

Posted 22 May 2007 - 01:14 AM

Hi kekoiula

Before I start to clean you up I need to check a couple of things out, otherwise it will not be possible to secure your system to any degree as it will just keep getting reinfected.

Accordingly, please do the following:
  • Download a diagnostic tool (MGADiag.exe) from >here< and save this to your Desktop.
  • Double-click on MGADiag.exe.
  • When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
  • Please post the results in your next reply.
Thanks dan

Edited by dan12, 22 May 2007 - 01:15 AM.


#4 kekoiula

kekoiula

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 22 May 2007 - 05:07 AM

Diagnostic Report (1.7.0012.0):
-----------------------------------------
WGA Data-->
Validation Status: Blocked VLK
Detailed Status: N/A
Windows Product Key: *****-*****-YXRKT-8TG6W-2B7Q8
Windows Product Key Hash: RVvFciZMdQfJLyDpZteolhaqicQ=
Windows Product ID: 55274-640-0000356-23467
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.0.0.pro
ID: 132bf194-51e6-435b-b5fd-86b80c32dc66
Is Admin: Yes
AutoDial: No
Registry: 0x0
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic:
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 101 Not Activated
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-3178-80070002_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>132bf194-51e6-435b-b5fd-86b80c32dc66</UGUID><Version>1.7.0012.0</Version><OS>5.1.2600.2.00010100.0.0.pro</OS><PKey>*****-*****-*****-*****-2B7Q8</PKey><PID>55274-640-0000356-23467</PID><PIDType>1</PIDType><SID>S-1-5-21-1547161642-823518204-725345543</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 8200 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A07</Version><SMBIOSVersion major="2" minor="3"/><Date>20020718******.******+***</Date></BIOS><HWID>F25F3F8F0184C052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Hawaiian Standard Time(GMT-10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{91130409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Office XP Small Business</Name><Ver>10</Ver><Val>9EC5741EE2618BC</Val><Hash>ugZnxnYLogw41GLCF+851IAsDAE=</Hash><Pid>54188-OEM-1792394-95230</Pid><PidType>4</PidType></Product></Products></Office></Software></GenuineResults>

#5 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests: Horse riding, computers

Posted 22 May 2007 - 02:18 PM

Will be back shortly; having notification problems myself with the forum. Sorry for any delay. dan

#6 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests: Horse riding, computers

Posted 22 May 2007 - 03:55 PM

Hi kekoiula, it seems from your returned report that your copy of Windows XP is not legitimate. For that reason I'm not able at this point to assist you with the clean-up of your computer. I'm bound by forum policy on this matter. If you purchased this copy of XP from a reseller or retailer, you are a victim and should report this to Microsoft. Have you had problems in the past with this? Your machine is heavily infected; not running with a service pack has been your main cause of infection, as you wouldn't have been able to download any service pack or Windows updates. Thanks dan
