Possible Browser Hijack.

I have an issue where whenever I use a search engine and click on the resulting links, I get redirected to another site. Also, my browser seems to be running slower than usual, occasionally freezing up. I've had problems with Adaware and other such programs locking up on me as well, and Hijackthis closes itself a few seconds after scanning. It would be much appreciated if someone could help me out with this. Here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:43:57 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\aspi299689.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Administrator\My Documents\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3790D8DE-D52B-AA77-11B3-02D498C808C5} - C:\WINNT\System32\qojnyo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [knwrqnn.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\knwrqnn.dll,djdzxod
O4 - HKLM\..\Run: [dmfjy.exe] C:\WINNT\System32\dmfjy.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BDA58EC-73D2-4C8E-853F-4C78F10F086E}: NameServer = 85.255.114.2,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{99696639-47B2-41B7-9C4B-67E85D501ED9}: NameServer = 85.255.114.2,85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\System32\aspi299689.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

Comments

  • SpywareShooter
    edited September 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O2 - BHO: (no name) - {3790D8DE-D52B-AA77-11B3-02D498C808C5} - C:\WINNT\System32\qojnyo.dll
    O4 - HKLM\..\Run: [dmfjy.exe] C:\WINNT\System32\dmfjy.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BDA58EC-73D2-4C8E-853F-4C78F10F086E}: NameServer = 85.255.114.2,85.255.112.117
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99696639-47B2-41B7-9C4B-67E85D501ED9}: NameServer = 85.255.114.2,85.255.112.117
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
    O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\System32\aspi299689.exe

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe
    C:\WINNT\System32\qojnyo.dll
    C:\WINNT\System32\dmfjy.exe
    C:\WINNT\System32\aspi299689.exe

    [STEP 3] Run Additional Tools:
    Your computer is infected with a malicious piece of software known as "WareOut". Removal of this software is much easier with a tool created just for WareOut removal. Please download FixWareout from the link below to your desktop and post the log it gives:

    http://downloads.subratam.org/Fixwareout.exe

    [STEP 4] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
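An added example, not part of this thread and not code from HijackThis or any of the tools mentioned: a small Python triage script that applies the reasoning behind the list above to log lines of this shape. It flags O17 NameServer entries that point at resolvers outside a trusted set (the cause of search results redirecting), O23 services with no publisher ("Unknown owner"), unnamed BHOs loaded from a random-looking System32 DLL, and Run values named after their own file or after a Windows component. The sample log is constructed from entries in the posted log; TRUSTED_DNS, MASQUERADE_NAMES and the heuristics themselves are assumptions for illustration. The output is a list of entries for a person to review, not a verdict: it also flags the knwrqnn.dll Run entry, which the reply above did not list, so treat that as a candidate to check.

```python
"""Triage heuristics for HijackThis log entries (educational example)."""
import re
from ipaddress import ip_address

# Constructed sample: entries copied from the log posted above, with a few
# legitimate lines kept so the heuristics have clean entries to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3790D8DE-D52B-AA77-11B3-02D498C808C5} - C:\WINNT\System32\qojnyo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [knwrqnn.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\knwrqnn.dll,djdzxod
O4 - HKLM\..\Run: [dmfjy.exe] C:\WINNT\System32\dmfjy.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.2 85.255.112.117
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\System32\aspi299689.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Assumed for the example: the resolvers this machine is expected to use
# (the ISP's or router's address would go here on a real system).
TRUSTED_DNS = {ip_address("192.168.1.1")}

# Assumed list of names malware borrows for a Run value to look like part of Windows.
MASQUERADE_NAMES = {"shell", "explorer", "svchost", "winlogon", "system"}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nameservers(body):
    """Extract the DNS addresses from an O17 body; HJT separates them by ',' or ' '."""
    _, _, value = body.partition("NameServer =")
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def triage_entry(section, body, trusted_dns):
    """Return a reason to review this entry, or None if the heuristics are silent."""
    if section == "O17":
        # A resolver outside the trusted set is what makes search clicks redirect.
        untrusted = []
        for ns in nameservers(body):
            try:
                if ip_address(ns) not in trusted_dns:
                    untrusted.append(ns)
            except ValueError:
                untrusted.append(ns)  # not even an IP address: review it
        if untrusted:
            return "DNS server not in trusted set: " + ", ".join(untrusted)
    elif section == "O23" and " - Unknown owner - " in body:
        return "service binary has no publisher (Unknown owner)"
    elif section == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)" and re.search(
                r"\\system32\\[a-z]{5,8}\.dll$", m.group("path"), re.IGNORECASE):
            return "unnamed BHO loaded from a random-looking System32 DLL"
    elif section == "O4":
        m = RUN_RE.search(body)
        if m:
            name = m.group("name").lower()
            if name.endswith((".exe", ".dll")):
                return "Run value named after its own file"
            if name in MASQUERADE_NAMES:
                return "Run value name imitates a Windows component"
    return None


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Run the heuristics over a whole log; returns [(section, reason, body), ...]."""
    hits = []
    for section, body in parse_entries(log_text):
        reason = triage_entry(section, body, trusted_dns)
        if reason:
            hits.append((section, reason, body))
    return hits


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run on the sample, the script reports six entries: the qojnyo.dll BHO, three Run values, the O17 resolvers and the aspi299689.exe service, while the Adobe and Spybot BHOs, the Java updater and the NVIDIA service pass untouched. The O17 check is the one worth keeping in any log review: a NameServer value set to addresses the owner never configured is the single strongest sign of a redirecting hijack, whatever the rest of the log says.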
  • edited September 2006
    I cannot complete step 2. When I try to delete the files, it gives me the following error message:

    Cannot Delete " ": Access is Denied
    Make sure that the disk is not full or write protected and that the file is not currently in use.
  • SpywareShooter
    edited October 2006
    Please boot into Safe Mode (Press F8 at the BIOS screen when booting) and follow the instructions above.