
Browser hijack?

Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
edited May 2009 in Help / Advice Forum
my computer was recently hit with a bunch of viruses/trojans at once, including a google-redirect annoyance, browser hijacking into new windows, popups for stopsign, car dealerships, etc

as well as a desktop hijack complete with flashing gif and registry changes so it locks it

as well as the antivirus XP 2009 thing

fun stuff

I ran Spybot S&D
Adaware
Malwarebytes Anti-malware
SUPERanti-spyware
and deleted registry items for the desktop hijack (had it before)

still a few things lingering around that none of the programs are fixing/detecting

hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:41 PM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\GABRIE~1\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [muiz] C:\PROGRA~1\COMMON~1\muiz\muizm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000488.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\lpd6e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\lpd6e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3250008656.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [muiz] C:\PROGRA~1\COMMON~1\muiz\muizm.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: karna.dat xkfeaa.dll c:\windows\system32\potibubi.dll,C:\WINDOWS\system32\kahowuhi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6381 bytes

Keep in mind I am almost computer retarded so keep things easy

Raneados on

Posts

  • I'd Fuck Chuck Lidell Up - Registered User regular
    edited May 2009
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    I'd Fuck Chuck Lidell Up on
  • JebusUD - Adventure! Candy Island - Registered User regular
    edited May 2009
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O20 - AppInit_DLLs: karna.dat xkfeaa.dll c:\windows\system32\potibubi.dll,C:\WINDOWS\system32\kahowuhi.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

    That whole block looks pretty fishy.
    O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\GABRIE~1\protect.dll,_IWMPEvents@16

    Don't recognize this, so if you don't know what that is I would remove it.
    O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\lpd6e.exe (User 'SYSTEM')
    Do you know what this is either?

    Remember that if you delete something and it messes a program up, you can always just reinstall that.

    boot into safe mode and then run the programs. (press and hold f8 when the computer is starting)

    JebusUD on
    and I wonder about my neighbors even though I don't have them
    but they're listening to every word I say
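The entry classes JebusUD picks out above (Run values living in TEMP or a user profile, an empty or random-looking value name, a populated AppInit_DLLs line, an O18 filter hijack, orphaned entries) can be checked mechanically. The script below is an added example written for this page, not HijackThis's own logic and not anything posted in the thread; its heuristics are mine and only point a human at lines worth a second look. The sample lines are copied from the log posted above, with two clean entries (NvCplDaemon, avast!) kept as negative controls.

```python
"""Triage a HijackThis log for the entry classes called out in this thread.

The heuristics below are my own (not HijackThis's rules, not advice from the
thread); they only point a human at lines worth a second look.  SAMPLE_LOG is
copied from the log posted above, with two clean entries kept as controls.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\GABRIE~1\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [muiz] C:\PROGRA~1\COMMON~1\muiz\muizm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000488.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\lpd6e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\lpd6e.exe (User 'SYSTEM')
O4 - Startup: ChkDisk.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: karna.dat xkfeaa.dll c:\windows\system32\potibubi.dll,C:\WINDOWS\system32\kahowuhi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
"""

# O4 Run values: hive, [value name], command, optional "(User '...')" suffix.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# O4 Startup-folder items ("Startup:", "Global Startup:", "S-1-5-18 Startup:").
STARTUP_RE = re.compile(r"^O4 - (?:.* )?Startup: (?P<target>.+)$")
# Base name of the first .exe in a command line.
EXE_RE = re.compile(r'([^\\\s"]+)\.exe\b')
# Directories a legitimate autostart has little business living in.
ODD_DIRS = ("\\windows\\temp\\", "\\docume~1\\", "\\local settings\\temp\\", "\\config\\")


def triage(log_text):
    """Return (severity, line, reason) tuples for lines worth a second look."""
    findings = []
    targets_by_name = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            hive, name, cmd = run.group("hive", "name", "cmd")
            low = cmd.lower()
            targets_by_name[name].add(low)
            if any(d in low for d in ODD_DIRS):
                findings.append(("high", line, "autostart from temp/profile/config directory"))
            if not name:
                findings.append(("medium", line, "empty value name"))
            if re.fullmatch(r"[a-z]{12,}", name):
                findings.append(("medium", line, "random-looking value name"))
            exe = EXE_RE.search(low)
            if exe and sum(ch.isdigit() for ch in exe.group(1)) >= 6:
                findings.append(("medium", line, "digit-heavy executable name"))
            if hive.upper().startswith("HKUS\\"):
                findings.append(("low", line, "Run value under the SYSTEM or Default user hive"))
            continue
        startup = STARTUP_RE.match(line)
        if startup:
            target = startup.group("target").lower()
            if target.endswith(".dll") or "= ?" in target:
                findings.append(("medium", line, "Startup item is a DLL or an unresolvable shortcut"))
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("high", line, "AppInit_DLLs populated (DLLs injected into every GUI process)"))
        elif line.startswith("O18 - Filter hijack:"):
            findings.append(("high", line, "MIME filter hijack"))
        elif line.startswith("O22 - ") and line.endswith("(no file)"):
            findings.append(("low", line, "orphaned SharedTaskScheduler entry"))
    # The same value name pointing at different DLLs in different hives is a
    # classic sign of one infection re-registering itself per user.
    for name, cmds in targets_by_name.items():
        if name and len(cmds) > 1:
            findings.append(("medium", f"[{name}]", f"same value name registered with {len(cmds)} different targets"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for sev, line, why in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"{sev:6} {why}\n       {line}")
```

Run it as `python hjt_triage.py` to see the sample scored, or read a saved log with `triage(open("hijackthis.log").read())`. A "high" hit is a reason to look at the file, not proof of infection; the point is that the noisy parts of a log (the two dozen O23 service lines, the vendor Run entries) drop out and the handful of lines a helper would ask about are left.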
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    never heard of this

    Raneados on
  • I'd Fuck Chuck Lidell Up - Registered User regular
    edited May 2009
    Raneados wrote: »
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    never heard of this

    i used to work for emachines. it's pretty much on all of them

    I'd Fuck Chuck Lidell Up on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    oh yeah, also sometimes when I click links, it tries to open them in a new window, and then tries to redirect them to air conditioning places, car sales, adverts for popup stoppers

    seemingly random websites

    Raneados on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    Raneados wrote: »
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    never heard of this

    i used to work for emachines. it's pretty much on all of them

    I mean "how do I get my computer to do this, commie"

    Raneados on
  • JebusUD - Adventure! Candy Island - Registered User regular
    edited May 2009
    Wait... there is a legit program called "super anti spyware" wtf? that sounds like a totally fake name for one of those fake spyware programs.

    JebusUD on
    and I wonder about my neighbors even though I don't have them
    but they're listening to every word I say
  • Captain Vash - Registered User regular
    edited May 2009
    Raneados wrote: »
    Raneados wrote: »
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    never heard of this

    i used to work for emachines. it's pretty much on all of them

    I mean "how do I get my computer to do this, commie"

    Stick your windows disk in the optical drive.

    when it says "press any key to boot to cd rom" press a key

    format the windows partition (probably c: )

    reinstall windows.

    Captain Vash on
  • theclam - Registered User regular
    edited May 2009
    You did run all those scans in safe mode with updated versions, right?

    It looks like you've got some stuff hiding in your temp folders, so I'd run CCleaner to flush all that out.

    Combofix is worth running at this point.

    theclam on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    I'll give them another run through on safemode sans networking later today

    another thing that's started to come up: right before I click on my profile to launch windows, I get a window coming up that's mostly blank with a few chinese/japanese characters and square boxes etc in them

    closing the window does nothing and there's only the "OK" option

    Raneados on
  • saint2e - Registered User regular
    edited May 2009
    One of the first things I usually do is check my hosts file for stupid stuff:

    c:\Windows\system32\drivers\etc\hosts

    that's usually the first stop for these types of things.

    saint2e on
  • rfalias - Registered User regular
    edited May 2009
    Nuke the sonuva bitch.
    Not worth the hassle.

    rfalias on
  • I'd Fuck Chuck Lidell Up - Registered User regular
    edited May 2009
    Raneados wrote: »
    Raneados wrote: »
    you have an emachines so you should have a separate partition of your hard drive dedicated to formatting your computer. looks like it's time to take advantage of it. save your files and nuke it

    never heard of this

    i used to work for emachines. it's pretty much on all of them

    I mean "how do I get my computer to do this, commie"
    ooh well then...


    i can't remember...

    it was either F11 or F12 at startup for your machine.

    some of them you just used F8 depending on how it was set up. should take you to options for your backup partition. you'll have the option for a full system restore with backup. choose that one.

    I'd Fuck Chuck Lidell Up on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    I don't have windows disks

    this computer is about 7 years old
    and has never been reformatted

    yes I know I need to

    no I don't want to spend the 100+ dollars it will take to get new disks

    Raneados on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    saint2e wrote: »
    One of the first things I usually do is check my hosts file for stupid stuff:

    c:\Windows\system32\drivers\etc\hosts

    that's usually the first stop for these types of things.

    there's a lot of bad looking stuff in here all starting with the same IP address

    which is the same as my localhost

    says they were inserted by Spybot Search and Destroy

    Raneados on
  • RBach - Registered User regular
    edited May 2009
    Just reformat already. Even if you remove everything Spybot et al find there's no guarantee you don't also have something they haven't/can't detect anyway. Look up your system's model number on Emachine's site and see if they have any instructions for performing a system recovery.

    RBach on
  • John Matrix - Registered User regular
    edited May 2009
    No need to reformat. The exact same thing happened to me a few months back.

    Check out the BleepingComputer help forums. They were amazingly helpful and the response time was very quick. It's probably some virtumonde trojan. I got mine via a dodgy java update.

    So yeah, check out BleepingComputer, create an account and be sure to post first in the "am I infected" forum. They'll hold your hand and walk you through the whole process.

    Good luck, I'm sure those guys can help you.

    John Matrix on
  • capnrico - Registered User regular
    edited May 2009
    I had good luck with a similar infection using the Avira Antivirus Boot Disk, and then MalwareBytes AntiMalware in safe mode.

    capnrico on
  • I'd Fuck Chuck Lidell Up - Registered User regular
    edited May 2009
    Raneados wrote: »
    I don't have windows disks

    this computer is about 7 years old
    and has never been reformatted

    yes I know I need to

    no I don't want to spend the 100+ dollars it will take to get new disks
    1. did you try my method? because everything you need to format is on your hard drive, and the partition is HEAVILY write protected, so I doubt anything would get infected on it.

    2. as long as your computer was manufactured after 2004 emachines still has your cds, drivers and all for $20. so if the boot with F12 doesn't work out just pay the 20 dollars. it's got the OS, and drivers, and utilities (most of which you won't want but eh)

    I'd Fuck Chuck Lidell Up on
  • matt has a problem - Points to 'off' Points to 'on' - Registered User regular
    edited May 2009
    Raneados wrote: »
    saint2e wrote: »
    One of the first things I usually do is check my hosts file for stupid stuff:

    c:\Windows\system32\drivers\etc\hosts

    that's usually the first stop for these types of things.

    there's a lot of bad looking stuff in here all starting with the same IP address

    which is the same as my localhost

    says they were inserted by Spybot Search and Destroy
    That's actually fine, Spybot redirects stuff that is actually bad to the localhost so you can't browse to it.

    Try Trend Micro's Housecall too. It actually is free (as opposed to all the rest of the 'free online scan' scams) and has caught things that AVG/Spybot/Malwarebytes have missed in the past for me.

    matt has a problem on
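saint2e's hosts-file check and matt's follow-up (loopback entries are a blocklist, not a hijack) are the two halves of one rule: what matters is not that a line is in the file but where it points. The script below is an added example written for this page, not code from Spybot or from anyone in the thread. Its sample hosts file is constructed, and the list of security and update domains it watches is my own assumption of what a home user relies on.

```python
r"""Classify Windows hosts-file entries: blocklist sinkholes vs. hijacks.

Added example with my own rules; the sample file is constructed, not a capture
from the poster's machine.  Point classify() at the real
C:\Windows\system32\drivers\etc\hosts (no file extension) for the same report.
"""
import ipaddress

# Constructed sample.  The sinkhole lines imitate what a blocklist tool such as
# Spybot's immunize feature adds; the redirect lines imitate a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by a blocklist tool (constructed)
127.0.0.1  ads.example-tracker.test
127.0.0.1  www.popup-pusher.test   # trailing comment
0.0.0.0    malware-drop.example.test
# Entries a hijack would add (constructed)
203.0.113.10  www.google.com
203.0.113.10  windowsupdate.microsoft.com
127.0.0.1     www.avast.com
this is not a hosts line
"""

# Security/update domains that a hosts file should never sink or redirect.
# Constructed watch list; extend it with the vendors you actually rely on.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com",
                  "malwarebytes.org", "safer-networking.org", "trendmicro.com")


def classify(hosts_text):
    """Return (hostname, address, verdict) for every mapping in the file."""
    results = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            results.append((line, None, "malformed: first field is not an IP address"))
            continue
        # 127.x / ::1 / 0.0.0.0 as a target means "go nowhere": a blocklist entry.
        sink = addr.is_loopback or addr.is_unspecified
        for host in fields[1:]:
            host_l = host.lower()
            watched = any(host_l == s or host_l.endswith("." + s) for s in WATCH_SUFFIXES)
            if host_l == "localhost":
                verdict = "ok" if sink else "hijack: localhost points away from loopback"
            elif sink and watched:
                # Malware sinks AV/update vendors to stop the victim getting signatures.
                verdict = "suspicious: security/update domain sinkholed"
            elif sink:
                verdict = "sinkhole: blocklist-style entry"
            else:
                # Any public name sent to a real address is a redirect the user did not ask for.
                verdict = f"hijack: public name redirected to {addr}"
            results.append((host, str(addr), verdict))
    return results


def summary(hosts_text):
    """Count verdict classes, so a long file can be judged at a glance."""
    counts = {}
    for _, _, verdict in classify(hosts_text):
        key = verdict.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for host, addr, verdict in classify(SAMPLE_HOSTS):
        print(f"{verdict:55} {addr or '-':15} {host}")
    print(summary(SAMPLE_HOSTS))
```

On the poster's file the thousands of 127.0.0.1 lines would all land in the "sinkhole" bucket, which is the benign case matt describes; the lines to act on are the "hijack" and "suspicious" ones, which are what a Google-redirect or a blocked antivirus update looks like in this file.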
  • Selner - Registered User regular
    edited May 2009
    I had a very similar issue, I somehow managed to get a bunch of trojans and other viruses.

    It took me a bit to find an antivirus thing that actually worked; it found a whole slew of crap I'd managed to get on my machine.

    The program I used:
    Avast! http://www.avast.com/

    It has a scanner that runs while the computer is booting, which is what found the viruses the other scanners couldn't find.

    Selner on
  • shadydentist - Registered User regular
    edited May 2009
    Bite the bullet, and reformat.

    If there are files you want to save, burn a Ubuntu LiveCD which allows you to run the computer in Linux without actually installing anything, and save all of the files that are important to you to an external hard drive or flash disk. Then reformat.

    Actually, if your machine is 7 years old, it's certainly out of warranty anyway and you might just want to give linux a try.

    shadydentist on
  • Raneados - police apologist, you shouldn't have been there, obviously - Registered User regular
    edited May 2009
    I'm not interested in learning linux thanks

    I barely know windows

    Raneados on