1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Browser hijack help needed!!!

Discussion in 'Windows - Virus and spyware problems' started by J-dizzle, Mar 11, 2013.

  1. J-dizzle

    J-dizzle Member

    Joined:
    Mar 11, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    HELP!! I have been trying to battle this dirty MFer all day long!--> called fantastigames #462 - it is redirecting my chrome browser. Im new and cannot post links yet unfortunately.

    I am pretty damn tech savvy and cannot get this jackass off this PC! I regularly troll the afterdawn forums for help and damnit, Im posting because I am flat out stumped on this one. I am always careful where I go on the internet and must have picked this up from a email I think. At any rate, I have tried and used SuperAntiVirus, Spybot S&D, Malwarebytes, Ad-Aware, Windows Defender and CCleaner already, all up to date and full scanned completed. Each has found little crumbs here and there, but cannot remove this browser hijacker. Finally decided to snag HJT and post the log below. Any help would truly be appreciated! Thanks!
     
  2. J-dizzle

    J-dizzle Member

    Joined:
    Mar 11, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Forum would not let me post HJT log "as-is", as there were web links in the IE section. I deleted them out just so could post but all pointed to a healthy web addy.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:37:14 PM, on 3/11/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16464)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Users\jluna\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\lg_fwupdate\fwupdate.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
    C:\PROGRA~2\AD-AWA~1\AdAware.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
    C:\Windows\sysWow64\SearchProtocolHost.exe
    C:\Users\jluna\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\jluna\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\jluna\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\jluna\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\jluna\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\jluna\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: DataMngr - {F2D6C718-7E52-428E-8852-365C4B1A6E36} - C:\PROGRA~2\SETTIN~1\Datamngr\BROWSE~1.DLL
    O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    O4 - HKLM\..\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
    O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\lgfw.exe" blrun
    O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\SETTIN~1\Datamngr\DATAMN~1.EXE
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
    O4 - HKCU\..\Run: [Google Update] "C:\Users\jluna\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = C:\Users\jluna\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = joefoss.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = joefoss.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = joefoss.local
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O20 - AppInit_DLLs: C:\PROGRA~3\Wincert\WIN32C~1.DLL C:\PROGRA~2\SETTIN~1\Datamngr\datamngr.dll C:\PROGRA~2\SETTIN~1\Datamngr\IEBHO.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    O23 - Service: Intel(R) PROSet Monitoring Service - Unknown owner - C:\Windows\system32\IProsetMonitor.exe (file missing)
    O23 - Service: Intel(R) Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: NTRU TSS v1.2.1.36 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: Wave Authentication Manager Service - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 12082 bytes
     
    Last edited: Mar 11, 2013
  3. JST1946

    JST1946 Regular member

    Joined:
    Jul 15, 2011
    Messages:
    901
    Likes Received:
    2
    Trophy Points:
    26
  4. J-dizzle

    J-dizzle Member

    Joined:
    Mar 11, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    I saw this program in another thread, but have not tried it until someone responded something to my question. I will try it tomorrow morning as a different PC (work) is the infected one. Thanks.
     
  5. J-dizzle

    J-dizzle Member

    Joined:
    Mar 11, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Well... I tried rogue killer as suggested, it did find about 5 or 6 files, deleted out. Rebooted and opened chrome, hijacker is still there. Booted in safe mode with no networking and re-ran all full scans (except ad-aware - wouldnt "validate activation") and all scans showed nothing, even rogue killer came up empty a second time. Any other suggestions?
     
  6. JST1946

    JST1946 Regular member

    Joined:
    Jul 15, 2011
    Messages:
    901
    Likes Received:
    2
    Trophy Points:
    26
    Try this one and see if it does any good.This is the Pro version that is good for 30 days.If it doesn't help you can always uninstall it.

    http://www.revouninstaller.com/
     
  7. J-dizzle

    J-dizzle Member

    Joined:
    Mar 11, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Tried it and no help at all.

    *EDIT*
    GOT IT!!! There was an additional option in chrome settings to force chrome to open a set page upon start up that was bringing up the recurring redirect. After deleting that option and removing the additional options for the redirect for home button and search engine, I finally can close the browser and re-open without the redirect happening.

    Thanks much for the previous help and suggestions.
     
    Last edited: Mar 12, 2013
  8. JST1946

    JST1946 Regular member

    Joined:
    Jul 15, 2011
    Messages:
    901
    Likes Received:
    2
    Trophy Points:
    26
    Your welcome.Glad to hear you finally solved your problems.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,690
    Likes Received:
    35
    Trophy Points:
    78
    Sorry I didn't see this thread sooner. The problem is Datamngr and IEBHO.dll it's a backdoor Trojan and shows up in this line in HJT:

    O20 - AppInit_DLLs: C:\PROGRA~3\Wincert\WIN32C~1.DLL C:\PROGRA~2\SETTIN~1\Datamngr\datamngr.dll C:\PROGRA~2\SETTIN~1\Datamngr\IEBHO.dll

    Hope you were able to delete the IEBHO.dll file - it can come back to haunt you and it will steal info from your computer..

    2oG
     

Share This Page