IE7 & FF Browsers on XP SP2 hacked on Shaw - Canadian TV, Computing and Home Theatre Forums
post #1 of 15 (permalink) Old 2008-06-26, 08:05 PM Thread Starter
Veteran
 
Join Date: Apr 2004
Location: Calgary, Shaw Digital HD Plus, 3416 & Expander
Posts: 6,315
IE7 & FF Browsers on XP SP2 hacked on Shaw

I cannot access any search sites. They are all unavailable.
I do not know where to start. I've run virus checks with no help.

Please help me!!
JesseJ is offline  
post #2 of 15 (permalink) Old 2008-06-26, 08:09 PM
Moderator
 
Join Date: Feb 2005
Location: Nova Scotia
Posts: 3,208
Sounds like your browser may have been hijacked. You can download HiJackThis and go through the items it lists.

http://www.download.com/Trend-Micro-...-10227353.html
QuickSilver is online now  
post #3 of 15 (permalink) Old 2008-06-26, 08:14 PM Thread Starter
Veteran
 
Join Date: Apr 2004
Location: Calgary, Shaw Digital HD Plus, 3416 & Expander
Posts: 6,315
I can't go to download.com. Browser will not let me.
JesseJ is offline  
post #4 of 15 (permalink) Old 2008-06-26, 08:26 PM
Moderator
 
Join Date: Feb 2004
Location: Vancouver, BC
Posts: 4,665
Try going straight to Trend Micro's website to download: http://www.trendsecure.com/portal/en...ols/hijackthis

If you have another PC you can try downloading it there and putting on a flashdrive for install.
JohnnyCanuck is offline  
post #5 of 15 (permalink) Old 2008-06-26, 08:28 PM Thread Starter
Veteran
 
Join Date: Apr 2004
Location: Calgary, Shaw Digital HD Plus, 3416 & Expander
Posts: 6,315
I can use safari.
So after I get my list, then what? How do I know what's not right?
JesseJ is offline  
post #6 of 15 (permalink) Old 2008-06-26, 08:53 PM
Moderator
 
Join Date: Apr 2003
Location: Gatineau and Ottawa
Posts: 11,017
Try rebooting into safe mode. You may be able to download, install and run the apps then if you don't want to use Safari.
Jake is offline  
post #7 of 15 (permalink) Old 2008-06-26, 09:26 PM
Veteran
 
Join Date: May 2006
Location: Calgary
Posts: 1,682
I am a firm believer that once you have been infected by malware, you will never be certain that you have removed it from available methods. I suggest formatting your drive and re-installing.
rsambuca is offline  
post #8 of 15 (permalink) Old 2008-06-27, 07:11 AM
Moderator
 
Join Date: Feb 2005
Location: Nova Scotia
Posts: 3,208
Once you get your list from HiJackThis look for programs and BHO's that appear "out of place" or you can post the log here.
QuickSilver is online now  
post #9 of 15 (permalink) Old 2008-06-27, 11:22 AM
Moderator
 
Join Date: Jan 2004
Location: Lincoln.NB Pop 492,823
Posts: 6,048
Dr Cureit might help you too.

Just by curiosity, can you type any address in the Windows Explorer address bar? If so, then you can access the links others have mentioned.

Hijackthis is the best tool to use. Good luck!

Home Theatre: Yamaha HTR-6190, Klipsch Speakers, SANYO PLV-Z4, TOSHIBA HDDVD, LG BD555C, Cerwin Vega HTS12 Sub, VIP2300, XBox 360, HTPC.
Danster is offline  
post #10 of 15 (permalink) Old 2008-06-27, 07:03 PM
Moderator
 
Join Date: Jan 2004
Location: Lincoln.NB Pop 492,823
Posts: 6,048
Off topic- Talk about service!!

5 moderators to your rescue. If we can't solve this problem, we'll send in the big guns.....57!!!!

Back on topic, any info from what you have on your machine will help us help you better.

Wait a minute, if he can't log on, how can he read this thread?

Home Theatre: Yamaha HTR-6190, Klipsch Speakers, SANYO PLV-Z4, TOSHIBA HDDVD, LG BD555C, Cerwin Vega HTS12 Sub, VIP2300, XBox 360, HTPC.
Danster is offline  
post #11 of 15 (permalink) Old 2008-06-29, 09:10 PM Thread Starter
Veteran
 
Join Date: Apr 2004
Location: Calgary, Shaw Digital HD Plus, 3416 & Expander
Posts: 6,315
haha, thanks guys, I've been away for the weekend and will be able to post my hijackthis results tomorrow.
OS is XP SP2. Firefox and IE are affected, but I can still use Safari. It's only searching on search sites, like Google and Yahoo. I'm with Shaw and am using Shaw Secure for net protection.
JesseJ is offline  
post #12 of 15 (permalink) Old 2008-06-30, 08:19 AM Thread Starter
Veteran
 
Join Date: Apr 2004
Location: Calgary, Shaw Digital HD Plus, 3416 & Expander
Posts: 6,315
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:45 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Webdisk Client UC\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beckett.com/beckettforum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.*********/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins %5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("editor.history_title_0", "The DVD List, brought to you by thefatguy");
user_pref("editor.history_title_1", "thefatguy's Home Theater");
user_pref("editor.history_title_2", "TFG...Simple, Easy, Cuter than a Puppy");
user_pref("editor.history_title_3", "I'm Going Home....thefatguy!!");
user_pr
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\jkkIBQgD.dll (file missing)
O2 - BHO: (no name) - {B83F9733-ACA8-429C-A101-70AD7B238B8C} - C:\WINDOWS\system32\mlJCRkkK.dll (file missing)
O2 - BHO: {40873610-ce33-5209-7224-b6ed5e3eebbb} - {bbbee3e5-de6b-4227-9025-33ec01637804} - C:\WINDOWS\system32\wdubdk.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\THEJUI~1\LOCALS~1\Temp\gpginst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://thefatguyjj.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200635354716
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{574E2886-5695-472A-BDDB-DDC5021FDAAA}: NameServer = 85.255.116.55,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8D3BDD-F58E-4AB8-91CE-A7E9BCE8AB53}: NameServer = 85.255.116.55,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.154


--
End of file - 25272 bytes

After going through things that didn't look correct, Google is working again on Firefox 3. If there are any more suspicious-looking entries, let me know.
Thanks for all the help.
JesseJ is offline  
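The log above is the kind of thing the thread asks readers to eyeball for entries that look "out of place". As an added example (not code from the thread or from any poster), here is a small triage script that applies the checks a defender would run over HijackThis lines: BHOs whose DLL is missing or that have no readable name, autostart entries launched from a Temp directory, and O17 NameServer entries that are not on a trusted resolver list. The sample input is copied from the posted log; the trusted DNS list is a placeholder (documentation-range addresses) standing in for the ISP's real resolvers, which the thread does not state.

```python
import re
from dataclasses import dataclass

# Lines taken from the HijackThis log posted in the thread, used here as
# constructed sample input (one benign Java entry is kept as a control).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\jkkIBQgD.dll (file missing)
O2 - BHO: {40873610-ce33-5209-7224-b6ed5e3eebbb} - {bbbee3e5-de6b-4227-9025-33ec01637804} - C:\WINDOWS\system32\wdubdk.dll
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\THEJUI~1\LOCALS~1\Temp\gpginst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{574E2886-5695-472A-BDDB-DDC5021FDAAA}: NameServer = 85.255.116.55,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.154
""".strip().splitlines()

# Placeholder allowlist (documentation range). Replace with the resolvers
# your ISP or DHCP server actually hands out; this is an assumption.
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2", "O4", "O17"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


def analyze(lines, trusted_dns):
    """Return a list of Findings for log lines that match a triage heuristic."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path.endswith("(file missing)"):
                # Registration survived but the DLL is gone: leftover of a
                # removed or self-hiding component.
                findings.append(Finding("O2", "BHO registered but its DLL is missing", line))
            if name == "(no name)" or GUID_RE.match(name):
                # Legitimate BHOs almost always carry a product name.
                findings.append(Finding("O2", "BHO without a readable name", line))
            continue

        m = O4_RE.match(line)
        if m:
            if re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
                findings.append(Finding("O4", "autostart program launched from a Temp directory", line))
            continue

        m = O17_RE.match(line)
        if m:
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            rogue = [s for s in servers if s and s not in trusted_dns]
            if rogue:
                # Changed resolvers redirect every lookup, which is exactly
                # the "search sites unreachable" symptom in the thread.
                findings.append(Finding("O17", "DNS servers not in trusted list: " + ", ".join(rogue), line))
    return findings


def run_sample():
    """Run the triage over the sample lines; returns the findings."""
    return analyze(SAMPLE_LOG, TRUSTED_DNS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The heuristics are deliberately conservative: a hit means "inspect this", not "delete this", and the O17 check in particular only works once the trusted resolver set reflects what the ISP really assigns.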
post #13 of 15 (permalink) Old 2008-06-30, 09:54 AM
 
Join Date: May 2005
Location: Ottawa
Posts: 346
I would say you have a trojan installed. Much harder to remove than simple browser hijacks since it re-inserts itself, hides registry keys and is generally a pain to clean. You can see some possible older occurrences of problems with those missing xSsdSSs.dll entries. You're not running a clean system.

Try the Trend Micro link above or I'd recommend Spyware Doctor. I've had great success using this to help people clean their systems.
heybirder is offline  
post #14 of 15 (permalink) Old 2008-06-30, 11:10 AM
Veteran
 
Join Date: May 2006
Location: Calgary
Posts: 1,682
Like I said before, reformat and re-install. You can never be sure that you have removed the malware, and in a tenth of the time that you already have spent trying to detect and fix your system, you could have already reinstalled and been using a clean, fast installation.
rsambuca is offline  
post #15 of 15 (permalink) Old 2008-06-30, 11:43 AM
Moderator
 
Join Date: Jan 2004
Location: Lincoln.NB Pop 492,823
Posts: 6,048
Have you tried Dr Web CureIt? I had a friend's computer that had a nasty virus on it. The only thing that managed to disable it enough for me to do anything was Dr CureIt. Search it in Google and you'll see how good a program it is. It has found trojans on my computer that Norton or AVG hadn't even seen before!!!

Home Theatre: Yamaha HTR-6190, Klipsch Speakers, SANYO PLV-Z4, TOSHIBA HDDVD, LG BD555C, Cerwin Vega HTS12 Sub, VIP2300, XBox 360, HTPC.
Danster is offline  