: IE7 & FF Browsers on XP SP2 hacked on Shaw

2008-06-26, 08:05 PM
I cannot access any search sites. They are all unavailable.
I do not know where to start. I've run virus checks with no help.

Please help me!!

2008-06-26, 08:09 PM
Sounds like your browser may have been hijacked. You can download HiJackThis and go through the items it lists.


2008-06-26, 08:14 PM
I can't go to download.com. Browser will not let me.

2008-06-26, 08:26 PM
Try going straight to Trend Micro's website to download: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

If you have another PC you can try downloading it there and putting on a flashdrive for install.

2008-06-26, 08:28 PM
I can use safari.
So after I get my list, then what? How do I know whats not right?

2008-06-26, 08:53 PM
Try rebooting into safe mode. You may be able to download, install and run the apps then if you don't want to use Safari.

2008-06-26, 09:26 PM
I am a firm believer that once you have been infected by malware, you will never be certain that you have removed it from available methods. I suggest formatting your drive and re-installing.

2008-06-27, 07:11 AM
Once you get your list from HiJackThis look for programs and BHO's that appear "out of place" or you can post the log here.

2008-06-27, 11:22 AM
Dr Cureit might help you too.

Just by curiousity, can you type any address in the windows explorer address bar? If so, then you can access the links others have mentionned.

Hijackthis is the best tool to use. Good luck!

2008-06-27, 07:03 PM
Off topic- Talk about service!! :)

5 moderators to your rescue. If we can't solve this problem, we'll send in the big guns.....57!!!! :o

Back on topic, any info from what you have on your machine will help us help you better.

Wait a minute, if he can't log on, how can he read this thread?

2008-06-29, 09:10 PM
haha, thanks guys, I've been away for the weekend and will be able to post my hijackthis results tomorrow.
OS is XP SP2, Firefox and IE are affected, but I can still use Safari. It's only searching on searc sites, like google and yahoo. I'm with Shaw and am using Shaw Secure for net protection.

2008-06-30, 08:19 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:45 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Webdisk Client UC\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beckett.com/beckettforum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.*********/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins %5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("editor.history_title_0", "The DVD List, brought to you by thefatguy");
user_pref("editor.history_title_1", "thefatguy's Home Theater");
user_pref("editor.history_title_2", "TFG...Simple, Easy, Cuter than a Puppy");
user_pref("editor.history_title_3", "I'm Going Home....thefatguy!!");
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\jkkIBQgD.dll (file missing)
O2 - BHO: (no name) - {B83F9733-ACA8-429C-A101-70AD7B238B8C} - C:\WINDOWS\system32\mlJCRkkK.dll (file missing)
O2 - BHO: {40873610-ce33-5209-7224-b6ed5e3eebbb} - {bbbee3e5-de6b-4227-9025-33ec01637804} - C:\WINDOWS\system32\wdubdk.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\THEJUI~1\LOCALS~1\Temp\gpginst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://thefatguyjj.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200635354716
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{574E2886-5695-472A-BDDB-DDC5021FDAAA}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8D3BDD-F58E-4AB8-91CE-A7E9BCE8AB53}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =

End of file - 25272 bytes

After going through things that didn't look correct, google is working again on firefox 3. If there are any more suspicious looking entries, let me know.
Thanks for all the help.

2008-06-30, 09:54 AM
I would say you have a trojan installed. Much harder to remove than simple brower hijacks since it re-inserts itself, hide registry keys and generally a pain to clean. You can see some possible older occurances of problems with those mising xSsdSSs.dll entries. You're not running a clean system.

Try the Trend Micro link above or I'd recommend Spyware Doctor (http://www.pctools.com/spyware-doctor/). I've had great success using this to help people clean their systems.

2008-06-30, 11:10 AM
Like I said before, reformat and re-install. You can never be sure that you have removed the malware, and in a tenth of the time that you already have spent trying to detect and fix your system, you could have already reinstalled and been using a clean, fast installation.

2008-06-30, 11:43 AM
Have you tried Dr Web Cureit? I had a friends computer that had a nasty virus on it. The only thing that managed to disable it enough for me to do anything was Dr Cureit. Search it in google and you'll see how good a program it is. It has found trojans on my computer that Norton or AVG hadn't even seen before!!!