
NEED Help! something has Hijacked my firefox :(

Hi guys (and girls, not wanting to sound sexist lol), about 2 hrs ago I downloaded a password recovery tool (my gf has forgotten her password to her old hard drive and didn't really want to reformat, so I stuuupidly thought I'd have a go with virtually no knowledge in this area lol).

Anyways, I got duped :( I've since deleted the program (it wouldn't let me, so I renamed it from .exe to .jpeg and that seemed to work). Since then, whatEVER I put into the top left form field of Firefox takes me to a ?fake? Google home page (it obviously wants me to put my search in the main window, sending back info/passwords I use?), but the URL of this window is NOT Google! It's ......

file:///C:/Documents%20and20Settings/MYACCOUNTNAME/Application%20Data/ToolbarInstaller/ToolbarInstaller/1.0.0.0/google.html

?? What on earth is that? I've scanned with Avast, I even scanned the .exe before I opened it, but it didn't find it unsafe; that was wrong, obviously :/

Any help would be greatly appreciated! I usually like to try to work things out by myself, but I haven't the SLIGHTEST grasp on what this could be, and I've been at it for 2 hrs now. I've uninstalled/reinstalled Firefox, old and new versions, deleted Everything in the %APPDATA% Mozilla folder, but nothing helps; it's got its hooks well buried. Oh, and system restore points have gone. IE works fine at the moment though, but I'm very worried about passwords etc. now.

Sorry for the waffle, just trying to give as Much info as possible.

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:55:36 PM, on 5/24/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:\\C:\Program Files\Internet Explorer\MyGoogle.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6522 bytes


Thanks in advance for any help :)

Anomic144
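As an added example (not part of the original post, and not HijackThis's own code), a small Python triage script over lines in HijackThis format. It flags the three things worth a second look in a log like the one above: R0/R1 start or search pages that point at a local file instead of a web URL (the MyGoogle.html entry), O2/O3 BHO or toolbar registrations whose DLL is listed as (no file), and O4 autostart entries launched from a per-user data folder such as Application Data. The sample lines are copied from the log except the last O4 line, which is constructed to exercise that third check. These are indicators, not verdicts: an orphaned BHO is a leftover registration and may be harmless, and a local file as start page is odd but still needs to be opened and read before calling it malicious.

```python
"""Triage a HijackThis-style log for browser-hijack indicators.

Added example, not from the forum thread or from HijackThis. Heuristics:
  * R0/R1 value is a local path or file: URL where a web URL belongs
  * O2/O3 BHO or toolbar entry whose DLL is "(no file)"
  * O4 autostart whose command lives in a per-user data directory
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis format. All lines but the last are copied
# from the log in the post; the last O4 line is made up for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:\\C:\Program Files\Internet Explorer\MyGoogle.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Toolbar] C:\Documents and Settings\USER\Application Data\ToolbarInstaller\tbi.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R0", "O2", "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# A drive letter or file: scheme where a http(s) URL is expected.
LOCAL_URL = re.compile(r"^(file:|[a-zA-Z]:\\)", re.IGNORECASE)
# Per-user data directories an autostart entry normally has no business in.
PROFILE_DIR = re.compile(r"(Application Data|AppData|Local Settings|Temp)\\", re.IGNORECASE)
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a hijack indicator."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, blank, or "End of file"
        section, body = m.group(1), m.group(2)
        if section.startswith("R"):
            # Body is "<registry key>,<value name> = <URL>"; an empty URL is
            # a reset default and is not flagged.
            _, _, value = body.partition(" = ")
            value = value.strip()
            if value and LOCAL_URL.match(value):
                findings.append(Finding(section, "start/search page points at a local file", line))
        elif section in ("O2", "O3"):
            if body.endswith("(no file)"):
                findings.append(Finding(section, "BHO/toolbar registered but DLL missing", line))
        elif section == "O4":
            if PROFILE_DIR.search(body):
                findings.append(Finding(section, "autostart entry runs from a user profile directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Entries the script is silent on (signed vendor services under O23, Program Files autostarts) are not thereby clean; the point is to narrow a 100-line log to the handful of lines a human should read first.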

Comments

  • dogmaryxx (Posts: 2,446 Forumite)
    Download MALWAREBYTES (make sure you click 'DOWNLOAD LATEST VERSION'):

    http://www.filehippo.com/download_ma..._anti_malware/

    Open Malwarebytes, go to UPDATE and click 'Check for updates'. After it's updated, go to SCANNER, click PERFORM QUICK SCAN, then click SCAN.

    Remove everything that's found (needs to be ticked).

    Post the COMPLETE log here AFTER you've deleted everything it finds.

    If anything was found, then do the exact same but run a FULL scan.



  • Wow, thank you! That was a quick reply.

    I shall do that now!

    Am I understanding right that, if it HAS found stuff, I still move on to a FULL scan after? And the complete log of Malwarebytes or HijackThis?

    Thanks again, really appreciate it :)
  • dogmaryxx (Posts: 2,446 Forumite)
    Anomic144 wrote: »
    Am I understanding right that, if it HAS found stuff, I still move on to a FULL scan after? And the complete log of Malwarebytes or HijackThis?

    :)

    Yes. Post all logs for Malwarebytes.
  • closed (Posts: 10,886 Forumite)
    edited 24 May 2011 at 7:02PM
    Doing a full scan instead will save time; fix anything found before closing.

    Delete C:/Documents and Settings/MYACCOUNTNAME/Application Data/ToolbarInstaller

    If it's just Firefox and not IE, back up your bookmarks, uninstall Firefox, delete any Firefox profiles, and reinstall it, or install the portable version.
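The three steps in the reply above (back up bookmarks, delete the ToolbarInstaller folder, remove the Firefox profiles before reinstalling) as an added Python script; this is example code, not the forum's or Mozilla's own. It resolves %APPDATA% from the environment instead of browsing to it, which sidesteps the hidden-folder problem on XP. The prefs.js scan is an assumption: a local-page redirect is commonly set through a string pref such as browser.startup.homepage or keyword.URL, but the thread never established where this one lived (the poster said clearing the Mozilla folder did not fix it), so the scan only reports what it finds. `demo()` builds a constructed fixture in a temporary directory so the script runs anywhere without touching a real profile; on the affected machine you would call `reset_firefox(Path(os.environ["APPDATA"]), backup_dir)` with Firefox closed.

```python
"""Back up bookmarks, report file: prefs, and remove the hijacked folders.

Added example, not from the thread. Assumptions (labelled): Firefox keeps
profiles under %APPDATA%\\Mozilla\\Firefox\\Profiles, bookmarks live in
places.sqlite / bookmarkbackups/, and a local-page redirect would show up as
a user_pref(...) string value beginning with "file:" in prefs.js or user.js.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Matches string-valued prefs only: user_pref("name", "value");
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')
BOOKMARK_ITEMS = ("places.sqlite", "bookmarks.html", "bookmarkbackups")


def suspicious_prefs(profile: Path) -> list:
    """Return (pref, value) pairs from prefs.js/user.js whose value is a file: URL."""
    hits = []
    for name in ("prefs.js", "user.js"):
        f = profile / name
        if not f.is_file():
            continue
        text = f.read_text(encoding="utf-8", errors="replace")
        hits += [(p, v) for p, v in PREF_RE.findall(text) if v.lower().startswith("file:")]
    return hits


def reset_firefox(appdata: Path, backup_dir: Path) -> dict:
    """Copy bookmarks out, then delete ToolbarInstaller and the profiles directory."""
    report = {"bookmarks_backed_up": [], "suspicious_prefs": [], "removed": []}
    profiles = appdata / "Mozilla" / "Firefox" / "Profiles"
    backup_dir.mkdir(parents=True, exist_ok=True)
    if profiles.is_dir():
        for profile in profiles.iterdir():
            report["suspicious_prefs"] += suspicious_prefs(profile)
            for item in BOOKMARK_ITEMS:
                src = profile / item
                if not src.exists():
                    continue
                dst = backup_dir / profile.name / item
                dst.parent.mkdir(parents=True, exist_ok=True)
                if src.is_dir():
                    shutil.copytree(src, dst, dirs_exist_ok=True)
                else:
                    shutil.copy2(src, dst)
                report["bookmarks_backed_up"].append(dst.relative_to(backup_dir).as_posix())
    # Only after the backup exists do we delete anything.
    for target in (appdata / "ToolbarInstaller", profiles):
        if target.exists():
            shutil.rmtree(target)
            report["removed"].append(target.relative_to(appdata).as_posix())
    return report


def demo() -> dict:
    """Build a constructed XP-style layout in a temp dir and run the reset on it."""
    root = Path(tempfile.mkdtemp())
    appdata = root / "Application Data"
    profile = appdata / "Mozilla" / "Firefox" / "Profiles" / "abcd1234.default"
    (profile / "bookmarkbackups").mkdir(parents=True)
    (profile / "bookmarkbackups" / "bookmarks-2011-05-24.json").write_text("[]")
    (profile / "places.sqlite").write_bytes(b"SQLite format 3\x00")
    # Constructed prefs: one redirect to the hijacker's local page, one benign pref.
    (profile / "prefs.js").write_text(
        'user_pref("browser.startup.homepage", '
        '"file:///C:/Documents%20and%20Settings/USER/Application%20Data/ToolbarInstaller/google.html");\n'
        'user_pref("browser.search.defaultenginename", "Google");\n'
    )
    hijack = appdata / "ToolbarInstaller" / "ToolbarInstaller" / "1.0.0.0"
    hijack.mkdir(parents=True)
    (hijack / "google.html").write_text("<html></html>")

    report = reset_firefox(appdata, root / "firefox-backup")
    report["toolbar_gone"] = not (appdata / "ToolbarInstaller").exists()
    report["backup_intact"] = (root / "firefox-backup" / "abcd1234.default" / "places.sqlite").is_file()
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(demo())
```

The order matters: the backup is written before anything is removed, and the ToolbarInstaller folder is deleted as a tree from its %APPDATA% root, so the nested ToolbarInstaller/1.0.0.0/google.html the poster saw goes with it.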
  • Right, I ran Malwarebytes and it found 4 items, but the sodding PC randomly shut down as I was deleting objects. When it restarted I ran the scan again and it found no threats, so it must have deleted them before? The log I obtained is unfortunately AFTER the objects were deleted.

    I found the objects in the quarantine but deleted them Before I realised they weren't contained in the log :/

    I remember one was called Hijack.control.panel
    and three were called PUM.something, I can't remember too well.

    Here's the log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    Database version: 6664
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    5/24/2011 7:00:48 PM
    mbam-log-2011-05-24 (19-00-48).txt
    Scan type: Quick scan
    Objects scanned: 143068
    Time elapsed: 4 minute(s), 2 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    Also, yeah, I had thought about finding that folder and deleting it, but when I go to MYUSERNAME/ there is no App folder? I have found this before; don't suppose you know why that might be? The only way I can get to it is Run/%APPDATA%, and there is no ToolbarInstaller folder :s

    If you know of a way I could reach that folder, that would be great!

    Anyways, I'll do a full scan now and then see if I can install Firefox safely.

    Cheers for the help, guys! :)
  • EXCELLENT! It's sorted :)

    Did the scans, and located the offending ToolbarInstaller folder and deleted it. Was all back to normal after a reboot :)

    Thanks guys, your help was awesome.

    Cheers :D
This discussion has been closed.