• Google hijack
    11 replies, posted
So I've had a Google hijack which links to adf : network (titties!) and fastsearch/hugosearch, and I was wondering how to get rid of it. MBAM's full scan hasn't tackled the problem at all. Neither has HijackThis or Avast.
[QUOTE=geogzm;27194938]So I've had a Google hijack which links to adf : network (titties!) and fastsearch/hugosearch, and I was wondering how to get rid of it. MBAM's full scan hasn't tackled the problem at all. Neither has HijackThis or Avast.[/QUOTE]
HijackThis isn't a malware remover. It merely creates logs of running processes, startup entries, etc. Try and post a HijackThis log here for us to analyze.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:35:21, on 04/01/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Program Files (x86)\a-squared Free\a2service.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files (x86)\NCH Swift Sound\Axon\axon.exe
C:\Program Files (x86)\NCH Swift Sound\IVM\ivm.exe
C:\Program Files (x86)\iZ3D Driver\Win32\S3DCService.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\NCH Swift Sound\VRS\vrs.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\vsnpstd3.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
C:\Program Files (x86)\Opera\Opera.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Macromedia\Flash MX\Flash.exe
C:\Program Files (x86)\Common Files\Vbox\Common\vboxm.dll
C:\Windows\SysWOW64\RUNDLL32.exe
C:\Windows\SysWOW64\RUNDLL32.exe
C:\Users\Overwatch\AppData\Local\Opera\Opera\temporary_downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
F2 - REG:system.ini: UserInit=userinit.exe,c:\program files (x86)\microsoft\watermark.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rap] "C:\Program Files (x86)\ert\3.exe"
O4 - HKLM\..\Run: [PCTools FGuard] "C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Overwatch\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: ewqely.exe (User 'Default user')
O4 - .DEFAULT User Startup: fuakov.exe (User 'Default user')
O4 - .DEFAULT User Startup: idica.exe (User 'Default user')
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Overwatch\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files (x86)\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Axon Virtual PBX (AxonService) - Unknown owner - C:\Program Files (x86)\NCH Swift Sound\Axon\axon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IVM Answering Attendant (IVMService) - Unknown owner - C:\Program Files (x86)\NCH Swift Sound\IVM\ivm.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files (x86)\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 64-bit 64-bit (mi-raysat_3dsMax2009_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe (file missing)
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: S3D Service (Win32) - iZ3D Inc. - C:\Program Files (x86)\iZ3D Driver\Win32\S3DCService.exe
O23 - Service: S3D Service (Win64) - iZ3D Inc. - C:\Program Files (x86)\iZ3D Driver\Win64\S3DCService.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VRS Recording System (VRSService) - Unknown owner - C:\Program Files (x86)\NCH Swift Sound\VRS\vrs.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 9464 bytes
[QUOTE=geogzm;27195693] F2 - REG:system.ini: UserInit=userinit.exe,c:\program files (x86)\microsoft\watermark.exe, [/QUOTE] This appears to be the offending file. Removal instructions are here: [url]http://comprolive.com/remove/worm/ramnit/watermark-exe[/url]
<3<3<3 [img]http://gyazo.com/d47b8b79e61bdc92b5410993a9912c30.png[/img] Found the sucker.
Still, I would recommend removing your current antivirus (Avast) and running a scan with Microsoft Security Essentials (it is capable of finding the virus) to be sure it hasn't left any traces behind.
Yeah, I've done this.
Argh, shit, it came back. Those instructions haven't helped at all. I followed them by deleting those files in safe mode, and it's back. Help!
I had this once; it's a son of a bitch to remove, took days. If all else fails, just back up and reformat. OK, but it might also be using a local proxy, so check that (I don't remember how, sorry).
Can't back up/reformat: no recovery CD, and System Restore was useless. No built-in system recovery either.
Stop suggesting that people format, even though it's a shit to remove. I'm pretty sure ComboFix doesn't work on 64-bit systems, so it'll only work if you have 32-bit. You could look here for ComboFix instructions: [url]http://forums.malwarebytes.org/lofiversion/index.php?t69915.html[/url]

You should delete all System Restore points. People say they have removed it by going into safe mode, deleting watermark.exe and some files in C:\Windows\Temp, and by running a couple of different scanners (you could try Malwarebytes, Avira and MSE, for example). Then look in HijackThis and remove the entries:

F2 - REG:system.ini: UserInit=userinit.exe,c:\program files (x86)\microsoft\watermark.exe

and I'm pretty sure this one isn't good either:

O4 - HKLM\..\Run: [rap] "C:\Program Files (x86)\ert\3.exe"

I'm not sure about these ones; they seem to be random strings and I doubt they're much good, so you'll just have to look for yourself. If I were in your position, I would delete them.

O4 - .DEFAULT User Startup: ewqely.exe (User 'Default user')
O4 - .DEFAULT User Startup: fuakov.exe (User 'Default user')
O4 - .DEFAULT User Startup: idica.exe (User 'Default user')

[editline]9th January 2011[/editline] Oops, just noticed "Program Files (x86)", so you have 64-bit, so ComboFix is not an option.
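The manual triage in the post above (pick the UserInit entry that chains a second program, the Run entry under a throwaway folder name, and the executables dropped into the Default User Startup folder) can be scripted so it is repeatable after every reboot. The block below is an added example, not code from the thread, from HijackThis or from Malwarebytes. It parses HijackThis-format lines and flags those three patterns. The sample log is an excerpt of the log posted earlier in the thread plus a few of its benign entries; the "short token" threshold (three characters or fewer) and the assumption that the only genuine userinit.exe lives in system32 are my own heuristics, not anything HijackThis does.

```python
"""Triage a HijackThis log for the persistence patterns discussed in this thread.

Added example (not code from the thread or from HijackThis). Flags:
  * F2 UserInit values that chain anything besides the real userinit.exe,
  * O4 Run entries whose folder or executable name is a short random token
    (the "ert\\3.exe" pattern),
  * O4 entries planted in the Default User Startup folder.
These are heuristics, not signatures; confirm every hit by hand before deleting.
"""
import ntpath
import re

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.I)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DEFAULT_RE = re.compile(r"^O4 - \.DEFAULT User Startup: (?P<file>.+?)(?: \(User .*\))?$")
SHORT_TOKEN = re.compile(r"^[a-z0-9]{1,3}$", re.I)  # assumed threshold: 1-3 chars


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value (quoted, or bare plus args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # bare path: cut at the first "/switch" or at HijackThis's "(User ...)" suffix
    return re.split(r" (?:/|\(User )", cmd, maxsplit=1)[0].strip()


def _short_token_path(path: str) -> bool:
    """True if the parent folder or the file stem looks like a throwaway name."""
    parent = ntpath.basename(ntpath.dirname(path))
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return any(SHORT_TOKEN.match(t) for t in (parent, stem) if t and not t.endswith(":"))


def _userinit_extras(value: str) -> list[str]:
    """Everything in the comma-separated UserInit list that is not the genuine userinit.exe.

    Assumption: the genuine binary is either a bare 'userinit.exe' or lives in system32.
    """
    extras = []
    for part in (p.strip() for p in value.split(",")):
        if not part:
            continue
        name = ntpath.basename(part).lower()
        folder = ntpath.dirname(part).lower()
        genuine = name == "userinit.exe" and (folder == "" or folder.endswith("system32"))
        if not genuine:
            extras.append(part)
    return extras


def triage(log: str) -> list[tuple[str, str, str]]:
    """Return (entry_type, reason, original_line) for every suspicious entry, in log order."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            for extra in _userinit_extras(m["value"]):
                findings.append(("F2", f"UserInit chains extra program: {extra}", line))
        elif m := O4_RUN_RE.match(line):
            path = _exe_path(m["cmd"])
            if _short_token_path(path):
                findings.append(("O4", f"Run entry [{m['name']}] uses short random path: {path}", line))
        elif m := O4_DEFAULT_RE.match(line):
            findings.append(("O4", f"executable in Default User Startup folder: {m['file']}", line))
    return findings


# Constructed sample: an excerpt of the log posted in this thread, including
# several benign Run entries so the heuristics can be seen not to fire on them.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,c:\program files (x86)\microsoft\watermark.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [rap] "C:\Program Files (x86)\ert\3.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - .DEFAULT User Startup: ewqely.exe (User 'Default user')
O4 - .DEFAULT User Startup: fuakov.exe (User 'Default user')
O4 - .DEFAULT User Startup: idica.exe (User 'Default user')
"""

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run it with python3 and it reports five hits: the watermark.exe chained from UserInit, the [rap] entry under `ert\3.exe`, and the three Default User Startup executables; jusched, Sidebar, Steam and the rundll32 entry are left alone. On the live machine the value HijackThis reports as F2 lives at `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, value `Userinit`, and its default is `C:\Windows\system32\userinit.exe,` (trailing comma included). Resetting it while the dropper is still running just gets it rewritten, which is consistent with the "it came back" report above, so make the change from safe mode and verify it after the next normal boot. Since Ramnit, the family the linked removal page names, also infects existing .exe, .dll and .html files, a clean UserInit value alone is not proof the machine is clean.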
Use Malwarebytes. It has never yet failed for me when working on people's computers. [editline]9th January 2011[/editline] Fuck, rate me bad reading. [editline]9th January 2011[/editline] Try updating MBAM and rescanning? [editline]9th January 2011[/editline] C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
You need to update TeamViewer to the newest version :v: