Medking Posted January 5, 2008
Hey everyone, like two days ago my homepage was hijacked, or what I think was a hijack, and it now appears as some Chinese thing. It's definitely a virus or something, because it happens with several sites, at random, within Firefox. If I can get an Internet connection in IE, then I can't get it in Firefox, and my suspicion is that it is because of this new "thing". I have posted a screenshot to show you the Chinese-lettered page... whether it tells you much I don't know. I ran CCleaner... nothing. I don't have an antivirus right now because I'm renewing my ID or whatever with ESET; Spybot didn't remove or detect it.
Thanks, Medking
shakey_snake Posted January 5, 2008
So, IE is or isn't working correctly?
Salgoth Posted January 5, 2008
Start > All Programs > Firefox > Mozilla Firefox (Safe Mode)... then see if you still have the same issues.
Vettetech Posted January 5, 2008
Well, CCleaner isn't a virus scan nor a spyware scan. Spybot is ineffective nowadays. Use SuperAntiSpyware and Spyware Terminator. Surfing without a virus scan, even when using Firefox, is dumb. You can always uninstall Firefox and reinstall it. Make sure you deleted all files and registry entries. Use MozBackup to back up all your settings.
Uninstall instructions: http://www.tweakguides.com/Firefox_1.html
nonick Posted January 5, 2008
You can also check HijackThis, one of the top programs to delete such crap from your computer. Good luck.
Bryan R. Posted January 5, 2008
Why do you have to wait to renew? Just go to one of the many free online scans:
TrendMicro: http://housecall.trendmicro.com/
Microsoft: http://onecare.live.com/site/en-us/default.htm
Or simply download some free anti-virus and anti-spyware programs. No need to pay stupid yearly subscriptions. And as mentioned, CCleaner does nothing with viruses; it knows nothing about them.
Vettetech Posted January 5, 2008
> Why do you have to wait to renew? Just go to one of the many free online scans:
> TrendMicro: http://housecall.trendmicro.com/
> Microsoft: http://onecare.live.com/site/en-us/default.htm
> Or simply download some free anti-virus and anti-spyware programs. No need to pay stupid yearly subscriptions. And as mentioned, CCleaner does nothing with viruses; it knows nothing about them.
True... Avast is free, but I went with NOD32. It's the best out there and worth the $40.
Bryan R. Posted January 5, 2008
> True... Avast is free, but I went with NOD32. It's the best out there and worth the $40.
Yes, Avast is very good. No doubt, though, that programs that cost some cash are sometimes better than those that do not. I just don't like paying for stuff.
Knife Party Posted January 5, 2008
OK, here's my advice:
1. Download the Kaspersky 7.0 AV trial from here: http://www.filehippo.com/download_kaspersky_antivir/
2. Do an update.
3. Get both SuperAntiSpyware and Spyware Terminator: http://www.filehippo.com/software/antispyware/
4. Do full updates for both.
5. Restart and boot into Safe Mode.
6. Do a full system scan with all 3: Kaspersky AV, Spyware Terminator and SuperAntiSpyware.
7. By the looks of it... something should turn up.
8. Remove and delete all malware.
9. Remove KAV, SuperAntiSpyware + Spyware Terminator if you don't want them anymore.
10. Run CCleaner... do a full registry + program settings clean-up.
11. Restart the PC.
Intelligen Posted January 5, 2008
Or run HijackThis and post the log file that it produces. We will be able to help you point out anything that is "abnormal".
Medking (Author) Posted January 5, 2008
OK guys, thanks a lot for the advice! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:28 AM, on 1/5/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Alex\Documents\Downloads\Programs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\VistaCodecPack\QT\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.712.18632 (GoogleDesktopManager-121807-210419) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9075 bytes

Currently installing the free version of Kaspersky, following up on what Kaboose posted. In Safe Mode it DOES appear!
Thanks, Medking
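A small triage script for a log like the one above, added here as an example; it is not from the thread, from HijackThis, or from any of the posters. The sample lines are copied from the posted log, while the expected-host and known-good Run-entry baselines are constructed for illustration (in practice they come from a clean image of the machine).

```python
import re
from urllib.parse import urlsplit

# Subset of the HijackThis log posted above, used here as constructed test input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_NAME_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\]")
# Constructed baselines: hosts the browser pages may point at, and Run entries
# already known to be legitimate on this machine (normally taken from a clean image).
EXPECTED_PAGE_HOSTS = {"go.microsoft.com", "www.google.co.uk"}
KNOWN_RUN_ENTRIES = {"Windows Defender", "igfxTray", "HotKeysCmds", "Persistence"}

def parse_hjt(text):
    """Return (section, body) pairs for each R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(entries):
    """Mechanical checks only; every finding still needs a human to confirm."""
    findings = []
    for sec, body in entries:
        # Registry still points at a file that is gone: leftover install or tampered entry.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(f"{sec} orphaned: {body}")
        # Start/search pages should only ever point at hosts the user expects.
        if sec in ("R0", "R1") and " = http" in body:
            host = urlsplit(body.split(" = ", 1)[1]).hostname
            if host not in EXPECTED_PAGE_HOSTS:
                findings.append(f"{sec} unexpected page host {host}: {body}")
        # Autostart entries missing from the baseline get a closer look.
        if sec == "O4":
            m = RUN_NAME_RE.search(body)
            if m and m.group("name") not in KNOWN_RUN_ENTRIES:
                findings.append(f"O4 not in baseline: {body}")
        # AppInit_DLLs are loaded into every process that loads user32.dll: always review.
        if sec == "O20":
            findings.append(f"O20 AppInit DLL: {body}")
        if sec == "O23" and "Unknown owner" in body:
            findings.append(f"O23 unknown service owner: {body}")
    return findings
```

Run `triage(parse_hjt(open("hijackthis.log").read()))` against a full log; the baseline sets are the part that has to be tuned per machine.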
Liquidfox Posted January 5, 2008
That image looks suspiciously like the filter page that my school used to use, but in Chinese; it has the same layout and stuff... Can't remember which program it was through, though. Where are you getting your Internet connection from? I'm not too experienced with HijackThis logs, but I don't see anything standing out there, just a few O4s that you probably don't need, just start-up entries... Still, that image gave me nasty memories of my school's white-list filter :/
Vettetech Posted January 5, 2008
Just uninstall Firefox completely and reinstall. Use Revo Uninstaller, and afterwards there are several other files to clean up. Firefox was giving me some odd pop-up with no spyware found. I just uninstalled and reinstalled and all was fine. Takes only about 10 min.
Medking (Author) Posted January 5, 2008
Hmm, I'm getting my Internet from here... Panama. A few days ago I used HideIP to access some NBC videos hehe... and one of the IPs it gave me was Chinese... but I switched it straight away... so... maybe I'll uninstall and then reinstall.
Medking
I'm also doing the OneCare scan, but it's taking ages! So I'll just leave it running hehe.
Sorry, another edit... if I remove Firefox, will it remove all my saved bookmarks etc.?
The_Decryptor (Veteran) Posted January 5, 2008
You might be running through a proxy. Go to Tools > Options > Advanced > Network and click the Settings button in the Connection section. What does that say?
Edit: your bookmarks are saved in your profile; if you remove the profile without backing them up (either export them through Firefox or copy the bookmarks.html file somewhere), then yes, they'll be deleted.
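The proxy check The_Decryptor describes, automated against the prefs.js file in the Firefox profile (where the network.proxy.* settings behind that dialog are stored). This is an added example, not code from the thread or from Mozilla; the prefs.js fragment is constructed and 203.0.113.10 is a documentation-range placeholder standing in for whatever address an IP-hiding tool left behind.

```python
import ipaddress
import re

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')
PROXY_TYPES = {0: "none", 1: "manual", 2: "pac", 4: "autodetect", 5: "system"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed prefs.js fragment: a manual proxy left behind by an IP-hiding tool
# (203.0.113.10 is a documentation-range placeholder, not a real proxy).
LEFTOVER_PROXY = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

def parse_prefs(text):
    """Decode user_pref(...) lines into a dict of strings, ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("value")
        if raw.startswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw)
        prefs[m.group("name")] = value
    return prefs

def is_local(host):
    """Loopback, RFC 1918 addresses and local names stay on the LAN; anything else leaves it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".local")
    return ip.is_loopback or any(ip in net for net in RFC1918)

def audit_proxy(text):
    """Report the proxy mode and flag settings that send traffic through a remote host."""
    prefs = parse_prefs(text)
    ptype = prefs.get("network.proxy.type")
    mode = "default (not overridden)" if ptype is None else PROXY_TYPES.get(ptype, "unknown")
    report = {"mode": mode, "detail": "", "suspicious": False}
    if mode == "manual":
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", 0)
        report["detail"] = f"{host}:{port}"
        report["suspicious"] = bool(host) and not is_local(host)
    elif mode == "pac":
        # A PAC script is code that decides where every request goes: always review it.
        report["detail"] = prefs.get("network.proxy.autoconfig_url", "")
        report["suspicious"] = True
    return report
```

Point `audit_proxy` at the real prefs.js with Firefox closed (it rewrites the file on exit); a "manual" mode with a non-local host is exactly the condition that produced the symptoms in this thread.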
Medking (Author) Posted January 5, 2008
Wow! Good on ya! That's it, I was running through some Chinese proxy! No wonder the other day when I changed my IP it still said it was coming from China. Thanks a lot... Firefox is back to its normal speed and functionality hehe...
Thanks to everyone who's put in their efforts here... really appreciate it!
Medking
Vettetech Posted January 5, 2008
> Hmm, I'm getting my Internet from here... Panama. A few days ago I used HideIP to access some NBC videos hehe... and one of the IPs it gave me was Chinese... but I switched it straight away... so... maybe I'll uninstall and then reinstall.
> I'm also doing the OneCare scan, but it's taking ages! So I'll just leave it running hehe.
> Sorry, another edit... if I remove Firefox, will it remove all my saved bookmarks etc.?
I told you to use MozBackup... it's free.
randy_tho Posted January 5, 2008
So that is what the "great firewall of China" looks like. :)
Medking (Author) Posted January 6, 2008
> I told you to use MozBackup... it's free.
Issue solved already... but I am currently downloading it :)
goretsky (Supervisor) Posted January 7, 2008
Hello,
I took a quick glance through your HijackThis log and did notice one thing which should not be there:
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe
The program is malicious and should be removed. While you're waiting to renew your NOD32 license, you can run a copy of the ESET Online Scanner on your system for free from http://www.esetonlinescanner.com/.
Regards,
Aryeh Goretsky