firefox browser hijacked & all files read only cant change tried everything



idkwhatsgoingon
2009-12-04, 12:01
OK, here is the deal: everyone thinks of me as an advanced user, I build computers all the time, but this I cannot figure out. It is driving me crazy!
It started a couple of days ago. My fiancee downloaded something and it said it needed a codec. She downloaded the codec, and from what she said it went into downloading a license, which she clicked on, and it disappeared. I personally can't find any out-of-the-ordinary files anywhere. I ran Spybot S&D and the only thing it found was a Windows security problem, which it then fixed, but it's still doing it. I ran avast antivirus and it didn't work the first couple of times; it wouldn't even do a full scan no matter what I tried. I also noticed that since then ALL of the files on my hard drive, which I have partitioned into 2 parts, are marked read-only, and I cannot do anything with them. I went to Properties and did the fix; didn't work. I used the command prompt to fix the attribute; didn't work. I went into safe mode to fix it; didn't work. I have admin privileges and am the only user on the computer, but nothing seems to work. The only thing I can think of is that it is a tricky rootkit. I just finished running HijackThis and I will post the log file after this. I truly am at a loss; I have never had a problem I cannot fix, and this makes me feel stupid. Every time I do a search on Google or anywhere in Firefox and click on a site that I know is a good site, like CNET, it redirects me 20 times to some off-the-wall ad or web search. It took me 20 minutes just to get here. Well, I don't know; any help would be appreciated. Here is the HijackThis log, but I don't see anything out of the ordinary. Does anyone else? Please help me ASAP. I just built this computer for my nephew for Xmas and need it running good ASAP, and I really don't want to do a fresh install of XP and lose all the data. Sorry, forgot this: I'm using Windows XP Media Center Edition SP2, 2.66 GHz Intel Pentium processor, 760 MB RAM, 40 GB HD, 2 partitions.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:18 AM, on 12/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\program files\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
D:\program files\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\PROGRA~1\ashDisp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\program files\ashMaiSv.exe
D:\program files\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
D:\program files\firefox.exe
D:\program files\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\program files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [BitTorrent] "D:\program files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\program files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\program files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\program files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\program files\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\program files\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\program files\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\program files\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3347 bytes

==============================
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

idkwhatsgoingon
2009-12-05, 08:19
Never mind, I manually found and removed the rootkit. Now everything is running fine, no browser hijacking anymore. I still cannot change files and folders from read-only, but I guess I will figure it out by myself, just like the rootkit. Seems no one would help me; they would rather tell me "dont post this with your thread and dont post that", so I think I will just figure it out by myself, just like the rootkit. I truly think that TeaTimer itself has something to do with my files not being able to be changed from read-only, so I will go down that road and see where it takes me. For a very long time I have been an avid and exclusive Spybot S&D user, not wanting to use anything else because I believed in Spybot S&D, but after this experience I may just have to rethink that, especially if TeaTimer is what is causing my read-only problem. Next time, instead of telling someone "dont post this with your thread and dont post that with your thread", maybe, just maybe, you should look at what they have and try to help, and not be jealous because they are using a program that isn't from you. Some people have programs that they have used for a long time and trust, and know very well how to use, so don't let your ego get in the way, and don't say "i wont help you because your using this program instead of that program" when they do the same thing. But thanks anyway for the non-helping help.

tashi
2009-12-05, 09:05
Hello idkwhatsgoingon,

While your frustration is understood, we have FAQs in order for members to help us to help them.

The link provided (with a wink) was a courtesy so that you would know why your topic was moved to the correct forum for HJT logs in order for you to receive assistance.

Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums (http://forums.spybot.info/forumdisplay.php?f=4) but note that forum's sticky topic: Please do NOT post HJT/CF etc logs in the Spybot forum. Thank you :) (http://forums.spybot.info/showthread.php?t=1266)


"I truly think that TeaTimer itself has something to do with my files not being able to be changed from read-only, so I will go down that road and see where it takes me."

Before you post a HJT log (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

When Spybot-S&D is installed.

TeaTimer needs to be disabled so that its protection does not interfere with fixes.

As to "seems no one would help me" your topic was started in the afternoon and many members are patiently waiting.

If you still need help please start a new topic as our volunteer analysts look for topics with a zero response, meaning one post only.

Best regards.