Jump to content

Google Still hijacked, "safe" files have been deleted!

Recommended Posts

First, I want to say how much I love Malwarebytes! Secondly HELP!! :) I was infected with the Windows Security Virus almost 2 months ago. It wouldn't let me do ANYTHING on my computer, even in safe mode. Well, due the computer being shut off for so long the virus experienced a problem and "had to close". I finally was able to run malwarebytes in safemode and clean some of the virus last week. Then I ran it in regular mode and "thought" I had cleaned the rest. I have XP on my computer and everything ran so slow after removing the virus. Plus Symantec was malfunctioning the entire time despite updating it. So I removed Symantec and my computer sped up. However, I wasn't able to download any windows updates or install Microsoft security essentials, and google is still hijacked. I ran rootkill (is that what it's called? I can't remember because I was told to change the name) and it found a few more threats that it "cured". Then I ran malwarebytes again last night and it found 75 more infected files! (All of which it removed). Just for "fun" I ran it again and it found 15 more files which it removed. However I think some of those exe files were safe AND necessary, and now they are gone. So, long story short - 1. how can I get my computer to update windows again and actually run security essentials? (I can't even get it to run off their website) and 2. How I retrieve the files that I think are safe but were removed? (For example - Notepad? I tried running the DDS and it said it completed and a file would pop up but nothing happened? Perhaps because notepad has disappeared?) What a mess! Thanks in advance!


I was able to restore notepad so here's my dds file:

How can I return google to normal, and what do I need to do to be able to update windows again and install Security Essentials?


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 7:34:11 on 2011-10-28

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.371 [GMT -4:00]



============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs






C:\WINDOWS\system32\svchost.exe -k imgsvc




============== Pseudo HJT Report ===============


uStart Page = hxxp://mail.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll

TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRun: [volmgr] %APPDATA%\volmgr.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140662612708

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1319051597813

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

TCP: DhcpNameServer =

TCP: Interfaces\{1D0375F2-5D02-4164-8E51-5827C66E7CC1} : DhcpNameServer =

TCP: Interfaces\{D519CFA9-41C1-49BA-BB93-5BFB9C172954} : DhcpNameServer =

Filter: text/html - {07069702-d151-43c0-a731-61e0efef8dd4} -

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {582610B8-E496-4813-993C-4B027173FE38} - c:\program files\pixiepack codec pack\InstallerHelper.exe

Hosts: www.google.com

Hosts: www.bing.com


============= SERVICES / DRIVERS ===============


R1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]

S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 176128]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-3-17 506496]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-3-17 3768]

S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2006-4-8 153760]

S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2006-2-20 82432]


=============== Created Last 30 ================


2011-10-27 15:42:10 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache

2011-10-27 11:57:43 -------- d-----w- C:\e0d5cf43ced7f5db89

2011-10-27 02:26:20 486107 ----a-w- c:\documents and settings\administrator\local settings\application data\dfl20z32.dll

2011-10-27 02:25:44 173582 ----a-w- c:\documents and settings\administrator\local settings\application data\wsr20zt32.dll

2011-10-26 15:46:30 128000 ----a-w- c:\windows\system32\0.3566469531925528.exe

2011-10-19 18:18:34 -------- d-----w- c:\documents and settings\administrator\application data\mF4bU8y30us4hKJ

2011-10-19 18:18:33 -------- d-----w- c:\documents and settings\administrator\application data\MicroST

2011-10-19 18:18:27 -------- d-----w- C:\mF4bU8y30us4hKJ

2011-10-04 02:44:57 127488 ----a-w- c:\windows\system32\0.3339700152110773.exe


==================== Find3M ====================


2011-10-28 09:11:45 216576 ----a-w- c:\windows\notepad.exe

2011-10-28 06:39:13 183296 ----a-w- c:\windows\system32\rcimlby.exe

2011-10-28 06:32:31 179712 ----a-w- c:\windows\system32\wupdmgr.exe

2011-10-28 06:30:34 237568 ----a-w- c:\windows\unvise32.exe

2011-10-28 06:26:42 686080 ----a-w- c:\windows\system32\spider.exe

2011-10-28 06:26:42 204288 ----a-w- c:\windows\system32\sol.exe

2011-10-28 06:26:41 267264 ----a-w- c:\windows\system32\winmine.exe

2011-10-28 06:26:40 274432 ----a-w- c:\windows\system32\mshearts.exe

2011-10-28 06:26:40 202752 ----a-w- c:\windows\system32\freecell.exe

2011-10-28 06:24:45 180224 ----a-w- c:\windows\system32\odbcad32.exe

2011-10-28 06:24:22 227840 ----a-w- c:\windows\system32\charmap.exe

2011-10-28 06:24:22 211456 ----a-w- c:\windows\system32\cleanmgr.exe

2011-10-28 06:24:21 1348096 ----a-w- c:\windows\system32\ntbackup.exe

2011-10-28 06:24:20 581120 ----a-w- c:\windows\system32\wiaacmgr.exe

2011-10-28 06:24:19 825344 ----a-w- c:\windows\system32\mstsc.exe

2011-10-28 06:24:19 490496 ----a-w- c:\windows\system32\mspaint.exe

2011-10-28 06:24:08 286208 ----a-w- c:\windows\system32\sndvol32.exe

2011-10-28 06:24:08 279040 ----a-w- c:\windows\system32\sndrec32.exe

2011-10-28 06:23:57 262144 ----a-w- c:\windows\system32\calc.exe

2011-10-28 06:23:47 331776 ----a-w- c:\windows\system32\accwiz.exe

2011-10-28 00:31:01 151552 ----a-w- c:\windows\system32\actmovie.exe

2011-10-27 02:40:45 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-10-27 02:40:45 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-10-27 02:25:23 536576 ----a-w- c:\windows\system32\cmd.exe

2011-10-27 02:25:22 363008 ----a-w- c:\windows\system32\osk.exe

2011-10-27 02:25:22 220160 ----a-w- c:\windows\system32\magnify.exe

2011-08-14 16:08:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-10 14:22:18 10846208 ----a-w- c:\documents and settings\administrator\ntuser.tmp


============= FINISH: 7:38:16.43 ===============

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Link to post
Share on other sites

Unfortunately I followed the directions I was given here since the infection was getting worse and I hadn't heard from anyone for help yet.


This just made the problem worse. I ran the avg software 4 times, it found nothing after the 1st time. So I udpated and ran MBAM and it deleted over 5000 files on my computer!! So now my computer is all sorts of screwed up. Every microsoft program with the exception of IE wont open. I tried to go back to an earlier restore point. Didn't work. I'm ready to just throw the damn thing away! I would just reformat my harddrive but the CD drive is toast. Guess it's just time to get a new computer. :(

Any idea if I should restore notepad again so I can post the logs? Or just get rid of the darn computer?

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.