Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
My PC is being hijacked by something called MISSNGPAGE. All my IE searches are redirected to MISSNGPAGE.COM before sent to other random sites. Any advice on how to detect and repair would be very appreciated.
I have a HJTHIS log.
Run HJT again generate latest log and post it. Also have you ran any antivirus? If so when did you ran full scan last? Post scan log if you have one.
-------------------------------------------------
0 
Thanks. Yes - I ran a full scan this morning of Symantec, and MalwareBytes. Here is a new log. THANKS!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:09 AM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Brian\Desktop\tools.exe
C:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Downl...
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - http://gsnode1/Reporting/Reserved.R...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://xpedx-ebusiness.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://iolo.com/app/ocx/UpgradeVeri...
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueI...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gstanley.com
O17 - HKLM\Software\..\Telephony: DomainName = gstanley.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gstanley.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gstanley.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe--
End of file - 9901 bytes
0 0
It happens in all browsers, but additionally, it's shutting down my PC randomly, and locking up my desktop icons.
When I do a Google search then select a link, I go directly to missngpage.com, then quickly to random advertising sites.
0
Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.
3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.
begin ExecuteStdScr(3); RebootWindows(true); end.
Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.-------------------------------------------------
0
Try: http://malwarecrawler.com/a-v-z.exe . If you still can't use USB.
-------------------------------------------------
0
Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step:
1) Run this script in AVZ like before, your computer will reboot:
begin ExecuteRepair(14); ExecuteRepair(15); SetAVZPMStatus(True); rebootwindows(true); end.2) After Reboot. Attach a Combofix log, please review and follow these instructions carefully.
Download it here -> http://download.bleepingcomputer.co...
Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.
Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.
-------------------------------------------------
0
Is your problem solved or still exists and are you connected gstanley.com network?
-------------------------------------------------
0
I had to head out for a while but I'm back
testing. So far looks like you're the STAR. No
highjacking yet. I'm not connected to the
Gstanley network now.So far i'm so grateful for your help!!!!
0
Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step:
1) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.
2) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type CboFx123 /u > ok.
-------------------------------------------------
0
This site won't allow me to private message you the RapidShare link becasue I'm the original poster of this thread. Other thoughts?
So far my problem is gone. I"m SO grateful for your help.
0
Thanks for the files. Please follow these steps in order numbered and post summary log after each step.
1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with: http://www.eset.eu/online-scanner
# Check the box next to YES, I accept the Terms of Use. # Click Start # When asked, allow the activex control to be installed. # Click Start # Check below options: * Remove found threats * Scan for potentially unwanted applications (Advance Settings). * Enable Anti-Stealth technology (Advance Settings). # Click Scan # Wait for the scan to finish # When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt # Attach this logfile to your next message.
Note: Turn system restore back on, if you wish; this to remove malware from system volume information files.2) Install, update and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, but Please Don't fix anything yet, until the log is reviewed.
3) House cleaning. Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.
-------------------------------------------------
0
Tried several times on ESET Online Scanner. I get to allow the Active X, then it won't proceed.
Should I skip and proceed with other steps?
0
Here is full scan of MalwareBytes.
Malwarebytes' Anti-Malware 1.37
Database version: 2223
Windows 5.1.2600 Service Pack 36/3/2009 11:13:02 AM
mbam-log-2009-06-03 (11-13-02).txtScan type: Full Scan (C:\|)
Objects scanned: 175628
Time elapsed: 41 minute(s), 50 second(s)Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0Memory Processes Infected:
(No malicious items detected)Memory Modules Infected:
(No malicious items detected)Registry Keys Infected:
(No malicious items detected)Registry Values Infected:
(No malicious items detected)Registry Data Items Infected:
(No malicious items detected)Folders Infected:
(No malicious items detected)Files Infected:
(No malicious items detected)
0
Ran Super AS Scan. Couldn't find log, but report said 64 Adware Tracking Cookies found. I deleted them.
I went back to ESET and was able to run scan. Below is log.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=6f73a60ddf5d324cbc06ce3c042814b3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-03 06:04:24
# local_time=2009-06-03 01:04:24 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 63 100 100 121599821653
# compatibility_mode=3586 63 40 16 1016144249678814
# compatibility_mode=7425 63 25 0 0
# scanned=37408
# found=0
# cleaned=0
# scan_time=1394
0
Your malware free you can uninstall AVP tool and AVZ (delete folder). Rest of them is up too you to decide. If you still have your original problem let me know.
-------------------------------------------------
0
You've been a tremendous amount of help. I couldn't have gotten half this far without your expertise. Thank you SO much.
0
Clean Search Destroys Infamous Virus
Clean search, http://clean-search.com investigators have successfully exposed and destroyed a catastrophic Malware virus that rendered tens of thousands of PC's unusable.
The redirect point of the illegal operation was MissngPage.com/ which is no longer in the Malware-redirecting business!
Clean-Search has derailed other malicious and menacing websites in the course of client cases, such as:
www.EasyBackgroundCheck.com
www.buttsexcrips.com
www.MissngPage.com/
...
Due to confidentiality policy, no more specific information can be issued.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
