NEED HELP: JavaScript Injection Problem


  • NEED HELP: JavaScript Injection Problem

    Hello all,

    I have a problem on one of my computers. It seems that I have something that is doing JavaScript injections and changing ad banners and opening new windows. I've installed PC Tools Spyware Doctor and have run it a few times, but it doesn't seem to clear everything. I've run HijackThis and here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:59:28 AM, on 9/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsGui.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Spyware Doctor\update.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [BM020fb840] Rundll32.exe "C:\WINDOWS\system32\gjevfift.dll",s
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - h**p://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKfox000 (I disabled this link)
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presar io&pf=laptop
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
    O20 - AppInit_DLLs: qiphaj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8311 bytes


    I've highlighted in red the items that I think are causing this, but I really have no clue, they just look out of place.

    Let me know if I am correct and how to go about fixing this. Thanks in advance!!!

  • #2
    Re: NEED HELP: JavaScript Injection Problem

    O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
    O20 - AppInit_DLLs: qiphaj.dll

    also looks suspicious to me.
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -Albert Einstein
    The two most common elements in the universe are Hydrogen and stupidity. -Harlan Ellison

    If all else fails: "rm -rf /"



    • #3
      Re: NEED HELP: JavaScript Injection Problem

      Virtualapple allows me to play games from Apple 2 & 2GS <--- Like Oregon Trail!



      • #4
        Re: NEED HELP: JavaScript Injection Problem

        Wow, what games can you get for the Apple II?! There were a few I loved to play on that platform. (The first PC we had in our home was my little brother's Apple IIe. The second was my Amiga 1000.)
        Dude, seriously, WHAT handkerchief?

        snooggums' density principal: "The more dense a population, the more dense a population."

        Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



        • #5
          Re: NEED HELP: JavaScript Injection Problem

          Go here to find out: http://www.virtualapple.org/



          • #6
            Re: NEED HELP: JavaScript Injection Problem

            Awesome! They have one of my favorite games!

            http://www.virtualapple.org/rescueraidersdisk.html
            Dude, seriously, WHAT handkerchief?

            snooggums' density principal: "The more dense a population, the more dense a population."

            Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



            • #7
              Re: NEED HELP: JavaScript Injection Problem

              I semi-recently found SuperAntiSpyware, and it finds things that AdAware+Spybot+Trend Micro don't even find, and then some.

              It's currently one of the best anti-spy programs.

              You can also go to the Trend Micro website, and do the HouseCall web-app which is a free online virus scan and removal. Though it takes a little while to complete.
              "But way back where I come from, we never mean to bother. We don't like to make our passions other peoples' concern." -Dar Williams
              Former Captain of the 55th Infantry Division



              • #8
                Re: NEED HELP: JavaScript Injection Problem

                Might be installed as an IE add-on. In IE7, go to Tools, Manage Add-ons (or similar) and take a look at the list there.
                former TacticalGamer European Division



                A Tactical Gamer since 2005 (the glorious days of BF2)



                • #9
                  Re: NEED HELP: JavaScript Injection Problem

                  Also, did you try to remove the "gjevfift.dll" entry in Run?
                  former TacticalGamer European Division



                  A Tactical Gamer since 2005 (the glorious days of BF2)
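
The entries called out in posts #2 and #9 (the `AppInit_DLLs` value, the `DPF` download, and the `Run` value that starts a DLL through `Rundll32.exe`) can be pulled out of a HijackThis log mechanically. This is an added triage example, not part of the original thread; the function name `triage` and the `high`/`review` levels are assumptions of this example, and the sample lines are copied from the log in the first post.

```python
import re

# Six lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM020fb840] Rundll32.exe "C:\WINDOWS\system32\gjevfift.dll",s
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O20 - AppInit_DLLs: qiphaj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''

ENTRY = re.compile(r'^\s*([A-Z]\d{1,2}) - (.*)$')                      # "O4 - <body>"
RUN_VALUE = re.compile(r'^[A-Z]+\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$')   # "HKLM\..\Run: [name] cmd"
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)   # DLL handed to rundll32
DPF = re.compile(r'^DPF: (.+) - (\S+)$')                               # "DPF: name - source URL"

def triage(log_text):
    """Return (section, level, reason) for entries that deserve a closer look.

    The 'high'/'review' levels are this example's own labels, not HijackThis output.
    """
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue
        section, body = entry.groups()
        if section == 'O4':
            run = RUN_VALUE.match(body)
            dll = RUNDLL.search(run.group(2)) if run else None
            if dll:  # autostart that has rundll32 load a DLL at every logon
                findings.append((section, 'high',
                                 f'Run value [{run.group(1)}] starts {dll.group(1)} via rundll32'))
        elif section == 'O20' and body.startswith('AppInit_DLLs:'):
            # DLLs named here are mapped into every process that loads user32.dll
            for name in re.split(r'[\s,]+', body.split(':', 1)[1].strip()):
                if name:
                    findings.append((section, 'high', f'AppInit_DLLs loads {name}'))
        elif section == 'O16':
            dpf = DPF.match(body)
            if dpf:  # browser component fetched from the web: confirm the user installed it
                findings.append((section, 'review', f'{dpf.group(1)} installed from {dpf.group(2)}'))
    return findings

if __name__ == '__main__':
    for section, level, reason in triage(SAMPLE_LOG):
        print(f'{level:6} {section:3} {reason}')
```

The O16 hit is reported as `review` rather than `high` because a downloaded browser component can be legitimate, as post #3 explains for the Virtualapple one.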



                  • #10
                    Re: NEED HELP: JavaScript Injection Problem

                    I don't use IE and no I haven't tried removing anything yet.....just wanted to see people's opinions before I started deleting things.



                    • #11
                      Re: NEED HELP: JavaScript Injection Problem

                      Which browser and version are you using?

                      Have you run Spybot S&D? Have you run your anti-virus scan?
                      |TG-18th| Acreo Aeneas
                      TG World of Tanks Clan Executive Officer
                      Former 9th & 13th

                      Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
                      Still can't say it? Call me Acorn then. -.-





                      SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

                      TG Primer and Rules



                      • #12
                        Re: NEED HELP: JavaScript Injection Problem

                        Originally posted by Acreo Aeneas:
                        Which browser and version are you using?

                        Have you run Spybot S&D? Have you run your anti-virus scan?

                        Firefox (Not 3 but the previous version, this happened before 3 came out)

                        No I have not run Spybot S&D <---I'll have to download that
                        Yes I have run my anti-virus and it hasn't gotten it off (Using Avira AntiVirus Personal)
