Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A-1.biz 1010 Browser Hijacker + Trojans


  • Please log in to reply
1 reply to this topic

#1 student1492

student1492

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 31 August 2007 - 12:46 AM

I received this laptop from my sister. After I ran a few scans on it there was a lot of spyware and trojans. I removed what I could, but when I scanned with avast, I was not permitted to remove some files. I then launched the command shell to delete these trojans from my system, but the access was still denied. The Internet Explorer browser was constantly being redirected to a-1.biz 1010 so I found a tutorial. The infectious file is located in system32 directory ending in .inf I could send this file in the recycle bin, but I don't think that this would permanently solve the problem. Unfortunately, I cannot find the link to this tutorial, and have searched multiple times (both on this site and google) The Internet Explorer browser isn't being hijacked anymore, but when I run service.msc, plug and play svc service still appears in the services. Ideally, I would like to do transactions on this computer without worrying, but I am far from safe. Any help is greatly appreciated. Thank you for your time, and here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:52 PM, on 8/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Avast4\ashWebSv.exe
C:\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\CCleaner\ccleaner.exe
C:\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Lauren\Desktop\HiJackThis.exe
C:\WINDOWS\system32\mmc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0BAFF5A0-E9EF-6318-1D17-55A8588023CD} - http://209.8.161.54/1/gdnUS897.exe
O16 - DPF: {51722E5A-EE7F-691A-F44B-32015941C089} - http://209.8.161.54/1/gdnUS897.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

--
End of file - 2930 bytes

Edited by student1492, 31 August 2007 - 12:50 AM.


BC AdBot (Login to Remove)

 


#2 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:11:26 AM

Posted 12 September 2007 - 11:21 AM

Hello student1492

Welcome to Bleeping Computer!

Sorry about the delay. We're all volunteers here, and it's been very busy. If you still need help, please post a new HijackThis log to make sure nothing has changed.

Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log <--link

And I'll be happy to take a look at it for you.

I also need to see a different type of log from Hijackthis:
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.
Thanks, for your patience.




Stelios




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users