Securepccleaner Webpage Hijack?!?!?


  • This topic is locked This topic is locked
8 replies to this topic

#1 soildad

soildad

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:36 PM

Posted 14 March 2008 - 01:47 PM

Posted HJT, VBG and SmitFraud files. Please review and let me know where the bugger is, please. It's very sporadic for the securepccleaner web popup, but I have had my Google and Yahoo searches constantly redirected. I have McAfee, Spybot and Adware2007 installed and up to date. I spend more time in defense than on the computer. I know part of the problem is the XP SP1 OS, but I dare not upgrade to SP2 if I am infected. Please, any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:45 PM, on 3/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {422F92DD-8DA4-451C-8124-C6A11E704137} - C:\WINDOWS\System32\VBAR33.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Startup: TrueAssistant.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200090290212
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...212/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4260 bytes

SmitFraudFix v2.302

Scan done at 14:09:45.05, Fri 03/14/2008
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\System32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\default


C:\Documents and Settings\default\Application Data


Start Menu


C:\DOCUME~1\default\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB21CC2F-9542-4113-AEE9-6275DA19B018}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB21CC2F-9542-4113-AEE9-6275DA19B018}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BB21CC2F-9542-4113-AEE9-6275DA19B018}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


Scanning for wininet.dll infection


End

VBG

[03/11/2008, 12:16:06] - VirtumundoBeGone v1.5 ( "C:\VirtumundoBeGone.exe" )
[03/11/2008, 12:16:10] - Detected System Information:
[03/11/2008, 12:16:10] - Windows Version: 5.1.2600, Service Pack 1
[03/11/2008, 12:16:10] - Current Username: default (Admin)
[03/11/2008, 12:16:10] - Windows is in NORMAL mode.
[03/11/2008, 12:16:10] - Searching for Browser Helper Objects:
[03/11/2008, 12:16:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/11/2008, 12:16:10] - BHO 2: {422F92DD-8DA4-451C-8124-C6A11E704137} ()
[03/11/2008, 12:16:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/11/2008, 12:16:10] - Checking for HKLM\...\Winlogon\Notify\VBAR33
[03/11/2008, 12:16:10] - Key not found: HKLM\...\Winlogon\Notify\VBAR33, continuing.
[03/11/2008, 12:16:10] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/11/2008, 12:16:10] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/11/2008, 12:16:10] - Finished Searching Browser Helper Objects
[03/11/2008, 12:16:10] - Finishing up...
[03/11/2008, 12:16:11] - Nothing found! Exiting...

[03/11/2008, 14:30:30] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\default\Desktop\VirtumundoBeGone.exe" )
[03/11/2008, 14:30:31] - Detected System Information:
[03/11/2008, 14:30:31] - Windows Version: 5.1.2600, Service Pack 1
[03/11/2008, 14:30:31] - Current Username: default (Admin)
[03/11/2008, 14:30:31] - Windows is in SAFE mode with Networking.
[03/11/2008, 14:30:31] - Searching for Browser Helper Objects:
[03/11/2008, 14:30:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/11/2008, 14:30:31] - BHO 2: {422F92DD-8DA4-451C-8124-C6A11E704137} ()
[03/11/2008, 14:30:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/11/2008, 14:30:31] - Checking for HKLM\...\Winlogon\Notify\VBAR33
[03/11/2008, 14:30:31] - Key not found: HKLM\...\Winlogon\Notify\VBAR33, continuing.
[03/11/2008, 14:30:31] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/11/2008, 14:30:31] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/11/2008, 14:30:31] - Finished Searching Browser Helper Objects
[03/11/2008, 14:30:31] - Finishing up...
[03/11/2008, 14:30:31] - Nothing found! Exiting...

[03/14/2008, 14:35:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\default\Desktop\VirtumundoBeGone.exe" )
[03/14/2008, 14:35:37] - Detected System Information:
[03/14/2008, 14:35:37] - Windows Version: 5.1.2600, Service Pack 1
[03/14/2008, 14:35:37] - Current Username: default (Admin)
[03/14/2008, 14:35:37] - Windows is in NORMAL mode.
[03/14/2008, 14:35:37] - Searching for Browser Helper Objects:
[03/14/2008, 14:35:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/14/2008, 14:35:37] - BHO 2: {422F92DD-8DA4-451C-8124-C6A11E704137} ()
[03/14/2008, 14:35:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/14/2008, 14:35:37] - Checking for HKLM\...\Winlogon\Notify\VBAR33
[03/14/2008, 14:35:37] - Key not found: HKLM\...\Winlogon\Notify\VBAR33, continuing.
[03/14/2008, 14:35:37] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[03/14/2008, 14:35:37] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/14/2008, 14:35:37] - Finished Searching Browser Helper Objects
[03/14/2008, 14:35:37] - Finishing up...
[03/14/2008, 14:35:37] - Nothing found! Exiting...

Thanks for any help
SOILDAD


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 15 March 2008 - 07:28 AM

Hi,

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file:

C:\WINDOWS\System32\VBAR33.dll

Select it and click ok.
Then click the Send File button below.

Let me know in your next reply once you've submitted the file. It's most probably the cause of the hijacked pages, but I need a sample first before we remove it.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 19 March 2008 - 11:53 AM

Hi,

Thanks for the file.

As you said on the upload page:

There is also a vbar332.dll in the folder? Thanks for the help.

The vbar332.dll is a legitimate one, so don't delete that one. But the VBAR33.dll you uploaded is a bad one.

Check next entry in HijackThis:

O2 - BHO: (no name) - {422F92DD-8DA4-451C-8124-C6A11E704137} - C:\WINDOWS\System32\VBAR33.dll

Make sure your Internet Explorer is closed when you click the Fix checked button below.

Also, check next entries in HijackThis if you are not aware that there are restrictions set for your Internet Explorer options:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then reboot your Computer.

After reboot, navigate to and delete C:\WINDOWS\System32\VBAR33.dll if still present. It could be possible that it won't be present anymore since HijackThis already tries to delete that file if you hit the "fix checked" button.
Do NOT delete the vbar332.dll.

Let me know in your next reply if that solved your issue.
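The HijackThis entries the helper singles out above (an O2 BHO with "(no name)" and the O6 IE policy restrictions) can be picked out of a log programmatically. This is an added example, not a BleepingComputer or HijackThis tool; the log lines it parses are constructed from the HJT output posted in this thread, and the line grammar it assumes is the "O2 - BHO: name - {CLSID} - path" / "O6 - key present" format seen there.

```python
import re

# Constructed sample: the relevant lines of the HijackThis log posted in this
# thread, with two legitimate (named) BHOs kept for contrast.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {422F92DD-8DA4-451C-8124-C6A11E704137} - C:\WINDOWS\System32\VBAR33.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Assumed HJT line grammar for the two entry types this triage cares about.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
POLICY_RE = re.compile(r"^O6 - (?P<key>.+?) present$")


def parse_bhos(log):
    """Return one dict (name, clsid, path) per O2 (Browser Helper Object) line."""
    return [m.groupdict() for m in map(BHO_RE.match, log.splitlines()) if m]


def unnamed_bhos(log):
    """BHOs registered without a default name (the VBAR33.dll case above).

    VirtumundoBeGone warns on the same condition. It is a triage signal, not
    proof of infection: the DLL still needs a sample or lookup before removal,
    which is exactly why the helper asked for the file first.
    """
    return [b for b in parse_bhos(log) if b["name"] == "(no name)"]


def ie_policy_restrictions(log):
    """O6 entries: IE restrictions applied through HKCU policy keys."""
    return [m.group("key") for m in map(POLICY_RE.match, log.splitlines()) if m]


def lines_to_fix(log):
    """The raw log lines a responder would tick for HijackThis 'Fix checked':
    unnamed BHOs plus O6 restrictions the user did not set themselves."""
    fix = []
    for line in log.splitlines():
        m = BHO_RE.match(line)
        if (m and m.group("name") == "(no name)") or POLICY_RE.match(line):
            fix.append(line)
    return fix


if __name__ == "__main__":
    for line in lines_to_fix(SAMPLE_HJT_LOG):
        print(line)
```

Running the script prints the three lines (one O2, two O6) that the helper told the poster to fix; any named BHO is left alone.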

#4 soildad

soildad
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:36 PM

Posted 24 March 2008 - 12:54 PM

Attempted to delete the vbar33.dll file but was unable to. Pop-up window indicated that the file is in use by another program or is write protected. I am trying to determine what process the file is attached to. Hopefully this won't take too long.......

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 24 March 2008 - 01:02 PM

Hi,

Did you fix that entry first in HijackThis and REBOOTED?

O2 - BHO: (no name) - {422F92DD-8DA4-451C-8124-C6A11E704137} - C:\WINDOWS\System32\VBAR33.dll

Because that explains why you are not able to delete it.

If you still can't delete it, let me know... because more files may be involved here then.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 28 March 2008 - 08:41 AM

Problem resolved?

#7 soildad

soildad
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:36 PM

Posted 31 March 2008 - 10:25 AM

Sorry, no. I was away for Easter.

Here is what I have completed. I tried to delete the vbar33.dll file, and got the usual Windows pop-up box indicating that the file is in use by another program or write protected. So I went into HJT and identified the file to delete the next time I started the computer. I completed this, but the file was still in the system32 file folder when I searched.

I can re-run the HJT/SmitFraud and VBG programs if you would like, but nothing in those configurations has changed.

Here is what I ran into today. I ran my Spybot (v 1.5.2), last updated last week. The Spybot indicated no threats identified and a list of other internal tracks identified. When I went to delete the other non-descript tracks, all were cleaned except for the WORD (9.0) tracks identified in the default/app.data/microsoft/recent folder. I went to the folder and individually removed all the shortcut links identified in the folder. As I was entering the folder, the supercleaner pop-up window materialized. I closed the window and proceeded to delete the shortcuts.

While I was in the default/app.data/microsoft directory I ran into the following application:

ARPPRODUCTICON.exe

Can you provide any info on this EXE file?

Beyond all that, the occurrence of the pop-up window has been much more sporadic. I know it's in here somewhere, I'm just baffled where....

Thanks for the help so far, it's been great.

SOILDAD :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 31 March 2008 - 10:55 AM

The ARPPRODUCTICON.exe appears to be OK - it is a file created by InstallShield Software Corp. and is a part of InstallShield.

Can you also do the following, please...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:36 AM

Posted 09 April 2008 - 01:47 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.