
Firefox & IE Hijacking, Among Others


This topic is locked
2 replies to this topic

#1 JimmyLon

Posted 24 December 2008 - 03:21 PM

Now that I'm home for Christmas, I've been asked to fix up my dad's computer - he picked up a bunch of malware a few days ago. At this point, I've done what I can, but need some further expert advice.

Symptoms are currently limited to some serious browser hijacking (when I click a Google result, it gets redirected to delv.com or something like it) in Firefox (normal and Portable Apps edition) and IE, an inability to run some AV programs, and a non-working safe mode.

I've done the following at this point:
  • Run HJT several times, and removed the obvious malware hits
  • Installed and ran A-Squared AV and completed a deep scan
  • Installed Spybot S&D
  • Installed MBAM
There are the following complications:
  • I can't reboot into safe mode: when I reboot and select it via F8, it gets to the point where I have a working mouse cursor and the label at the top telling me I'm in safe mode, but no icons show up, no taskbar/explorer shows up, and CTRL-ALT-DEL doesn't have any impact.
  • While Spybot S&D installed properly and the resident protection runs fine, updating it fails and running the actual S&D application (either from the system tray icon or the start menu) has no impact, and nothing runs
  • Similar to Spybot S&D, MBAM installed properly, but when I try and run it from either the start menu or the desktop, nothing happens
Any help would be appreciated!

Here's the DDS log:

DDS (Version 1.1.0) - NTFSx86
Run by David at 20:06:56.57 on 24/12/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1012 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
E:\aaaaaada.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en&tab=nw
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.lenovo.com/us/en/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: ACNotify - ACNotify.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnmnMCv
LSA: Notification Packages = scecli csspwntfy ACGina c:\windows\system32\lunegogu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\ayg58rr1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en&tab=nw

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2006-8-24 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2006-8-24 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\drivers\IBMBLDID.sys [2006-8-24 6016]
R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-12 31816]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-8-24 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-8-24 4442]
R2 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" [2008-12-24 419448]
R2 CBA8;LANDesk® Management Agent;"c:\program files\landesk\shared files\residentagent.exe" [2007-1-9 122880]
R2 ibmfilter;ibmfilter;\??\c:\windows\system32\drivers\ibmfilter.sys [2005-12-22 12544]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-3-14 103744]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2008-5-12 144704]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2008-5-12 54608]
R2 PrivateDisk;PrivateDisk;\??\c:\program files\ibm thinkvantage\safeguard privatedisk\PrivateDiskM.sys [2005-11-15 46142]
R2 smi2;smi2;\??\c:\program files\smi2\smi2.sys [2005-12-21 3968]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-1-2 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-1-2 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-1-2 174952]
R3 SWNC8U01;Sierra Wireless MUX NDIS Driver (UMTS01);c:\windows\system32\drivers\SWNC8U01.sys [2006-4-3 81408]
R3 SWUMX01;Sierra Wireless USB MUX Driver (UMTS01);c:\windows\system32\drivers\swumx01.sys [2006-4-3 61312]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13840]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);c:\windows\system32\drivers\se44bus.sys [2006-7-25 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;c:\windows\system32\drivers\se44mdfl.sys [2006-7-25 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;c:\windows\system32\drivers\se44mdm.sys [2006-7-25 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se44mgmt.sys [2007-4-28 88624]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);c:\windows\system32\drivers\se44nd5.sys [2007-4-28 18704]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;c:\windows\system32\drivers\se44obex.sys [2007-4-28 86432]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);c:\windows\system32\drivers\se44unic.sys [2007-4-28 90800]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2007-1-29 54432]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" []

=============== Created Last 30 ================

2008-12-24 19:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 19:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 19:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 19:01 <DIR> --d----- c:\windows\pss
2008-12-24 16:18 1,582,201 ---sh--- c:\windows\system32\unahuzob.ini
2008-12-24 14:46 <DIR> --d----- c:\program files\a-squared Free
2008-12-24 13:45 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-24 13:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-24 04:17 2,098 ---sh--- c:\windows\system32\segipusa.exe
2008-12-23 23:49 <DIR> --d----- c:\program files\Trend Micro
2008-12-23 23:48 1,639,241 a--sh--- c:\windows\system32\rrwyhqtx.ini
2008-12-23 23:45 130,048 a------- c:\windows\system32\ekcjeg.dll
2008-12-22 18:26 1,639,250 a--sh--- c:\windows\system32\dcpaiplt.ini
2008-12-22 18:22 767,582 a--sh--- c:\windows\system32\vCMnmnmp.ini2
2008-12-22 18:22 767,582 a--sh--- c:\windows\system32\vCMnmnmp.ini
2008-12-22 18:18 <DIR> --d----- c:\docume~1\david\applic~1\gadcom
2008-12-22 18:17 58,880 a------- c:\windows\system32\iifgEtSK.dll
2008-12-22 18:17 70,656 a------- c:\windows\system32\prunnet.exe
2008-12-11 03:27 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-11-25 12:56 <DIR> --d----- C:\Picture Frame to be repaired

==================== Find3M ====================

2008-12-24 16:18 84,726 a--sh--- c:\windows\system32\bozuhanu.dll
2008-12-12 17:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 11:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 10:02 247,326 -------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 20:07:41.12 ===============
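Defender-side triage of the log above, as an added example that is not part of the original thread: a small Python script that parses the DDS `LSA:` lines and the `Created Last 30` file entries and reports LSA packages outside an assumed stock-XP baseline plus files created with both the hidden and system attributes. The baseline set and the sample lines (copied from the post) are constructed assumptions, and anything reported is a candidate for review, not a verdict.

```python
import re

# Constructed sample input: a few lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnmnMCv
LSA: Notification Packages = scecli csspwntfy ACGina c:\windows\system32\lunegogu.dll
2008-12-24 16:18 1,582,201 ---sh--- c:\windows\system32\unahuzob.ini
2008-12-24 19:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 04:17 2,098 ---sh--- c:\windows\system32\segipusa.exe
2008-12-23 23:48 1,639,241 a--sh--- c:\windows\system32\rrwyhqtx.ini
2008-11-25 12:56 <DIR> --d----- C:\Picture Frame to be repaired
"""

# Assumed baseline for a stock Windows XP install; every other package is
# reported for review (vendor packages such as ThinkVantage ones will show up too).
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

# DDS file entry: "<date> <time> <size|<DIR>> <8-char attribute flags> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$"
)
LSA_RE = re.compile(r"^LSA: (Authentication Packages|Notification Packages) = (.+)$")


def lsa_findings(text):
    """Return (key, package) for every LSA package not in the assumed baseline."""
    findings = []
    for line in text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            key, packages = m.group(1), m.group(2).split()
            findings += [(key, p) for p in packages if p not in LSA_BASELINE[key]]
    return findings


def hidden_system_files(text):
    """Return paths of files whose attribute flags carry both 's' and 'h'."""
    paths = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group(2) != "<DIR>":
            attrs = m.group(3)
            if "s" in attrs and "h" in attrs:
                paths.append(m.group(4))
    return paths


def triage(text):
    """Collect both finding types for a DDS log body."""
    return {"lsa": lsa_findings(text), "files": hidden_system_files(text)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```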

#2 JimmyLon


Posted 30 December 2008 - 12:09 PM

Problem fixed (used ASquared, followed by executing Spybot via a scr file, followed by renaming MBAM to get it to run).

Feel free to delete this topic, and thanks for your help.

#3 fenzodahl512


Posted 05 January 2009 - 09:24 AM

Thank you for notifying us. I will now close this topic. Please PM any Moderator or the HijackThis Team should you need to re-open this topic.


Regards
fenzodahl512
