Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Rdirect w/windowsclick


  • Please log in to reply
9 replies to this topic

#1 Jeff_KY

Jeff_KY

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 19 February 2009 - 03:07 PM

I have an XPPro sp3 user says has been redirecting browsers MSIe7 & FireFox 3.0.6 for last few days. SpyBotS&D 1.6.2 starts and shows in taskmgr but never appears onscreen. MalwareBytes does not start at all, even trying not using mouse and renaming the executable. I do have HJT & DDS logs available. I'm a bit unsure of the next step. Thanks, J$

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:56 PM

Posted 19 February 2009 - 03:52 PM

Let's see if we can make progress with SDFix...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 Jeff_KY

Jeff_KY
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 19 February 2009 - 04:46 PM

Should mention that SDFix would not execute to unpack. I got around that by running on another PC and copying c:\sdfix to the target PC
After at least 20 minutes , it went into SafeMode and SDFix ran as described... Final phase ran for over 45 min.

SDFix: Version 1.240
Run by Administrator on Thu 02/19/2009 at 05:07 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 18:01:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\administrator.LGPDKY\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"="C:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe:*:Enabled:UTG"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"="C:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe:*:Enabled:UTG"

Remaining Files :
Files with Hidden Attributes :
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 26 Jul 2006 56 ..SHR --- "C:\WINDOWS\system32\1CCD6CFCF7.sys"
Wed 26 Jul 2006 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 19 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 31 Oct 2007 8 A..H. --- "C:\Documents and Settings\fconway\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 1 Nov 2007 8 A..H. --- "C:\Documents and Settings\fconway\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 1 Nov 2007 8 A..H. --- "C:\Documents and Settings\fconway\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 7 Nov 2007 8 A..H. --- "C:\Documents and Settings\fconway\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 3 Jul 2008 8 A..H. --- "C:\Documents and Settings\tkelton\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Finished!

Edited by Jeff_KY, 19 February 2009 - 06:02 PM.


#4 Jeff_KY

Jeff_KY
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 19 February 2009 - 07:09 PM

A bit of progress here.. MBAM now runs and did find a number of problems in quick scan. Removed those, much improved system, not out the woods yet, but out of time for tonight. Was able to save a number of logs in steps taken. not ready to close this as yet, but thanks for the help - J$

#5 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:56 PM

Posted 19 February 2009 - 09:11 PM

Good! Please post a log so we can see what we are dealing with.

First however, please backup your registry. It is showing signs of damage.
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the
    definitions before scanning by selecting "Check for Updates". (If you encounter
    any problems while downloading the updates, manually download them from
    here and
    unzip into the program's folder.
    )
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under
    Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner
    Options
    , make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp"

ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#6 Jeff_KY

Jeff_KY
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 19 February 2009 - 10:12 PM

Will be late tomorrow afternoon before I can access the ailing machine again. Will perform the Erunt Registry back-up, then ATF & SAS in Safe Mode, post my results. Thanks

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/19/2009 6:55:09 PM
mbam-log-2009-02-19 (18-54-55).txt

Scan type: Quick Scan
Objects scanned: 84235
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gamevance.linker (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevance.linker.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eed248e100e475533db417733ef1a978 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\fconway\Start Menu\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACbowxnrwa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACruwnomyq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvbnrplxy.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACqmqsilal.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\fconway\Local Settings\Temp\UAC3e86.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\fconway\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\fconway\Start Menu\A360\Help.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\fconway\Start Menu\A360\Registration.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\fconway\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.Antivirus360) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winconfig.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACpbavwibd.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvscxeqee.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxeqdlyfm.log (Trojan.Agent) -> Quarantined and deleted successfully.

#7 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:56 PM

Posted 19 February 2009 - 10:44 PM

I need to warn you about this infection: Trojan.TDSS

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed. If you want to attempt a clean, we need to move you to the HJT forum. That will be the best avenue for a complete clean.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#8 Jeff_KY

Jeff_KY
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 20 February 2009 - 05:11 PM

Oy Vey !!! I don't want to post here, where or what role this PC is in, but this is not good news. Unfortunately, this PC is such that it has control over a number of applications for which it stores configuration data, user name & passwords for a number of programs and computer applications.

I am on my way back to the location/PC now.

Edited by Jeff_KY, 20 February 2009 - 05:11 PM.


#9 Jeff_KY

Jeff_KY
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville KY
  • Local time:08:56 PM

Posted 20 February 2009 - 05:37 PM

Considering the role of this single user PC on a LAN with a DC, I should probably do a cleaning and change some passwords in the domain. ? about which order. And should I hold on the last instructions you advised ? or just have you relo this thread to HJT ?

#10 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:56 PM

Posted 20 February 2009 - 08:41 PM

Here is what I would do...

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. Post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

One word... The HJT team is very busy. Please be patient with them. The wait is worth the help received. :thumbsup:

Best wishes - you are in good hands...
rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users