
Firefox (Only) Browser Hijack


  • This topic is locked
13 replies to this topic

#1 FrankIII

  • Members
  • 7 posts

Posted 22 May 2009 - 02:26 PM

Hello Bleeping Computer Community.

I believe I may have malware and am having trouble locating and removing it.

I am running Vista x64.

It is a browser hijack/redirect.

It only affects firefox. IE and Safari are not currently affected.

I have run many different anti-virus, anti-spyware, and malware removal programs, with no luck finding or removing it.

I have completely reinstalled the OS, but that did not remove it either.

The symptoms are:
1. On one or a few sites, selecting a link will redirect to a site other than the one intended.
2. The history then shows all of the following:
a. link1.php
b. out.cgi
c. in.php
d. process.fcgi
e. (redirected website, varies)

Below is my HijackThis log. Any help would be appreciated. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:38 PM, on 5/22/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\HsMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: ArtecMedia Driver Monitor (DrvToolsService) - Ultima - C:\Program Files (x86)\Ultima\Drivers\iExtDrvTools.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 4029 bytes
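The redirect chain FrankIII describes (link1.php, out.cgi, in.php, process.fcgi, then an unrelated site) can be spotted mechanically in browser history. The script below is an added detection example, not part of this thread or of any tool mentioned in it; the history URLs it scans are constructed.

```python
"""Flag the redirect chain described in this thread in a list of visited URLs.

Added example (not from the thread or its tools). It scans browser-history
entries, in visit order, for the sequence of script names the original poster
observed (link1.php -> out.cgi -> in.php -> process.fcgi) and reports the site
the user clicked on and the site they ended up at.
"""
from urllib.parse import urlsplit

# The chain of path basenames FrankIII saw in his Firefox history.
CHAIN = ("link1.php", "out.cgi", "in.php", "process.fcgi")


def basename(url):
    """Return the last path component of a URL, without any query string."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1]


def find_redirect_chains(visits):
    """Return (origin_host, landing_host) pairs for each full chain in `visits`.

    `visits` is an ordered list of URLs. A hit is the clicked page, the four
    chain scripts in order, and then the final landing page. Chains that land
    back on the origin host are ignored, since that is not a hijack.
    """
    hits = []
    n = len(CHAIN)
    for i in range(1, len(visits) - n):
        window = visits[i:i + n]
        if tuple(basename(u) for u in window) != CHAIN:
            continue
        origin = urlsplit(visits[i - 1]).hostname
        landing = urlsplit(visits[i + n]).hostname
        if origin and landing and origin != landing:
            hits.append((origin, landing))
    return hits


# Constructed sample history: one hijacked click followed by a clean visit.
SAMPLE_HISTORY = [
    "http://forum.example.org/thread/123",
    "http://ads.example.net/link1.php?id=7",
    "http://ads.example.net/out.cgi?id=7",
    "http://tracker.example.com/in.php",
    "http://tracker.example.com/process.fcgi?r=1",
    "http://unwanted.example.com/landing.html",
    "http://docs.example.org/page.html",
]

if __name__ == "__main__":
    for origin, landing in find_redirect_chains(SAMPLE_HISTORY):
        print(f"click on {origin} was redirected to {landing}")
```

Running it against a real history export from each machine on the network would show whether the chain appears on more than one host, which is the question the thread ends on.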


#2 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 23 May 2009 - 05:35 PM

Hi FrankIII,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 23 May 2009 - 05:48 PM

Thanks for your help. :thumbup2:

Thanks for your help. :)

#4 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 23 May 2009 - 05:56 PM

Hi FrankIII,

Please download GooredFix and save it to your Desktop.
Double-click Gooredfix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

#5 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 23 May 2009 - 10:45 PM

I will get to it tomorrow. Thanks for the help.

#6 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 24 May 2009 - 04:24 AM

Judicandus,

Below is the log from Gooredfix.exe

GooredFix v1.92 by jpshortstuff
Log created at 02:22 on 24/05/2009 running Option #1 (Master Bedroom)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files (x86)\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files (x86)\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

#7 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 04 June 2009 - 02:14 AM

Hi FrankIII,

Sorry for the delay, I hope you're still following the thread :thumbup2:

Are you using an anti-virus? From your log I haven't seen any.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

AVAST Home Edition User Guide
http://www.avast.com/eng/download-avast-home.html

Avira AntiVir User Manual
http://www.free-av.com/en/documentation/index.html

AVG antivirus User Manual
http://free.avg.com/ww.download?prd=afe#tba3

*******************************************

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additional Folder Scans


Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here.
I will review it when it comes in.
Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

#8 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 04 June 2009 - 10:39 AM

Judicandus,

Thanks for the reply.

I was using AVG at the time the problem occurred.

Since then, I have reinstalled the operating system twice. After the first reinstall, I tried many different anti-virus, anti-spyware and anti-malware programs I found suggested throughout this and other forums, including ATF Cleaner. Nothing seemed to work. That is why I decided to post. I was at a loss on how to remove something that returned after a fresh OS installation. I only installed the bare minimum software (OS, all OS updates, device drivers from a clean download, and Firefox) after the second OS install. This is why you do not see any anti-virus in the log.

I will try the OTScanIt program and post the log.

Thanks again for your assistance.

#9 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 05 June 2009 - 11:25 AM

Hi FrankIII,

Do you use a router? If so, did you try resetting it?

#10 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2009 - 02:47 PM

Judicandus,

I do have a router. (Apple Time Machine)

I have not reset it. Do you think the redirect might be in the router?

#11 FrankIII

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2009 - 08:59 PM

Judicandus,

I checked another computer on the network while running Firefox. I got the same redirect. It did not affect IE, but it did affect Safari. I will reset my router and let you know the results.

#12 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 07 June 2009 - 11:37 AM

Hi FrankIII,

Sorry for the delay. Sometimes a router reset can work.
It's weird the redirect doesn't affect IE though. Let me know if the reset solved the problem.

#13 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 10 June 2009 - 12:18 AM

Hi FrankIII,

Did the router reset work?

#14 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 June 2009 - 07:27 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.