Internet Browser Hijacked

#1 ladyjensen1971

Posted 26 May 2009 - 06:35 PM

I am running Windows XP.
I cannot copy and paste - it's been disabled. I have lost my toolbar. I cannot change anything in my internet settings - when I try, the box pops up for a millisecond and then disappears. Same goes for when I attempt to download anti-virus or anti-spyware. I did a restore back to 4 days ago, but it didn't help. I am leery of going far beyond that point because my 12 year old daughter is currently making a video with a trial version of Sony Vegas, and I don't want to lose that program and not get it back.
I ran HijackThis and it gave me a report, but I cannot for the life of me copy and paste it, and it is extensive to copy by hand. Something I found peculiar was located in MS Office; I don't have the info right now, but it seemed to be some kind of redirector. I have run Spybot, Malwarebytes and Avast, and uninstalled AVG yesterday (to reinstall) and found that I could not reinstall. Same problem: when I click on the "download" link, I get a rapid pop-up window that disappears as fast as it came.
I'm fairly good with my computer and have previously gotten rid of some nasty viruses that my anti-virus and anti-spyware could not locate, but this one is throwing me for a loop, as it is blocking my access to many of my computer's controls.

An example of a few things found by HijackThis:

HKCS\Software\Microsoft\Windows\Current Version\Internet Settings, Proxy Override = *.local

RichVideao.exe - unknown owner

Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} C:\WINDOWS\Network ... Diagnostic\XPnetdiag.exe
Extra Tools Menuitem:
@xpsp3res.dll

Extra button: Messenger
C:\Program files\Messenger\msmsgs.exe
Extra 'tools' menuitem: Windows Messenger

MANY Thanks for any and all help!!!!!
Kathy

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 rigel

Posted 26 May 2009 - 07:10 PM

Let's try a few things, then we can retry your copy and paste.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 ladyjensen1971

Posted 26 May 2009 - 07:32 PM

Thank you - I will try it. I only wish I could copy and paste your solution...BUT I CAN'T!!! AAAARGH!!!!!
So I will write it down by hand and attempt it. I will let you know how it goes ASAP.

#4 ladyjensen1971

Posted 26 May 2009 - 10:00 PM

Cannot find SDFix...help!!!

#5 ladyjensen1971

Posted 26 May 2009 - 11:48 PM

I think I resolved the problem. I had a suspicion it was attached and buried somewhere in Microsoft Office. And, since I couldn't find SDFix, I figured I might as well try other things in the meantime.
So I went to Microsoft Security Updates and found that there were some new patches for a vulnerability found in Microsoft Office. I had my computer set to "automatic updates", so I just assumed this step was not necessary.
After uploading several updates (took quite some time), I restarted and was able to access Internet Options, as well as restore my "favorites", "tools" (etc.) and my old familiar Yahoo toolbar. I can also copy and paste!!! YAY!!!
So - I think (and hope) that that did it!
Please, I am still interested in finding SDFix, so if you can answer that for me, I'd appreciate it.

#6 rigel

Posted 27 May 2009 - 07:07 AM

I responded to your messages. Let me know if you need help :thumbsup:



#7 rigel

Posted 27 May 2009 - 06:23 PM

Hi ladyjensen :thumbsup:

Please keep all replies here... it just makes things easier to track.

SDFix: Version 1.240
Run by Kathy Jensen on Wed 05/27/2009 at 10:21 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSxxoe.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSxxoe.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 10:35:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"="C:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe:*:Enabled:Acrobat.com"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Disabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Warcraft II BNE\\Warcraft II BNE.exe"="C:\\Warcraft II BNE\\Warcraft II BNE.exe:*:Disabled:Warcraft II Battle.net Edition"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\is-RP2CF.tmp"
Sat 24 Jan 2009 22,030 ...H. --- "C:\Documents and Settings\Kathy Jensen\My Documents\~WRL0002.tmp"
Fri 28 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


You have the TDSS rootkit. Given that, I need to post a warning...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

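A small triage script for SDFix reports like the one rigel posted above, added here as an example; it is not part of the thread, of SDFix, or of BleepingComputer's tooling. The embedded report is a constructed, abbreviated copy of the one in the post (blank lines dropped), and the name/file mismatch check is my own heuristic, not something SDFix reports itself:

```python
import re

# Constructed excerpt modelled on the SDFix Report.txt quoted in this thread
# (blank lines dropped; only the sections the parser reads are kept).
SAMPLE_REPORT = r"""SDFix: Version 1.240
Checking Services :
Name :
TDSSserv.sys
Path :
\systemroot\system32\drivers\TDSSxxoe.sys
TDSSserv.sys - Deleted
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSxxoe.sys - Deleted
Final Check :
hidden processes: 0
hidden services: 0
hidden files: 0
"""

SERVICE_RE = re.compile(r"Name :\s+(\S+)\s+Path :\s+(\S+)")
DELETED_RE = re.compile(r"^(.+?) - Deleted$", re.MULTILINE)
HIDDEN_RE = re.compile(r"^hidden (processes|services|files): (\d+)$", re.MULTILINE)


def parse_sdfix_report(text: str) -> dict:
    """Extract what a helper checks first: removed services/files and catchme counters."""
    service_paths = dict(SERVICE_RE.findall(text))           # service name -> binary path
    deleted = [m.strip() for m in DELETED_RE.findall(text)]  # everything marked "- Deleted"
    return {
        "service_paths": service_paths,
        "deleted_services": [d for d in deleted if d in service_paths],
        "deleted_files": [d for d in deleted if re.match(r"^[A-Za-z]:\\", d)],
        "hidden": {kind: int(n) for kind, n in HIDDEN_RE.findall(text)},
    }


def triage(report: dict) -> list:
    findings = []
    for svc in report["deleted_services"]:
        path = report["service_paths"][svc]
        fname = path.rsplit("\\", 1)[-1]
        findings.append(f"removed service {svc} loaded from {path}")
        # A registered service name that differs from its driver file name is a
        # common rootkit tell (TDSSserv.sys vs. TDSSxxoe.sys in the report above).
        if fname.lower() != svc.lower():
            findings.append(f"name/file mismatch: service {svc} ran driver {fname}")
    findings += [f"removed file {f}" for f in report["deleted_files"]]
    if any(n > 0 for n in report["hidden"].values()):
        findings.append("catchme still reports hidden objects; rootkit may persist")
    else:
        findings.append("catchme found nothing hidden after the removal")
    return findings
```

Note that a zero count from catchme only says nothing was hidden at scan time on that boot; it does not contradict the advice above about trusting a machine that had a kernel-mode rootkit.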
