Infected with Browser Hijacker ?


  • This topic is locked
2 replies to this topic

#1 greentable
Posted 18 June 2009 - 09:48 AM

When I start IE I get a new screen saying 'Insecure Internet Activity. Threat of virus attack'. It then goes on to direct you to get protection software, or an alternative button allows you to proceed to your website (which you do get to OK). Following this, at approx 5 minute intervals, you get a dialog box appearing saying "Security Center Alert", with the message under it: "To help protect your computer Windows Firewall has blocked some features on this program". You are then asked 'Do you want to block this suspicious software?' - Name: Win32.Brontok. There are 3 buttons under, only one of which is not greyed out; this button takes you to the buy protection screen as mentioned earlier.

I have run PC Tools Spyware and AntiVirus on these (which were switched off, to be honest) but they failed to dig this malware out. Help!
Log is:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Windows at 15:19:46.43 on 18/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.848 [GMT 1:00]

AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Windows\Application Data\Google\qgipz2469937.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Windows\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mWindow Title = Tiscali 10.0
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue ProcessQuickLink 2] "c:\program files\uniblue\processquicklink 2\ProcessQuickLink2.exe" /autostart
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [Gainward] "c:\program files\vtune\TBPanel.exe" /A
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [hpqSRMon] "c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [realteks] "c:\documents and settings\windows\application data\google\qgipz2469937.exe" 2
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238486084281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229803921062
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F81002C0-2547-44F6-31B5-C2C500010001} - hxxp://updateserver.myvr-software.com/gallery/activex/myvrax.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-18 130936]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-6-18 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-6-18 826600]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-6-18 28560]
R3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [1980-1-1 296179]
R3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [1980-1-1 231983]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-22 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-22 1095560]

=============== Created Last 30 ================

2009-06-18 14:40 <DIR> --d----- c:\program files\Trend Micro
2009-06-18 12:50 <DIR> --d----- c:\program files\AskSBar
2009-06-18 12:50 <DIR> --d----- c:\program files\MSSOAP
2009-06-18 12:49 <DIR> --d----- c:\program files\Webroot
2009-06-18 12:49 164 a------- c:\windows\install.dat
2009-06-18 11:32 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-06-18 11:32 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-06-18 11:32 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-06-18 11:32 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-18 11:32 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-06-18 11:32 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-06-18 11:32 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-18 11:32 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-06-18 11:32 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-06-18 11:32 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-18 11:24 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-06-18 11:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-06-18 11:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-18 11:17 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-18 11:17 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-18 11:09 28,560 a------- c:\windows\system32\drivers\AVHook.sys
2009-06-18 11:09 21,904 a------- c:\windows\system32\drivers\AVRec.sys
2009-06-18 11:09 21,904 a------- c:\windows\system32\drivers\AVFilter.sys
2009-06-18 11:09 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-06-18 10:40 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-18 10:40 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-18 10:40 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-18 10:40 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-18 10:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-26 14:12 <DIR> --d----- C:\Maps
2009-05-26 14:11 <DIR> --d----- c:\program files\Memory-Map

==================== Find3M ====================

2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:46 3,068,928 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 05:46 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:46 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-29 05:46 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-29 05:46 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-04-27 21:24 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-27 21:24 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-31 09:50 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-02-05 18:13 39,456 a------- c:\docume~1\windows\applic~1\GDIPFONTCACHEV1.DAT
2005-11-26 16:17 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 15:20:53.96 ===============
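The DDS log above is where the rogue lives: among the legitimate vendor autostarts, one HKLM Run entry ("realteks") launches a randomly named executable from the user's Application Data folder, which is exactly the pattern a fake "Security Center Alert" product uses to survive reboots. The script below is an added example, not part of the original thread and not a BleepingComputer or DDS tool: it parses the uRun/mRun/dRun lines of a DDS "Pseudo HJT Report" and flags entries whose target sits in a user-writable location or carries a random-looking name. The sample lines are excerpted from the posted log and embedded inline so it runs offline; the path markers and the name regex are the example's own heuristics, not anything DDS reports.

```python
"""Triage the uRun/mRun/dRun lines of a DDS 'Pseudo HJT Report'.

Added example, not part of the original thread and not a DDS feature.
The heuristics below (user-writable locations, random-looking names)
are assumptions chosen for this demonstration.
"""
import re
from pathlib import PureWindowsPath

# Lines excerpted from the posted log (constructed inline so this runs offline).
SAMPLE_LOG = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [realteks] "c:\documents and settings\windows\application data\google\qgipz2469937.exe" 2
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

RUN_LINE = re.compile(r"^([umd])Run:\s*\[([^\]]*)\]\s*(.*)$")
HIVE = {"u": "HKCU", "m": "HKLM", "d": "Default user"}
# Locations a per-user dropper on XP typically writes to (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")
# A few lowercase letters followed by a long digit run, e.g. qgipz2469937 (assumption).
RANDOM_NAME = re.compile(r"^[a-z]{3,8}\d{5,}$")


def extract_target(command: str) -> str:
    """Return the file actually executed by a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        target = command[1:end] if end != -1 else command[1:]
        rest = command[end + 1:].strip() if end != -1 else ""
    else:
        parts = command.split(None, 1)
        target = parts[0] if parts else ""
        rest = parts[1] if len(parts) > 1 else ""
    # rundll32 only hosts a DLL: the payload is the first argument up to the comma.
    if PureWindowsPath(target).name.lower() == "rundll32.exe" and rest:
        target = rest.split(",", 1)[0].strip().strip('"')
    return target


def suspicious_reasons(target: str) -> list:
    """Heuristic reasons this autostart target deserves a closer look."""
    low = target.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile/temp location")
    stem = PureWindowsPath(low).stem
    if RANDOM_NAME.match(stem):
        reasons.append("random-looking file name '%s'" % stem)
    return reasons


def triage(log_text: str) -> list:
    """Return one finding per flagged Run entry: hive, value name, target, reasons."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        target = extract_target(command)
        reasons = suspicious_reasons(target)
        if reasons:
            findings.append({"hive": HIVE[hive], "name": name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s -> %s" % (f["hive"], f["name"], f["target"]))
        for r in f["reasons"]:
            print("   -", r)
```

Run against the excerpt, only the "realteks" entry is flagged, for both reasons; the signed vendor autostarts under Program Files and system32 pass untouched. The rundll32 unwrapping matters because the NvCplDaemon line would otherwise be scored on RUNDLL32.EXE rather than on the DLL it loads.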

#2 greentable
Posted 20 June 2009 - 02:51 AM

Saturday morning. After 16 hours over 2 days I am now happy to report that I seem to have cleared this worm. It ended with me loading antispyware and antivirus from a pen stick in safe mode and then going into the registry afterwards to hunt any bits left. A steep learning curve indeed. There is lots of advice on this worm and its variants out there, and I would like to say thank you here to all those brothers who took the time to make that advice available to us all.

#3 SifuMike (malware expert, Staff Emeritus)

Posted 23 June 2009 - 10:46 PM

Since your problem appears to be resolved, this thread will now be closed.