Google browser hijack remains after SmitFraud cleanup


#1 Propeller Head

Posted 21 October 2009 - 09:41 AM

Greetings,

My son browsed to a website this past weekend (October 17th @ 12:07am) that contained a malicious ad that attempted a drive-by install of SmitFraud on our Dell laptop via an old Adobe Reader exploit (now updated to v9.2.0 :(). Even though our A/V blocked most of the installation, some damage was done. I've cleaned up the damage to the point where all of the tools that I run (MBAM, SAS, Spybot, MWMSRT, etc) report a completely clean system.

But the system isn't clean. :) A rootkit or browser hijack remains that usually redirects Google search results to A/V, spyware and search engine sites. Most of these redirects then proceed to attempt to connect to an "r3953724.cn" site (see attached url.txt file for the full address). This attempted connection is never successful.

I've tried everything I can think of to clean up this problem, and am now admitting defeat. :( Anything you fine folks can do to help me out will be greatly appreciated!

OS: WinXP/SP3 w/all patches
Browser: IE7 w/all patches
A/V: ZoneAlarm Security Suite v8.0.400.020 w/up-to-date signatures

Thanks in advance,
Propeller Head

Edit: For what it's worth, I just tested Yahoo and Bing and they also get redirected like Google does.

************ Contents of the DDS.txt log ************

DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 19:02:48.51 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.470 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193947031277
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {576B191F-974F-4789-BE69-A7F1F182075F} = 142.161.2.155,142.161.130.155
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-7-7 2368]
S3 PD91Agent;PD91Agent;c:\program files\perfectdisk\PD91Agent.exe [2008-1-16 664840]
S3 PD91Engine;PD91Engine;c:\program files\perfectdisk\PD91Engine.exe [2008-1-16 894216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-10-19 18:59 <DIR> --d----- c:\program files\ComboFix
2009-10-19 18:33 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-10-19 18:33 50,176 a------- c:\windows\system32\proquota.exe
2009-10-19 18:11 236,544 a------- c:\windows\PEV.exe
2009-10-19 18:11 161,792 a------- c:\windows\SWREG.exe
2009-10-19 18:11 98,816 a------- c:\windows\sed.exe
2009-10-18 11:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-18 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-18 00:09 <DIR> --d----- c:\program files\Sysinternals
2009-10-17 18:45 <DIR> --d----- c:\program files\SmitfraudFix
2009-10-17 18:44 <DIR> --d----- c:\program files\smitRem
2009-10-17 17:56 <DIR> --d----- c:\program files\BlackLight
2009-10-17 15:44 <DIR> --d----- c:\program files\CWShredder
2009-10-17 13:05 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-17 13:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-17 13:05 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-17 13:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-10-13 18:52 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-13 17:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-13 17:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-13 17:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-13 17:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-13 17:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-13 17:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-13 17:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-13 17:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-09-24 21:36 <DIR> --d----- c:\program files\VirtualDub

==================== Find3M ====================

2009-10-20 19:02 422,507,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-19 22:23 5,659,136 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-13 15:39 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 -------- c:\windows\system32\wininet.dll
2009-08-29 02:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2008-06-30 21:50 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2007-11-02 17:44 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-02 17:44 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-02 17:44 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-02 17:44 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-02 17:44 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-02 17:44 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-02 17:44 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-02 17:44 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-02 17:44 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2008-07-01 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat

============= FINISH: 19:04:20.32 ===============


Edited by Propeller Head, 22 October 2009 - 08:08 AM.
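The DDS log above is the kind of thing a helper reads by eye, looking for drivers living where drivers should not and for files carrying the hidden+system attribute combination. As an added example (not part of the original post and not code from the DDS tool), here is a small Python triage pass over lines in the DDS "Created Last 30" / "Find3M" listing format. The sample lines are constructed from the shapes seen in the log above; the two heuristics (a .sys file outside system32\drivers, and a file with both s and h attributes) are the editor's assumptions about what deserves a second look, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS listing style (shapes copied from the post's
# log; this is not a live capture).
SAMPLE = r"""
2009-10-19 18:59 <DIR> --d----- c:\program files\ComboFix
2009-10-17 13:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 19:02 422,507,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-11-02 17:44 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2008-07-01 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
"""

# date time (size|<DIR>) attrs path  -- attrs is an 8-character flag string
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Assumed location of the one directory where .sys files are expected on XP.
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


@dataclass
class Finding:
    path: str
    reason: str


def parse_dds_listing(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; blank and unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append(Entry(
            date=m.group("date"),
            time=m.group("time"),
            size=int(size.replace(",", "")) if size else None,
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def flag_entries(entries: List[Entry]) -> List[Finding]:
    """Heuristic triage: drivers outside the driver directory, and
    hidden+system files. Both are leads for a human, not a malware verdict."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        folder = low.rsplit("\\", 1)[0]
        if low.endswith(".sys") and folder != DRIVER_DIR:
            findings.append(Finding(e.path, "driver (.sys) outside system32\\drivers"))
        if "s" in e.attrs and "h" in e.attrs:
            findings.append(Finding(e.path, "hidden+system attributes"))
    return findings


if __name__ == "__main__":
    for f in flag_entries(parse_dds_listing(SAMPLE)):
        print(f"{f.reason:40} {f.path}")
```

Note that the hidden+system check fires on legitimate files too: security suites and Windows itself keep hidden system files, so a hit only means "confirm what this belongs to", exactly as a human reader of the log would.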

#2 Propeller Head (Topic Starter)

Posted 29 October 2009 - 08:12 AM

Disregard - we're clean. The atapi.sys driver was infected with a rootkit.
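The resolution above, an infected atapi.sys, is the case that defeats the scanners listed in the first post: the driver keeps its name, its location and (in a same-size patch) its size, so only its contents give it away. As an added example (editor's code, not something from the thread or from any of the tools mentioned), the following Python compares the live driver against the Windows File Protection backup in dllcache by SHA-256 rather than by size or timestamp. The two XP paths are the standard ones; the demo files are constructed so the block runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Standard XP locations of the live driver and the File Protection backup copy.
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
DLLCACHE_COPY = r"C:\WINDOWS\system32\dllcache\atapi.sys"


def sha256_of(path) -> str:
    """Stream the file through SHA-256 so large drivers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver(live, backup) -> dict:
    """Return sizes and digests of both copies plus whether the bytes match."""
    live_p, backup_p = Path(live), Path(backup)
    result = {
        "live_size": live_p.stat().st_size,
        "backup_size": backup_p.stat().st_size,
        "live_sha256": sha256_of(live_p),
        "backup_sha256": sha256_of(backup_p),
    }
    result["match"] = result["live_sha256"] == result["backup_sha256"]
    return result


def demo_with_constructed_files() -> dict:
    """Constructed stand-in: a clean 'backup' and a 'live' copy that has been
    patched in place without changing its size."""
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d) / "atapi.sys.backup"
        live = Path(d) / "atapi.sys"
        clean = b"MZ" + bytes(range(256)) * 64          # fake driver body
        backup.write_bytes(clean)
        patched = bytearray(clean)
        patched[0x200:0x210] = b"\x90" * 16               # same-size in-place edit
        live.write_bytes(bytes(patched))
        return compare_driver(live, backup)


if __name__ == "__main__":
    if os.path.exists(LIVE_DRIVER) and os.path.exists(DLLCACHE_COPY):
        print(compare_driver(LIVE_DRIVER, DLLCACHE_COPY))
    else:
        print(demo_with_constructed_files())
```

Two caveats a practitioner would add. First, a kernel-mode rootkit that filters reads of the file it infected can hand the original bytes back to user-mode tools, so the comparison is only trustworthy when run from a clean boot (another OS or rescue medium) against the offline disk. Second, dllcache is on the same disk and can be replaced too; the digest you really want to compare against comes from a known-good copy, such as the installation media or another fully patched XP SP3 machine.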

#3 m0le

Malware Response Team, London, UK

Posted 30 October 2009 - 09:22 PM

Thanks for letting us know :(

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE