search engine hijacked


  • This topic is locked
3 replies to this topic

#1 happy geordie

  • Members
  • 2 posts

Posted 14 November 2009 - 05:37 AM

HI, I hope somebody can help with this!

The main PC on my work network (only 3 PCs) started acting up last week: slow internet and email access, random pop-ups, Internet Explorer opening even when not connected. Unfortunately my receptionist kept this to herself until our internet usage limit was exceeded and we could no longer access the internet! (The limit is 5GB/month, but we only use the internet for emails and occasional surfing.) Looks like something bad had been running in the background, as the IE history list was massive!
I ran Avast, Malwarebytes, and S+D; these came up with a few viruses and trojans, which were all removed. However, whenever I try to open a Google search result, several windows open to different websites. I've run the antivirus and anti-spyware again; they are coming up clean!

Any help would be appreciated!

I will post DDS logs etc shortly!

OK, at work now. Here are the logs:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 12:04:18.62 on 14/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.202 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 091112-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\symantec\ghost 14\Agent\VProSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe
D:\symantec\ghost 14\Agent\VProTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\dllhost.exe
D:\symantec\ghost 14\Shared\Drivers\SymSnapService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\AntiSpyware Tools\BleepingComputerLogs\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Iomega Automatic Backup Pro] "c:\program files\iomega\automatic backup pro\LiveSystem.exe" -s
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [DellNSCST] "c:\program files\dell\dell laser mfp 1600n\networkscan\DNSCST.exe" /HIDEUI
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Norton Ghost 14.0] "d:\symantec\ghost 14\agent\VProTray.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {203B1434-4019-4708-8989-5586A3E7B420} = 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2004-3-5 15942]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-4 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-4 20560]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-7-31 10240]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2008-4-14 5120]
R3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2009-4-5 129535]
R3 SymSnapService;SymSnapService;d:\symantec\ghost 14\shared\drivers\SymSnapService.exe [2007-12-20 1553896]

=============== Created Last 30 ================

2009-11-05 11:05:03 2362 --sh--r- c:\documents and settings\owner\weoaje.exe
2009-10-27 16:03:26 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2009-11-14 12:04:21 16437280 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-13 18:13:52 196664 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-04-05 17:27:50 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:06:32.59 ===============

Edited by happy geordie, 14 November 2009 - 07:26 AM.


#2 happy geordie

  • Topic Starter

  • Members
  • 2 posts

Posted 14 November 2009 - 07:29 AM

Just in case it helps, I'll post the logs from avast + MBM:

AVAST:
05/11/2009 11:05:03 SYSTEM 1592 Sign of "Win32:VB-NNB [Trj]" has been found in "C:\Documents and Settings\Owner\weoaje.exe" file.
05/11/2009 11:06:10 SYSTEM 1592 Sign of "Win32:Trojan-gen" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe" file.
05/11/2009 11:06:51 SYSTEM 1592 Sign of "Win32:Trojan-gen" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe" file.
06/11/2009 14:03:28 SYSTEM 1860 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V0RISYPU\flash_counter[2].htm (C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V0RISYPU\flash_counter[2].htm) returning error, 0000A413.
06/11/2009 14:40:55 SYSTEM 1860 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SLKBX6U\flash_counter[3].htm (C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SLKBX6U\flash_counter[3].htm) returning error, 0000A413.
09/11/2009 14:16:10 SYSTEM 1636 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
09/11/2009 14:16:10 SYSTEM 1636 An error has occured while attempting to update. Please check the logs.
10/11/2009 12:31:14 SYSTEM 1648 Sign of "Win32:MalOb-V [Cryp]" has been found in "C:\WINDOWS\msa.exe" file.
10/11/2009 13:06:00 SYSTEM 1648 Sign of "Win32:MalOb-V [Cryp]" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe" file.
11/11/2009 08:21:31 Owner 1892 Sign of "Win32:MalOb-V [Cryp]" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe" file.
11/11/2009 15:07:44 Owner 3840 Sign of "Win32:MalOb-V [Cryp]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\b.exe" file.
11/11/2009 15:48:53 Owner 3840 Sign of "Win32:MalOb-V [Cryp]" has been found in "C:\System Volume Information\_restore{E4AF4EE1-FF4F-4DD5-892B-9B5027EFE7D5}\RP168\A0043532.exe" file.
13/11/2009 15:33:28 SYSTEM 1652 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
13/11/2009 15:33:30 SYSTEM 1652 An error has occured while attempting to update. Please check the logs.


MBM:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/11/2009 17:06:36
mbam-log-2009-11-11 (17-06-36).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 164735
Time elapsed: 41 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\jusched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
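
As an added example (not part of the original thread, and not code from DDS, Avast or Malwarebytes), the following Python script runs the kind of check a malware responder applies to the logs above. The legitimate jusched.exe in the DDS process list runs from C:\Program Files\Java\jre6\bin, while the copy Malwarebytes quarantined sat in the profile root C:\Documents and Settings\Owner; the "Created Last 30" entry weoaje.exe, also in the profile root, carries the system and hidden attributes (--sh--r-). The script compares well-known binary names against their expected directories, flags new executables with system+hidden attributes or a profile-root location, and parses Malwarebytes "Files Infected" lines so the hit can be correlated with the process list. The expected-directory table, the attribute-letter meanings and the one process-list entry for the profile-root jusched.exe are assumptions for illustration; the other sample lines are copied from the posted logs.

```python
"""Triage helper for the DDS and Malwarebytes log lines pasted above.

Flags executables that run from, or were created in, directories where a
binary of that name does not belong. EXPECTED_DIRS is an assumption made for
this example; derive your own from a known-good build of the same image.
"""
import re
from pathlib import PureWindowsPath

# Assumed canonical locations for names malware likes to borrow, on a
# 32-bit Windows XP install with JRE 6 (as in the DDS header above).
EXPECTED_DIRS = {
    "jusched.exe":  {r"c:\program files\java\jre6\bin"},
    "ctfmon.exe":   {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# A user profile root is never a normal home for an .exe.
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+$")

# DDS "Created Last 30" / "Find3M" lines: date time size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]{8})\s+(.+)$")

# Malwarebytes "Files Infected" lines: path (Detection) -> action
MBAM_RE = re.compile(r"^(.+?) \(([^)]+)\) -> (.+)$")


def _norm(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.strip().strip('"').lower())


def check_process(line: str):
    """Finding for one 'Running Processes' line, or None.

    Bare names such as 'svchost.exe' (no directory) are skipped: DDS prints
    them that way when it could not read the image path.
    """
    p = _norm(line.split(" -k ")[0])        # drop 'svchost -k netsvcs' args
    if p.parent == PureWindowsPath("."):
        return None
    parent = str(p.parent)
    if p.name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[p.name]:
        return f"{p.name} running from unexpected directory {parent}"
    if p.suffix == ".exe" and PROFILE_ROOT.match(parent):
        return f"{p.name} running from profile root {parent}"
    return None


def check_created(line: str):
    """Finding for one DDS 'Created Last 30' line, or None.

    Attribute letters are read as in the sample lines (assumed): 'd'
    directory, 's' system, 'h' hidden, 'r' read-only, 'w' writable.
    """
    m = CREATED_RE.match(line)
    if not m:
        return None
    attrs, p = m.group(1), _norm(m.group(2))
    hidden_system = "s" in attrs and "h" in attrs
    if p.suffix == ".exe" and (hidden_system or PROFILE_ROOT.match(str(p.parent))):
        return f"{p.name} created in {p.parent} with attrs {attrs}"
    return None


def parse_mbam_file(line: str):
    """(path, detection, action) from a Malwarebytes 'Files Infected' line."""
    m = MBAM_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def triage(process_lines, created_lines, mbam_lines):
    """Run every check and return the list of findings, in input order."""
    findings = [f for ln in process_lines if (f := check_process(ln))]
    findings += [f for ln in created_lines if (f := check_created(ln))]
    for ln in mbam_lines:
        hit = parse_mbam_file(ln)
        if hit:
            findings.append(f"mbam: {hit[1]} at {hit[0]} ({hit[2]})")
    return findings


# Sample input: all but the last process line are copied from the thread;
# the profile-root jusched.exe is constructed from the Malwarebytes hit to
# show what it would look like had it still been running at DDS time.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    "svchost.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Java\jre6\bin\jusched.exe",
    r"C:\Documents and Settings\Owner\jusched.exe",   # constructed entry
]
SAMPLE_CREATED = [
    r"2009-11-05 11:05:03 2362 --sh--r- c:\documents and settings\owner\weoaje.exe",
    r"2009-10-27 16:03:26 0 d-----w- c:\program files\Microsoft",
]
SAMPLE_MBAM = [
    r"C:\Documents and Settings\Owner\jusched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_CREATED, SAMPLE_MBAM):
        print(finding)
```

Run as-is it reports three findings: the profile-root jusched.exe, the hidden+system weoaje.exe, and the Malwarebytes detection; the two legitimate jusched.exe and ctfmon.exe entries pass. The same name-versus-location check is why the three Security Center *DisableNotify values Malwarebytes reset (Bad: 1, Good: 0) matter: malware that masquerades as a Java updater also tends to silence the notifications that would have exposed it.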

#3 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 November 2009 - 11:45 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#4 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 November 2009 - 05:59 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
