Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirect to Wrong URL


  • This topic is locked This topic is locked
3 replies to this topic

#1 Point202

Point202

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 29 November 2009 - 10:09 AM

I was infected with the Security Tool malware last night. I was browsing the web using Firefox version 3, which crashed just before the infection began. (It is a rogue antivirus software that brings up false infection alarms. It also hijacked my web browsers and blocked all virus/malware removal applications from running.)

I successfully killed Security Tool as follows:
- Downloaded and ran the Sysinternals Process Explorer (procexp.exe). I needed to rename "procexp.exe" to a random name so Security Tool would not recognize it. Used procexp.exe to kill the Security Tool process.
- Downloaded and ran Malwarebytes' Anti-Malware to remove the Security Tool Files

Now I seem to be having a residual problem whenever I do a internet search using a search engine (have tried both Google and Bing). When I click on any of the search results, I am redirected to a complete unrelated site (which is different every time). What is consistent though is that the page icon always resembles either a blue squiggle or a green globe. I tried searches in both Firefox and IE - the problem occurs in both browsers. I am able to type or copy/paste a URL directly into the browser and get to the correct page.

I have cleaned out all cookies/temporary internet files/etc and I have run both AVG and AdAware to try to clean-up the problem. I also tried to use StopZilla last night to fix the Security Tool program, but I did not want to pay for the software so I have since uninstalled it.

I have downloaded and run HijackThis - the log is below. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:53 AM, on 11/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32WLTRYSVC.EXE
C:WINDOWSSystem32bcmwltry.exe
C:Program FilesLavasoftAd-AwareAAWService.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAdobeElements Organizer 8.0PhotoshopElementsFileAgent.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:WINDOWSExplorer.EXE
C:Program FilesApointApoint.exe
C:WINDOWSsystem32WLTRAY.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:WINDOWSsystem32igfxpers.exe
C:WINDOWSstsystra.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32igfxsrvc.exe
C:Program FilesApointHidFind.exe
C:Program FilesApointApntex.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesLavasoftAd-AwareAAWTray.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesAVGAVG8avgui.exe
C:Program FilesAVGAVG8avgscanx.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070301
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.dell.com
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.dell.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070301
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:Program FilesStopzilla!ToolbarSZSG.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:Program FilesStopzilla!ToolbarSZSG.dll (file missing)
O4 - HKLM..Run: [Apoint] C:Program FilesApointApoint.exe
O4 - HKLM..Run: [Broadcom Wireless Manager UI] C:WINDOWSsystem32WLTRAY.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..Run: [Malwarebytes Anti-Malware (reboot)] "C:Program FilesMalwarebytes' Anti-Malwarembam.exe" /runcleanupscript
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:WINDOWSSYSTEM32avgrsstx.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:Program FilesAdobeElements Organizer 8.0PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: DHCP Client Dhcpsrservice (Dhcpsrservice) - Unknown owner - C:WINDOWSsystem321031x.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:Program FilesLavasoftAd-AwareAAWService.exe
O23 - Service: License Management Service ESD - element5 - C:Program FilesCommon Fileselement5 SharedServiceLicence Manager ESD.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:WINDOWSSystem32WLTRYSVC.EXE

--
End of file - 6303 bytes

This is the log from Malwarebytes, which I used to clean-up the Security Tool issue. This might also be useful to help fix my problem....

Malwarebytes' Anti-Malware 1.41
Database version: 3253
Windows 5.1.2600 Service Pack 3

11/28/2009 10:48:51 PM
mbam-log-2009-11-28 (22-48-51).txt

Scan type: Full Scan (C:|)
Objects scanned: 200256
Time elapsed: 1 hour(s), 19 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRList (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:Documents and SettingsAll UsersApplication Data47992940 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:Documents and SettingsAmy SchnarrenbergerLocal SettingsTemp~TM91.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:Documents and SettingsAmy SchnarrenbergerStart MenuProgramsStartupmgjwin32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}RP468A0069679.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:WINDOWSsystem321031x.exe (Trojan.Dropper) -> Delete on reboot.
C:Documents and SettingsAmy SchnarrenbergerApplication Datawiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.

Merged posts. ~ OB

Edited by Orange Blossom, 29 November 2009 - 05:29 PM.


BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:25 PM

Posted 07 December 2009 - 04:33 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this do following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab and then scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Point202

Point202
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 07 December 2009 - 04:49 PM

Thank you for your reply, but unfortunately it is too late... Windows crashed on me over the weekend, to the point where I couldn't even access it via Safe Mode. I can only assume that the virus corrupted something. Fortunately I have been able to rescue my documents and files and have reinstalled Windows.

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:25 PM

Posted 07 December 2009 - 05:00 PM

Sorry to hear that but it's good you could rescue important files. Shall close this topic now.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users