
Site infected my PC: cannot change IE search page, reset web settings, etc.


  • This topic is locked
4 replies to this topic

#1 BoosterGC

BoosterGC

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 29 November 2009 - 10:49 AM

Recently I (stupidly) clicked on a web link in an e-mail (supposedly) from my sister. I was immediately redirected, the e-mail was deleted, etc. etc.

I was running SpySweeper w/ Antivirus... didn't even blink.

I am now rebuilding my computer, as I suspect it is compromised.

Combofix detected & deleted jestertb.dll, and other stuff.
I got & installed a new version of SpySweeper, and also installed Norton 360 v2 as well.

Now my IE6 is behaving oddly.
I now have a link "Reset Web settings" under "Tools",
I cannot change my search page (it defaults to "Bing")
and sometimes when I try to access Bleepingcomputer site, it blocks me with a mysterious message.

There were 3 "R1" items in my HijackThis log that I could not remove, nor could I change them in the registry directly.
Now in re-running the HJT log they are gone.

Here is what those lines were:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


My other HJT logs that I previously saved were deleted.


Here is my current HJT log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:42 AM, on 29/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\igfxsrvc.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\umonit.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\Microsoft IntelliType Pro\itype.exe
F:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
F:\Program Files\WinZip E-Mail Companion\loadwzco.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
F:\WINDOWS\system32\hphmon04.exe
f:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] "F:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "F:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "F:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [RTHDCPL] "F:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "F:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [UMonit] "F:\WINDOWS\system32\umonit.exe"
O4 - HKLM\..\Run: [InCD] "F:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "F:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [itype] "f:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "F:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
O4 - HKLM\..\Run: [HPHmon04] "F:\WINDOWS\system32\hphmon04.exe"
O4 - HKLM\..\Run: [HPHUPD04] "F:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKUS\S-1-5-21-776561741-682003330-725345543-500\..\Run: [CTFMON.EXE] "F:\WINDOWS\system32\CTFMON.EXE" (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1257211283956
O16 - DPF: {9B785917-E16B-4A9F-8E73-9D3346E4F0BC} (DivingPlugInX Control) - http://www.suuntosports.com/mysuunto/plugin/DivePlugIn.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C39A1A3-4853-4BA4-B442-BA94C68EF38E}: NameServer = 206.132.180.5 206.132.190.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C39A1A3-4853-4BA4-B442-BA94C68EF38E}: NameServer = 206.132.180.5 206.132.190.5
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPH11 - HP - F:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - F:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - F:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 8946 bytes
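The three R1 lines quoted above point at go.microsoft.com, which is where IE 6 defaults live, so on their own they are not a hijack indicator; the O17 lines are the DNS servers the interface is configured with, and the "localhost" remark later in the thread is the hosts-file entries HijackThis reports as O1. The following script is an added example, not code from the thread or from HijackThis: it parses R0/R1, O1 and O17 lines from a HijackThis log, checks IE URLs against a small allow-list, flags any hosts-file mapping other than localhost, and compares NameServer values with the DNS servers you expect. The allow-list, the expected DNS set, the hijacked search URL and the O1 line in the sample are all constructed assumptions for illustration; the other sample lines are copied from the log above.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Hosts that a clean IE 6 install points its Main URLs at (assumption for this example).
TRUSTED_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.bing.com"}
# Non-URL values HijackThis shows for R0/R1 that are harmless.
BENIGN_VALUES = {"about:blank", ""}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
IE_MAIN_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
DNS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d. ,]+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")


def classify_ie_url(data: str) -> str:
    """Return 'ok' if an IE Main URL is benign or on the allow-list, else 'review'."""
    data = data.strip()
    if data in BENIGN_VALUES:
        return "ok"
    host = urlparse(data).hostname or ""
    return "ok" if host.lower() in TRUSTED_IE_HOSTS else "review"


def triage_line(line: str, expected_dns: Optional[set] = None) -> Optional[dict]:
    """Parse one HijackThis line; return a finding dict, or None for line types we ignore."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):                       # IE start/search/default page URLs
        r = IE_MAIN_RE.match(body)
        if not r:
            return {"code": code, "status": "review", "detail": f"unparsed: {body}"}
        detail = f"{r.group('hive')}\\{r.group('key')} {r.group('name').strip()} = {r.group('data').strip()}"
        return {"code": code, "status": classify_ie_url(r.group("data")), "detail": detail}

    if code == "O1":                               # hosts-file entries
        h = HOSTS_RE.match(body)
        if not h:
            return {"code": code, "status": "review", "detail": body}
        # The only hosts entry a clean box needs is localhost itself; anything else gets a look.
        benign = h.group("ip") == "127.0.0.1" and h.group("host").lower() == "localhost"
        return {"code": code, "status": "ok" if benign else "review",
                "detail": f"{h.group('ip')} -> {h.group('host')}"}

    if code == "O17":                              # per-interface DNS servers
        d = DNS_RE.search(body)
        if not d:
            return {"code": code, "status": "review", "detail": body}
        servers = [s for s in re.split(r"[ ,]+", d.group("servers").strip()) if s]
        if expected_dns is None:
            status = "info"                        # nothing to compare against; surface for a human
        else:
            status = "ok" if set(servers) <= expected_dns else "review"
        return {"code": code, "status": status, "detail": " ".join(servers)}

    return None


def triage_log(log_text: str, expected_dns: Optional[set] = None) -> list:
    """Run triage_line over a whole log, keeping only the lines that produced a finding."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line, expected_dns)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: two lines copied from the log above, one R1 with a hijacked
# search URL, and one hypothetical O1 entry of the kind that blocks a help site.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://hijacked-search.example/?q=
O1 - Hosts: 127.0.0.1 www.bleepingcomputer.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5C39A1A3-4853-4BA4-B442-BA94C68EF38E}: NameServer = 206.132.180.5 206.132.190.5
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""

if __name__ == "__main__":
    # expected_dns is an assumed value; put your own router/ISP resolvers here.
    for f in triage_log(SAMPLE_LOG, expected_dns={"192.168.1.1"}):
        print(f"{f['status']:6} {f['code']:4} {f['detail']}")
```

The point of the allow-list is that a "review" status is a prompt to look, not a verdict: the R1 lines in this post come out "ok", while a search page on an unfamiliar host, a hosts-file mapping for a security site, or DNS servers you did not configure are the things worth chasing before reinstalling.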


#2 BoosterGC

BoosterGC
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 30 November 2009 - 09:26 AM

Gets even weirder... and more depressing.

During 1 sweep (finally), Spysweeper detected HackTool App/ForceLib-A and a bunch of spy tracking cookies.
The HJT log kept changing... some stuff appeared, then disappeared.
My localhost info was changed, and blocked.
ComboFix disappeared from my desktop.

If I boot into Safe Mode, will malware/viruses continue to run rampant?

Edited by Orange Blossom, 21 October 2010 - 09:02 PM.
Removed no longer relevant content. ~ OB


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:10 PM

Posted 10 December 2009 - 11:00 AM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me know so I can close this topic, if you still need help please let me know what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following logs:
  • OTListIt.txt
  • Extra.txt
Thanks



#4 BoosterGC

BoosterGC
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 10 December 2009 - 11:17 AM

Sorry... please close this.
I have since had to completely rebuild my computer system from the ground up.

I ditched Spysweeper, as it appears to be an inferior product (things get through firewall and AV, and I/F is easily spoofed)... not to mention their customer support is non-existent now.


Thank you anyway.

Edited by BoosterGC, 10 December 2009 - 11:18 AM.


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:10 PM

Posted 10 December 2009 - 11:21 AM

Thanks for letting us know :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
