b.exe and c.exe, then search results hijacked.

7 replies to this topic

#1 stephanpark


Posted 11 December 2009 - 12:50 AM

Hello, I'm very glad to have found such a vibrant community. I'm at a loss over a dumb mistake I haven't committed in the 15 or so years I've worked on the internet. In any case, an executable I scanned with what I thought was the best Anti-Virus was cleared; it was a supposed ZIP EXE file (so I thought) that was meant to be a free tutorial for SolidWorks 9.0.

When executed, instead of opening a WinZip session, it did nothing...or so I thought. The file was deleted and forgotten about. Later on, though, ZoneAlarm detected a file trying to get access called b.exe, then c.exe. Both were denied, but then I realized what I had done. DOH! I must have slapped myself hard enough to pass out, because when I came to, all search results were going to http://newserversearch.com/ and mostly ending up at TheClickCheck.com. Since all search results were hijacked, I figured that hard linking would still work, and I have been using that method to try to find a solution, and here I am!

Using several recommended spyware removers in other forums such as Anti-Malware, CWShredder, RootkitBuster, and RUBotted, (some I haven't tried yet due to paranoia) I thought things were fine, but the hijacking remained. Attempts by files to access the web have stopped though.

Most were removed as soon as their work was done, so I regret not having good reports to show. What I do know is that at least two files were deleted, b.exe and c.exe.
SUPERAntiSpyware found Adware.URLBlaze but the referring file was not found, I'm going to hold off on the other Anti-Spyware until you guys chime in...as it looks like most of the invasive files have been deleted.

Looking forward to hearing from you guys!



#2 azfreetech


Posted 11 December 2009 - 03:19 AM

It's possible that you have a rootkit infection so we will want to check this with Root Repeal.

Download Root Repeal and save it to your desktop. Here are some direct download links:

LINK 1
LINK 2
LINK 3
LINK 4

Once you have Root Repeal saved to your desktop, double click to open it. Click on the Report tab and then click scan. Check all seven boxes and click OK. Check the box for your main drive (c: in most cases) and then click OK. Let the Root Repeal scan run and once it's complete (this may take some time) click on Save Report. Save the log to your desktop and then please post it in your response.
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 azfreetech


Posted 11 December 2009 - 02:05 PM

Please download Gooredfix and save it to your desktop. Double click to run it and once it is done you will see a log called Goored.txt. Please post that in your next response as well.
DJ Digital Gem

I gave up on computers and now I just DJ!

#4 stephanpark


Posted 12 December 2009 - 07:42 PM

Hey azfreetech, good to hear from you.
I did as you outlined and am posting results one at a time.
First, here are the results from RootRepeal. I see no unusual activity but would not be posting if I knew for sure. :thumbsup:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/12 16:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA712C000 Size: 897024 File Visible: No Signed: -
Status: -

Name: rootrepeal-135.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal-135.sys
Address: 0xA1B13000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9B9D000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9204fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9201c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921c170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9205580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9219900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9219b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921db10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9205670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9202210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921c9f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921c7a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9219280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921cf10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921cf90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9202070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921b180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921af40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921d6f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921d150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9204be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921d540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9205190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9202440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921c4e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921a200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa921a080

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9203e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9203f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9203fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9202d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9204250

==EOF==

Edited by stephanpark, 12 December 2009 - 07:43 PM.
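An added example, not code from this thread or from the RootRepeal tool: a small Python parser for the report layout in the log above, which groups every SSDT and Shadow SSDT hook by the module that set it and lists drivers marked "File Visible: No". SAMPLE_LOG is a constructed excerpt in the same layout; the module and driver names are taken from the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report layout (same field names as the log above).
SAMPLE_LOG = """\
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_iaStor.sys
Address: 0xA712C000 Size: 897024 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xa9201c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xa921c170

Shadow SSDT
-------------------
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xa9204250

==EOF==
"""

# A hook entry is the "#:" line followed by its "Status: Hooked by ..." line.
HOOK_RE = re.compile(
    r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# A driver entry from the Drivers section (Name / Image Path / Address line).
DRIVER_RE = re.compile(
    r'Name: (\S+)\nImage Path: (.*)\nAddress: (0x[0-9A-Fa-f]+) Size: (\d+) '
    r'File Visible: (\w+) Signed: (\S+)')

def hooks_by_module(log):
    """Map each hooking module path to the sorted list of functions it hooks."""
    out = defaultdict(list)
    for _index, func, module, _addr in HOOK_RE.findall(log):
        out[module].append(func)
    return {module: sorted(funcs) for module, funcs in out.items()}

def hidden_drivers(log):
    """Names of drivers the report marks 'File Visible: No' (worth a second look)."""
    return [name for name, _p, _a, _s, visible, _sig in DRIVER_RE.findall(log)
            if visible.lower() == "no"]
```

Run against the poster's full log, every hook resolves to vsdatant.sys, the driver of the ZoneAlarm firewall the poster mentions, which is what a firewall is expected to do; a hook from a module you cannot account for is the thing to investigate. The two not-file-visible drivers there, the crash-dump copy of the storage driver and RootRepeal's own driver, are likewise expected.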


#5 stephanpark


Posted 12 December 2009 - 07:50 PM

And here are the results of GooredFix.

GooredFix by jpshortstuff (06.12.09.1)
Log created at 16:49 on 12/12/2009 (Stephan Park)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [09:41 03/01/2007]
{99a0337c-6303-4879-b72e-500fd9aaca8c} [23:20 20/09/2009]
{99a0337c-6303-4879-b72e-500fd9aaca8c}(2) [21:04 18/09/2009]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [10:18 18/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [23:01 01/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [16:38 11/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [03:06 20/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [20:53 16/11/2009]

C:\Documents and Settings\Stephan Park\Application Data\Mozilla\Firefox\Profiles\liign8eg.default\extensions\
{0538E3E3-7E9B-4d49-8831-A227C80A7AD3} [23:55 11/06/2009]
{19503e42-ca3c-4c27-b1e2-9cdb2170ee34} [03:50 07/12/2009]
{20a82645-c095-46ed-80e3-08825760534b} [09:24 07/08/2009]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [08:34 13/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:58 05/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [10:18 18/03/2009]

---------- Old Logs ----------
GooredFix[00.46.04_13-12-2009].txt

-=E.O.F=-

#6 xblindx


Posted 12 December 2009 - 07:57 PM

dtminf, please start your own topic, even if you have similar issues. It is easier on volunteers and people reading the forums for information if you begin your own topic.

#7 stephanpark


Posted 13 December 2009 - 05:34 PM

This is not a bump.
My system suddenly couldn't find my only user profile on my machine. At the login screen, a strange, Win2000-style popup stated that the computer couldn't read my profile and was starting up into a default user. I didn't want to make a mess, so I let it create the user and then, when stable, rebooted. Now my profile is just fine, no popup, and I log in fine. But in order to get rid of that default account in "User Accounts", I attempted to find it in the list of users. Oddly, some of the icons are x-ed out, and there is no default user in the list, just mine and a grayed-out Guest icon. Also, in the C:\Documents and Settings directory, default user seems to be a clone of Administrator, only without a password.

I'm not sure this is relevant, but anything scary that has never happened before will be posted just in case. Hope this is OK.

Edited by stephanpark, 13 December 2009 - 05:38 PM.


#8 stephanpark


Posted 13 December 2009 - 10:15 PM

Hey, I shot an email to ESET's tech support. They told me to use Avenger and Anti-Malware in Safe Mode then normal. Seems to have done the trick.

Here are the portions that may be of interest. Oh, Avenger didn't seem to find anything after Anti-Malware did its job.

Malwarebytes' Anti-Malware 1.42
Database version: 3337
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NeoChronos (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

I guess I'm done here. Um, hope this helps someone?
