Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser re-direct and hijack help needed


  • This topic is locked This topic is locked
2 replies to this topic

#1 CoachOty

CoachOty

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 11 December 2009 - 10:53 AM

Our computer at work in the warehouse is infected with a re-direct or browser hijack. I have run malwarebytes and removed all known viruses. Un-installed Adware for it seemed corrupt as well. I finally got the hosts file diverted back to its default. However when you do a search in Google or any other engine it will show the results, but when clicking on them of course it takes you elsewere. I ran VundoFix and came up with nothing as well. TrendMicro is showing nothing also. Here is the Hijackthis log file, maybe someone can come up with some information so I may get this computer functioning. My concern is it will spread through out our network and create further problems. We are a small business in a small town, with very little resources.


Windows Vista Home Premium
Outlook and Firefox for browsers

Following tools used to try and dis-infect this computer:
Malwarebytes
ComboFix
HiJackThis
SpyHunter3
TrojanHunter
Ad-Aware
FixVundo
ATF-Cleaner

I have flound ZLOB.Trojan, plus Virtumonde, and Vondu (same thing I suppose) on this computer. The Hosts file was hijacked and I got it back to normal but still there is re-directing going on. I have downloaded the above programs and renamed them prior to opening them to detour them too from being jacked. Each scan I run says all is fine, however evertime I reboot more and more problems occur. I need to resolve this for my boss is losing faith in my ability, (never had this much trouble before)

Let me know what info you need and I will get on it quickly, your help is appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:22 AM, on 12/11/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Safe mode with network support

Running processes:
C:WindowsExplorer.EXE
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesTrend MicroTrendSecureTSCFPlatformCOMSvr.exe
C:Program FilesTrend MicroTrendSecureTISProToolbarPlatformDependentProToolbarComm.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Internet Explorer provided by Dell
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:Program FilesTrend MicroTrendSecureTISProToolbarTSToolbar.dll (file missing)
O4 - HKCU..RunOnce: [Application Restart #0] C:Program FilesWindows Media Playerwmpnscfg.exe
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:Program FilesJavajre1.6.0binnpjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:Program FilesJavajre1.6.0binnpjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O17 - HKLMSystemCCSServicesTcpip..{7156E256-0CA1-414D-88B5-AF2771BA0C22}: NameServer = 205.152.37.23,205.152.132.23
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:Program FilesTrend MicroTrendSecureTISProToolbarTSToolbar.dll (file missing)
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:Windowssystem32AERTSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:Windowssystem32Ati2evxx.exe
O23 - Service: dlbf_device - - C:Windowssystem32dlbfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:Program FilesTrend MicroInternet SecuritySfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:Program FilesTrend MicroBMTMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:Program FilesTrend MicroInternet SecurityTmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:Program FilesTrend MicroInternet SecurityTmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe

--
End of file - 4397 bytes

I uninstalled and renamed the malwarebytes dl and run the program again and these are the results:

Malwarebytes' Anti-Malware 1.42
Database version: 3345
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18865

12/11/2009 12:19:17 PM
mbam-log-2009-12-11 (12-19-10).txt

Scan type: Full Scan (C:|D:|E:|)
Objects scanned: 255831
Time elapsed: 47 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorerCLSID{459b6bf8-5320-4c41-8833-85baedf31086} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSaveDefense.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAlphaAV (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAlphaAV.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAntispywarXP2009.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAnti-Virus Professional.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAntivirusPro_2010.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsgbn976rl.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionspersonalguard (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionspersonalguard.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsQuickHealCleaner.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSafetyKeeper.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSaveArmor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSecure Veteran.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssecureveteran.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSecurityFighter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSecuritysoldier.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsSoftSafeness.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsTrustWarrior.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsWindows Police Pro.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsxp_antispyware.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsinit32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsozn695m5.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionspctsAuxs.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionspctsGui.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionspctsSvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionspctsTray.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionspdfndr.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsrwg (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsrwg.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssmart.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsUninstall.exedebugger (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionstaskmgr.exedebugger (Security.Hijack) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:UsersBetty WinninghamAppDataRoamingWindows PC Defender (Rogue.WindowsPCDefender) -> No action taken.

Files Infected:
C:UsersBetty WinninghamAppDataRoamingWindows PC DefenderInstructions.ini (Rogue.WindowsPCDefender) -> No action taken.

Edited by garmanma, 16 December 2009 - 08:29 PM.


BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:01:34 AM

Posted 23 December 2009 - 09:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 29 December 2009 - 12:04 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users