Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijack on WinXPsp3, "Internet Security 2010"


  • This topic is locked This topic is locked
3 replies to this topic

#1 jgaffke

jgaffke

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 19 January 2010 - 03:21 PM

Was hovering (not clicking) with mouse over a weblink embedded in an email message while in Thunderbird when I saw an "Internet Security 2010" window pop up and "scan" my hard drive for malware, disable the task manager, and basically take over the machine. (Perhaps the timing was just a coincidence? Can mouse hovering in thunderbird really bring on this much trouble? Why?)

I first tried Malwarebytes, that managed to shut down most of the pop up windows, but still have a nasty Browser Hijack. Logfile attached far below. Later tried Ad-Aware, it found nothing. Did a Accessories/SystemTools/SystemRestore to a checkpoint created the day before the event, did not help.

I mostly use Firefox, though have since found out that ie was running for Active Desktop. Removed all of c:\Documents*\*\App*\Mozilla and c:\Documents*\*\App\Microsoft\Internet* Removed and reinstalled firefox. No change. Nothing in Windows/system32/drivers/etc/hosts looks amiss. Internet Explorer is also hijacked.

If I get the browser hijack shut down, is this machine to be trusted?

Thanks!
Jerry
#################



DDS (Ver_09-12-01.01) - NTFSx86
Run by jerryg at 10:31:57.34 on Tue 01/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1411 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\tsnp2uvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\jerryg\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [tsnp2uvc] c:\windows\tsnp2uvc.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\jerryg\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250543123671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Hosts: 198.107.47.250 swift

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerryg\applic~1\mozilla\firefox\profiles\q9knr3d1.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-17 103744]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-12 108160]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-8-12 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-12 110080]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-8-12 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-8-12 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-8-12 277504]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-20 133104]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [2009-8-17 54272]
S3 Pdv;EDT Pdv;c:\windows\system32\drivers\pdv2k.sys [2009-12-8 82104]
S3 XilinxFirmwareLpLoader;XilinxFirmwareLpLoader;c:\windows\system32\drivers\xusb_xlp.sys [2009-8-18 17280]

=============== Created Last 30 ================

2010-01-19 01:40:40 0 d-----w- c:\program files\Trend Micro
2010-01-18 23:07:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-18 19:02:35 0 d-----w- c:\docume~1\jerryg\applic~1\Mozilla(2)
2010-01-18 19:02:26 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-01-17 20:56:28 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-17 20:56:19 0 d-----w- c:\program files\Lavasoft
2010-01-16 04:43:42 2572 ----a-w- C:\Desktop_good.htt
2010-01-16 04:43:29 5163 ----a-w- C:\Desktop_bad.htt
2010-01-16 00:55:38 0 d-----w- c:\docume~1\jerryg\applic~1\Malwarebytes
2010-01-16 00:55:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 00:55:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 23:48:16 1 ----a-w- C:\s
2010-01-08 20:02:19 16384 ----a-w- C:\.todo8.swp
2010-01-07 20:17:08 62763 ----a-w- C:\FullMedUart.pdf
2010-01-07 20:14:25 347853 ----a-w- C:\FullMedUart.ps
2010-01-07 15:58:57 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-07 15:58:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-22 17:29:20 950 ----a-w- C:\unconstrained.py

==================== Find3M ====================

2009-12-02 23:32:34 225280 ----a-w- c:\windows\system32\clseredt.dll
2009-12-02 23:31:48 82104 ----a-w- c:\windows\system32\drivers\pdv2k.sys
2009-11-18 18:24:33 4195213 ----a-w- C:\roger.zip
2009-11-17 19:42:57 3224834 ----a-w- C:\roger_rev07_base.zip
2009-11-06 00:46:35 154938 ----a-w- C:\edtmech.zip

============= FINISH: 10:32:13.43 ===============



######################################

Here's the initial malwarebytes log, all items were acted upon.



Malwarebytes' Anti-Malware 1.44
Database version: 3573
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/15/2010 7:50:47 PM
mbam-log-2010-01-15 (19-50-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 484335
Time elapsed: 1 hour(s), 49 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 11
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> No action taken.

Files Infected:
C:\Documents and Settings\jerryg\Local Settings\Temporary Internet Files\Content.IE5\8LM3G16J\SetupIS2010[1].exe (Rogue.Installer) -> No action taken.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\jerryg\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> No action taken.
C:\Documents and Settings\jerryg\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> No action taken.
C:\USR5637-2kXpVista32-bit.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00003fba.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> No action taken.


####################
END

Attached Files


Edited by jgaffke, 19 January 2010 - 06:46 PM.


BC AdBot (Login to Remove)

 


#2 jgaffke

jgaffke
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 20 January 2010 - 10:00 PM

I've mostly recovered from backups, doubt I will be going back to the infected disk. So no real need for action on this.

But I'm still curious, where is the browser hijack hiding? How best to avoid infections like this? Had McAfee on, was operating behind a fire wall. Infection seems to have happened immediately after hovering my mouse on a web link from within thunderbird, though that may just be a coincidence. Could it have come in through Internet Explorer via Active Desktop?

Seems I can no longer edit the original post, or I would have put this at the top.

I appreciate all the time you folks must be putting into this effort, lots of new logs since I posted.
Thanks!
Jerry

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:36 PM

Posted 25 January 2010 - 09:53 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:36 PM

Posted 03 February 2010 - 10:20 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users