
Firefox Searches Hijacked following cured? Security Essentials Infection

  • This topic is locked
8 replies to this topic

#1 Irishpanther


  • Members
  • 4 posts
  • Local time:11:58 AM

Posted 20 February 2010 - 10:32 PM

I recently was a victim of an attack of the Security Essentials 2010 malware. I managed to clear the most evident problems of that following the guide/tutorial on this site. That infection began Wednesday evening 3 days ago, and I was cleaned up by last night. Later last night I noticed that my Google searches would usually redirect. Occasionally they will work when I click a search result, but it seems that well over half the time I end up redirected, and the sites I'm sent to show no pattern I've been able to discern yet.

Earlier I was troubleshooting this and did come across a vonabuka.dll line in a HJT log and removed it. I've since restarted several times, and these logs are from the system in its current state and how it will remain until we can work this problem.

I've followed the prep guide for posting here and so included here are the DDS and GMER logs.

Thanks in advance for your help and especially your time.

EDIT: I should add, whatever it is that's left, or that was infected during the Security Essentials ordeal and is now resisting removal, is not detected by Symantec, Spybot, AdAware, or Malwarebytes. And when I ran the GMER scan, it did pop up that it found something. I have never used this before though, so I don't know if that's usual or not. End edit.


DDS (Ver_09-12-01.01) - NTFSx86
Run by IrishPanther at 21:10:44.76 on Sat 02/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.828 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\gbpvr\GBPVRRecordingService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\gbpvr\PVRX2.exe
C:\Program Files\gbpvr\PVRX2.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\program files\rhthcdnmkukwkf\pzpbpklv.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\program files\rhthcdnmkukwkf\pzpbpklv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Brownie\Brnipmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
T:\spyware fixes\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\irishpanther\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Google Update] "c:\documents and settings\irishpanther\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [shicoxp] c:\windows\shicoxp.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\irishpanther\startm~1\programs\startup\carneg~1.lnk - c:\program files\permissiontv\bin\dmtray.exe
StartupFolder: c:\docume~1\irishpanther\startm~1\programs\startup\gb-pvr~1.lnk - c:\program files\gbpvr\GBPVRTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: aol.com\free
Trusted Zone: plaxo.com\www
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\irishpanther\applic~1\mozilla\firefox\profiles\ndrdks20.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/|http://mail.google.com/mail/?auth=DQAAAG0AAAA-osUIfZlqew1fDqAc75MB03c_3IX0QPDzjBdT7iMn_1mCbQEl8I5QTJpc1-Eau7hE62BhLIR5urZLNHcl6FzS1ntJLLjq23VA2VDPZFMb-JyhGHye3dOioVUkrE-jC-X4WCH7Z5NAXRec9jkuNnzF&zx=1q2ypvif1bbqy|http://www.ndnation.com/index.php|http://www.geocaching.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2008-09-04 13:11:06 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 21:12:39.04 ===============


Edited by Irishpanther, 21 February 2010 - 07:36 AM.
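As an added example (not part of the original post, and not a DDS or Malware Response Team tool), a small Python triage pass over DDS-style log lines like the ones above: it splits the "====" sections, flags path components that look auto-generated (long, all letters, almost no vowels), autorun entries whose target sits directly in the Windows directory, and hosts-file entries. The embedded sample log is constructed from a few of the lines posted above; the vowel-ratio threshold and the rule names are assumptions of this example.

```python
import re

# Constructed sample, modelled on a few lines of the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\rhthcdnmkukwkf\pzpbpklv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\rhthcdnmkukwkf\pzpbpklv.exe

============== Pseudo HJT Report ===============

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [shicoxp] c:\windows\shicoxp.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
Hosts: www.spywareinfo.com

================= FIREFOX ===================
"""

HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")
# A drive-letter path ending in an executable/library extension.
PATH = re.compile(r"[a-z]:\\[^\"]+?\.(?:exe|dll|scr)", re.IGNORECASE)


def split_sections(text):
    """Group non-empty log lines under the '==== Name ====' header they follow."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def looks_random(name):
    """Heuristic (assumed threshold) for generated names: long, letters only, <20% vowels."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 7 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.2


def triage(text):
    """Return deduplicated (rule, evidence) pairs that deserve a human look."""
    secs = split_sections(text)
    findings = []
    lines = secs.get("Running Processes", []) + secs.get("Pseudo HJT Report", [])
    for line in lines:
        for path in PATH.findall(line):
            parts = path.lower().split("\\")
            if any(looks_random(p) for p in parts[1:]):
                findings.append(("random-looking path component", path))
            # Autorun whose target lives directly in the Windows directory root.
            if line.startswith(("mRun:", "uRun:", "dRun:")) and parts[1:-1] == ["windows"]:
                findings.append(("autorun directly in %windir%", path))
        # Hosts-file entries for security sites are a classic protection-blocking trick.
        if line.startswith("Hosts:"):
            findings.append(("hosts file entry", line.split(":", 1)[1].strip()))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```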


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:58 PM

Posted 22 February 2010 - 04:16 PM


My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please give me a brief description of your problems.

Unfortunately your logs show you have a rootkit infection, so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.



#3 Irishpanther

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:58 AM

Posted 22 February 2010 - 10:32 PM

Thanks for your response and the info, especially regarding the severity of the problem. I've tried to educate myself more about rootkit infections and am leaning pretty far towards reformat and reinstall, especially since I could upgrade to Windows 7 through my university. I am glad that my computer has been shut down or I've had it unplugged from the net for all but about 12 hours since the infection, though I realize that even seconds are enough.

Since I am so unfamiliar with rootkits, I wonder if you could offer some information or advice. The majority of my files are on three other physical drives and a couple of partitions on the physical drive other than C. I also dual-boot Ubuntu. If I wanted to back up my documents folder from Windows, should I do that from the other OS, or is Windows OK to use for that? Second, I'm guessing a 100% answer isn't possible, but if I reformat the C drive and reinstall Windows, will that pretty much do it? Or is it common to also see the rootkit infect the other partitions? Does it even work that way? Seems it needs to be on the boot drive, and then also it messes mostly with the registry, which would be wiped if C is reformatted.

I appreciate any info you can give me on these issues. I'll keep trying to read up, but as I said before I'm leaning towards just wiping this and starting over, but want to make sure I don't end up here again since this is new to me.

#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:58 PM

Posted 23 February 2010 - 02:05 PM

If you format the drive then the rootkit will be removed, and if you can upgrade to Windows 7 then why not. The thing to consider when deciding whether to format is what you use it for; if you do any kind of financial transactions on it then I would be more inclined to format. You will be OK to back up from Windows, just make sure you know what you are backing up. Let me know what you want to do.


#5 Irishpanther

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:58 AM

Posted 24 February 2010 - 10:36 PM

Thanks for the response. I think I have decided to reformat and reinstall. I will probably not start until this weekend or Friday evening. I am fortunate in that I have other options, so while this is a major inconvenience, I am not rushed. I'm planning on going in and checking what there is on the C partition of that first drive that isn't part of my backup schedule. I haven't gone through a Windows install lately, but am assuming I'll go through a step at some point where it asks me whether I want to upgrade or install new, and then where I want to install it and give me an option to do a full format (or whatever they call the one that's not the quick format). Assuming this goes to plan I'll be fine. I'll post again when I'm completely back up and running so we can close this topic, but I'd prefer to not do that until I've at least gotten to the point of reformatting the drive, which should be when the rootkit has been effectively wiped. Thanks again. Please let me know if there's anything else I should be considering as I do this.

#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:58 PM

Posted 25 February 2010 - 04:00 PM

OK, I will leave the topic open in case you have any problems.


#7 Irishpanther

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:58 AM

Posted 27 February 2010 - 10:09 AM

I just wanted to leave an update, so that this doesn't appear abandoned. I backed up a few things that were part of my regular backups last night. I've been working on trying to install Windows 7. So far no luck. The DVD doesn't boot and doesn't show as even being there in any OS on that system in either of my drives. It does work on my laptop, the only other place I've been able to try. I have tried hunting down if the issue is something with dual-layer discs, but all my drives support that, and as best I can tell, the install disc is not dual layer, though I've had trouble getting definitive info on that. Other DVDs and CDs work, even the bootable Ubuntu install disc. So I'm working on it still.

Is there any way this could be related to the infection? Doesn't make sense to me, but since the disc reads in other computers, and the drives work with other discs in the infected system, I'm running out of obvious reasons. I may try and clean the system with the tool you suggested above and go from there... thus far I haven't done that since I was going to reformat the drive anyway.

I hope it's OK I'm updating without any progress... I don't mean to needlessly bump this topic, I just want to let you or any other mods know I'm still working on it.

#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:58 PM

Posted 27 February 2010 - 03:59 PM

It's fine to keep me updated. I really don't have any idea why the CD won't work though; the malware can't affect anything running outside Windows, so that shouldn't be any issue. You might be better posting in the Windows 7 forum to see if anyone has any ideas.


#9 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:58 PM

Posted 04 March 2010 - 04:42 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

