Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked browser search hits (much like other trojan reports here)


  • This topic is locked This topic is locked
2 replies to this topic

#1 jeffc_lenovot43

jeffc_lenovot43

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 20 April 2010 - 12:23 PM

I have been fighting either one or two trojans/rootkits for the past 11 days. One is a browser search hit/random tabs

opened issue. It appears to be a rootkit. The second is something that's executing on a PID for svchost.exe and that

initiates internet chatter that leaves droppings in the NetworkService profile's temporary internet, cookies and

browser history caches.

I had hoped that I could cure this/these on my own, and failed. I do not believe that I've made any uncorrectable

steps (e.g., I backed up registry keys before deleting, etc.)

The tools I've used in the attempt have been: aVast; Malwarebytes' Anti-Malware; SUPERAntiSpyware; Spyware S&D;

TDSSKiller; HijackThis; GMER/MBR.exe; Windows Defender; Ad-Aware; ATF-Cleander; HouseCall; HitManPro; and ComboFix.

As the GMER log indicated a suspicious modification to atapi.sys, I attempted to replace it by using the recovery

console and the expand command to get a copy from the service pack cab. I've downloaded, but not really used, OTL.

One of the symptoms of my infection has been the inability to run ComboFix (attempts ending in a BSOD with a message

about mbr.sys - sound familiar). Yesterday I noticed a post that suggested executing ComboFix from safe mode. I

attempted that and it succeeded (log attached).

Other odd symptoms include the creation of the FEATURE_BROWSER_EMULATION registry key and population of the key with

the key/value pair 'svchost.exe=0x00001f40'.

Whatever's tickling the internet has the ability to get to sites where various bad things are found and during this

time I've been infected three times with fake AV software that has used either ave.exe or, most recently, both

ave.exe and av.exe to install/run junk. I've used MBAM to get rid of those in combination with a registry file that

restores the keys that get hammered.

I have never run ComboFix (or any other tool) in a non-default fashion (simply executed the program/started a

scan/etc.)

I have three goals: 1) Get rid of the virus(es); 2) a device driver on the SCSI controller (must be on-board) seems

to have gone missing (the box reports "new hardware found" and cannot find a driver to repair the issue); and 3) the

aVast task bar client no longer starts on user log-on.

Can someone help? I'm close to my wit's end. Thanks in advance.

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 25 April 2010 - 06:47 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 PM

Posted 30 April 2010 - 06:51 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users