Browser Hijacked


  • This topic is locked
9 replies to this topic

#1 RpWilliams

RpWilliams

  • Members
  • 12 posts

Posted 09 May 2010 - 11:20 AM

The issue came about last week when Anti-virus Soft was automatically installed onto my computer. I tried multiple things to get it removed and finally resorted to doing a system restore back to a normal state of my computer, and ran multiple malware removal programs to kill it. Finally getting results, I believed that my computer had returned to a normal state; sadly no. I've been constantly redirected to random websites through my web searches, and even randomly when I'm on the web just browsing a website I get booted from that site and sent to another adware/spyware site. Also, this issue only occurs in Firefox; no other software is being affected from what I can tell, other than that my Google Chrome can't connect to the internet since this issue has been occurring (I'm not sure if that is relevant or not). All suggestions are greatly appreciated. I hope we can kill this bug.
Also, I'm sorry for my multiple posts; they were caused by my Firefox acting up and telling me that the internet was offline when in reality it was just mass posting.
Note: my GMER scan is still running.


DDS (Ver_10-03-17.01) - NTFSx86
Run by TheBoss at 12:06:13.11 on Sun 05/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1359 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TheBoss\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://tudosearch.com/search.php?aff=10005&q=
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://google.com/
uDefault_Search_URL = hxxp://tudosearch.com/search.php?aff=10005&q=
mDefault_Page_URL = hxxp://google.com/
mDefault_Search_URL = hxxp://tudosearch.com/search.php?aff=10005&q=
mSearch Page = hxxp://tudosearch.com/search.php?aff=10005&q=
mStart Page = hxxp://google.com/
mSearchURL = hxxp://www.Google.com/
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: FreshDownload Bar: {ed0e8ca5-42fb-4b18-997b-769e0408e79d} - c:\progra~1\freshd~1\freshd~1\fdiebar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:

Attached file: Attach.txt (11.34KB)

Edited by Orange Blossom, 09 May 2010 - 03:58 PM.
Added in additional portions of log from another partial post. ~ OB
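The Pseudo HJT section of the DDS log above is what a malware-response helper reads first: the user-scope (u) and machine-scope (m) search keys point at tudosearch.com while the start page is still google.com, and several BHO/TB/EB entries are orphan CLSIDs marked "No File". The following Python script is an added example, not part of the original post and not code from the DDS tool; it parses a constructed subset of those log lines, undoes the hxxp:// defanging DDS applies so the URLs are not clickable, reports every search/start-page key whose host is outside an assumed allowlist (EXPECTED_SEARCH_HOSTS is an assumption, not something the page states), and lists orphan entries as cleanup candidates. One caveat a practitioner would keep in mind: these keys are Internet Explorer settings, so they do not by themselves explain redirects that appear only in Firefox; they are one indicator, not the whole diagnosis.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: a subset of the Pseudo HJT section posted in the
# thread, reproduced here as test data. DDS writes URLs as hxxp:// on purpose.
SAMPLE_LOG = """\
uSearch Page = hxxp://tudosearch.com/search.php?aff=10005&q=
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://tudosearch.com/search.php?aff=10005&q=
mSearchURL = hxxp://www.Google.com/
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg9\\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
"""

# Assumption: the search providers the machine owner actually expects.
# Any search/start-page key pointing elsewhere is reported for review.
EXPECTED_SEARCH_HOSTS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}

# DDS key names for IE search/start-page settings; leading u/m is the scope
# (HKCU "user" vs HKLM "machine").
URL_KEY_RE = re.compile(
    r"^([um])(Search Page|Start Page|Default_Page_URL|Default_Search_URL"
    r"|SearchURL|SearchAssistant)\s*=\s*(\S+)"
)
# BHO / toolbar / explorer-bar / URL-search-hook entries whose file is gone:
# leftover registry references, listed as cleanup candidates.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB|mURLSearchHooks):\s*(.*?)\s*-\s*No File$")


def refang(url: str) -> str:
    """Turn the defanged hxxp:// or hxxps:// prefix back into a parsable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_hjt(text: str) -> dict:
    """Return hijacked search keys and orphan entries found in a Pseudo HJT report."""
    findings = {"hijacked_search": [], "orphan_entries": []}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = URL_KEY_RE.match(line)
        if m:
            scope, key, url = m.groups()
            host = (urlsplit(refang(url)).hostname or "").lower()
            if host not in EXPECTED_SEARCH_HOSTS:
                findings["hijacked_search"].append({
                    "scope": "user" if scope == "u" else "machine",
                    "key": key,
                    "host": host,
                    "url": url,
                })
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphan_entries"].append({"kind": m.group(1), "ident": m.group(2)})
    return findings


def report(findings: dict) -> list:
    """Render findings as one line each, the way a helper would quote them back."""
    lines = []
    for f in findings["hijacked_search"]:
        lines.append(f"search key hijacked ({f['scope']}): {f['key']} -> {f['host']}")
    for f in findings["orphan_entries"]:
        lines.append(f"orphan {f['kind']} entry (No File): {f['ident']}")
    return lines


if __name__ == "__main__":
    for line in report(parse_hjt(SAMPLE_LOG)):
        print(line)
```

The script deliberately keeps the allowlist explicit rather than guessing what "normal" looks like: a machine whose default search engine really is something other than Google or Bing would need that set adjusted, otherwise every legitimate provider shows up as a finding.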



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 May 2010 - 08:16 AM

Hi,

Could you please run DDS again and this time attach dds.txt log as a file (like you did with attach.txt file)? Were you able to finish GMER scan?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 RpWilliams

RpWilliams
  • Topic Starter

  • Members
  • 12 posts

Posted 11 May 2010 - 09:34 AM

Well, I'm not at home at the moment, so I might be able to rerun the scan later. As for the DDS, whenever I try to post it on the forums it never posts the full scan. Hopefully I'll be able to post it. Do you know of any alternatives for web browsing in a safe way so that I may be able to post the full report? Thanks for the replies.


- Normally when I attach another file, the browser crashes.

Edited by RpWilliams, 11 May 2010 - 09:55 AM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 May 2010 - 09:45 AM

Hi,

As I said, try to attach the file instead of copy-pasting the contents. That will more likely work.



#5 RpWilliams

RpWilliams
  • Topic Starter

  • Members
  • 12 posts

Posted 11 May 2010 - 08:01 PM

Attached file: Attach.txt (11.48KB)
Attached file: DDS.txt (19.16KB)
Attached file: gmer.log (30.94KB)

Sorry for the delayed response. I've got all the logs. I hope this helps.

#6 RpWilliams

RpWilliams
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2010 - 08:48 AM

The computer seems to be getting worse. Massive delay in login time now. Should I just attempt to remove the suspicious files listed in the GMER scan and replace them with my other Windows XP files?

#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 12 May 2010 - 09:08 AM

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#8 RpWilliams

RpWilliams
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2010 - 02:53 PM

Well, ComboFix ran and my computer is running much better than before. The browser seems to be cleansed of this virus. Here is the log.

Attached file: log.txt (26.18KB)


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 13 May 2010 - 06:44 AM

Good. Please post fresh dds.txt contents too.



#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 May 2010 - 12:26 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

