Infected with browser hijacker/redirector (Hijackthis log)


  • This topic is locked
2 replies to this topic

#1 robjarno

  • Members
  • 1 posts

Posted 18 May 2010 - 01:01 PM

EDIT: Moved to Virus, Trojan and Malware Removal Logs ~~boopme

When using Mozilla Firefox it redirects all my search results when clicking on them. Usually my browser will skip to a different search engine. I thought I had a rootkit virus but after a few scans it didn't detect it anymore. Here's the log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:49:47 AM, on 5/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre1.6.0_15\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\CatPC\mosaic\MBEService\MBESrvS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siemens\RLAClient\RlaService.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\TEMP\mosaicLogonInfo_run.exe
C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
C:\WINDOWS\TEMP\TI38EC.EXE
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\CatPC\mosaic\MBEService\MBESrvS.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\DOCUME~1\ctna2056\LOCALS~1\Temp\mosaicprofilemanager_run_ctna2056.exe
C:\DOCUME~1\ctna2056\LOCALS~1\Temp\mosaicHDSizeCheck_run.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.de/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://intranet/en/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer - powered by mosaic.®
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cinterion.internal;<local>
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.6.0_15\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre1.6.0_15\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [USM] C:\Program Files\Siemens\USM\USM.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [mosaic Basic Environment Service] C:\WINDOWS\CatPC\mosaic\MBEService\MBESrvS.exe -usermode
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKCU\..\Run: [CatUserRun] "C:\Program Files\CatPC\bin\exec32.exe" /wh /c "C:\Program Files\CatPC\bin\chgreg5.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\456\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ctna2056\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2722838507-780940124-2024854793-1271\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'at1sia03')
O4 - HKUS\S-1-5-21-2722838507-780940124-2024854793-1364\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'ctna0040')
O4 - HKUS\S-1-5-21-2722838507-780940124-2024854793-6802\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'ctna1995')
O4 - HKUS\S-1-5-21-3838604106-3843094658-1304332703-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-2722838507-780940124-2024854793-1364 Startup: RestartCheckAfterIns.bat (User 'ctna0040')
O4 - S-1-5-21-2722838507-780940124-2024854793-1364 User Startup: RestartCheckAfterIns.bat (User 'ctna0040')
O4 - Global Startup: PGPtray.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cdmatech.com
O15 - Trusted Zone: *.bb.com.br
O15 - Trusted Zone: *.bradesco.com.br
O15 - Trusted Zone: *.bradescoprime.com.br
O15 - Trusted Zone: *.investshop.com.br
O15 - Trusted Zone: *.itau.com.br
O15 - Trusted Zone: *.jfgranja.com.br
O15 - Trusted Zone: *.serasa.com.br
O15 - Trusted Zone: *.unibanco.com.br
O15 - Trusted Zone: *.eng.mobilephone.net
O15 - Trusted Zone: *.fgv.br
O15 - Trusted Zone: *.finavigate.com
O15 - Trusted Zone: *.gov.br
O15 - Trusted Zone: *.industrial-it-center.net
O15 - Trusted Zone: *.leo.org
O15 - Trusted Zone: *.lufthansa.com
O15 - Trusted Zone: *.lufthansa.de
O15 - Trusted Zone: *.tdg.mobilephone.net
O15 - Trusted Zone: *.unicamp.br
O15 - Trusted Zone: *.sap-ag.de (HKLM)
O15 - Trusted Zone: *.sap.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cinterion.internal
O17 - HKLM\Software\..\Telephony: DomainName = cinterion.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cinterion.internal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cinterion.internal
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: PGPmapih.dll
O20 - Winlogon Notify: NotLog - SGLogEx.dll (file missing)
O20 - Winlogon Notify: SGLogNotification - SGLogNotification.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre1.6.0_15\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mosaic Basic Environment Service (MBEService) - Siemens AG - SIS GO CS BAS C DT - C:\WINDOWS\CatPC\mosaic\MBEService\MBESrvS.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: RlaService - Siemens and Partners - C:\Program Files\Siemens\RLAClient\RlaService.exe
O23 - Service: SafeGuard® Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\TmProxy.exe
O23 - Service: SafeGuard® Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 12411 bytes

Edited by boopme, 18 May 2010 - 02:20 PM.



#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 May 2010 - 04:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
- The DDS logs
  - DDS.txt and Attach logs
- GMER log
- Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 May 2010 - 01:40 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



