
IE Browser Hijack - Being Redirected and Random IE Windows


3 replies to this topic

#1 KennewickMan96

  • Members
  • 2 posts

Posted 09 June 2010 - 12:08 AM

Yesterday I was called about a system that was exhibiting odd browser behavior. When I looked at the machine it was getting random windows popping up, and intermittently, Google searches would take me to a results page that, when any link was clicked, would go to random sites. Here are two of the links:

hxxp://collegehockeystats.com/search.php

hxxp://www.bullz-eye.com/?amp;n=ab698423&cb=1234567890

The Google search redirects are not happening all the time. The system will work as it should, and then randomly start redirecting again.

I ran a Malwarebytes scan initially, and during the scan, it touched a file in the temporary internet files that kicked in Symantec AV. SAV reported the file "9e7f5787.exe" as [Trojan.FakeAV]. The rest of the Malwarebytes scan completed with the following registry keys infected:

HKCU\Software\avsoft (Trojan.Fraudpack)
HKCU\Software\avsuite (Rogue.AntivirusSuite)
HKLM\Software\avsoft (Trojan.Fraudpack)
HKLM\Software\avsuite (Rogue.AntivirusSuite)

All those items were quarantined and deleted successfully.

During the Malwarebytes scan I noticed a large number of temporary internet files being scanned in the [NetworkService] profile. I found this to be very odd. In looking closer, I noticed that the date and time stamps on the directories and the index.dat file were changing every few minutes, as if the processes that were using that account were continuing to use it.

Subsequent scans were done with Spybot, Ad-Aware, Windows Defender, and AVG Free. All those scans reported no infections. Windows Defender, Ad-Aware, and AVG were then removed from the system.

I tried running a Symantec AV complete scan, and the program will begin the scan and about 1 second later it reports "Scan stopped by user".

Here is the requested information:

DDS (Ver_10-03-17.01) - NTFSx86
Run by staff at 20:13:45.21 on Tue 06/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2527 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\KS810\AScan.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\STAFF.SHANNON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\keysca~1.lnk - c:\program files\ks810\AScan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\W3DBSMGR.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {378A9604-2EBB-4A7E-8266-72F87CFB4197} - hxxps://www-atl.mytelevox.com/housecalls/cabs/ctlListView.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254439159203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254586512181
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CCDA56E6-AE8D-4A43-846F-EE464650864A} - hxxp://192.168.1.33/WebView.cab
TCP: {20CD10F7-90A1-4EA6-9D03-97AD6A8A5967} = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-6-8 18816]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-9-25 22016]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100608.004\NAVENG.sys [2010-6-8 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100608.004\NAVEX15.sys [2010-6-8 1347504]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3c.tmp --> c:\windows\system32\3C.tmp [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-9-25 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-9-25 17536]

=============== Created Last 30 ================

2010-06-09 03:09:22 0 ----a-w- c:\documents and settings\staff.shannon\defogger_reenable
2010-06-09 02:08:49 0 d-----w- c:\program files\AVG
2010-06-09 00:37:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-08 07:39:07 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 07:39:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-08 07:35:48 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-08 07:24:18 0 d-----w- c:\program files\Sophos
2010-05-19 21:42:12 37376 ----a-w- c:\windows\system32\hpz3l43a.dll

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 20:15:29.51 ===============


Thank you in advance,

Scott

Edited by Orange Blossom, 09 June 2010 - 05:49 PM.
Deactivate links. ~ OB
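As an added example (not part of the original post, and not DDS's own code), the following Python parses the SERVICES / DRIVERS section of a DDS log like the one posted and flags the rows a responder would want to look at first: a service whose binary DDS could not find, one backed by a .tmp file or a temp directory, one registered with a raw \??\ NT path, and one whose file date falls within a few days of the scan. The sample input is constructed from the date line and five rows of the posted log. Two things are assumptions inferred from the log format rather than documented DDS behaviour: that ' --> ' separates the raw ImagePath from the file DDS resolved it to, and that '[?]' marks a file DDS could not stat. The flag names and the 7-day window are this example's own choices.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for rows worth a second look.

Added example for this thread; not DDS's own code and not the poster's. Assumed DDS row
format (inferred from the posted log): <R|S><start> <name>;<display>;<path> [<y-m-d> <size>]
where ' --> ' separates the raw ImagePath from the file DDS resolved it to, and '[?]' means
DDS could not stat that file. The flag names and the 7-day window are this example's own.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample: the date line and five rows copied from the posted log.
SAMPLE_DDS = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by staff at 20:13:45.21 on Tue 06/08/2010

============= SERVICES / DRIVERS ===============

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-6-8 18816]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3c.tmp --> c:\windows\system32\3C.tmp [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-9-25 17536]

=============== Created Last 30 ================
"""

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);[^;]*;(?P<rest>.*)$")
META_RE = re.compile(r"\s\[(?:(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2}) (?P<size>\d+)|\?)\]$")
HEADER_RE = re.compile(r"^Run by .* on \w{3} (\d{2})/(\d{2})/(\d{4})$")  # US m/d/y, as in the log
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


@dataclass
class ServiceEntry:
    name: str
    running: bool               # R = running, S = stopped
    start_type: str             # decoded start value 0..4
    image_path: str             # raw ImagePath as DDS printed it (may carry arguments)
    file_path: str              # file DDS resolved it to (right of ' --> ' when present)
    file_date: Optional[date]   # None when DDS printed [?]
    file_size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Turn one DDS service/driver row into a ServiceEntry; None for any other line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rest, file_date, file_size = m.group("rest"), None, None
    meta = META_RE.search(rest)
    if meta:
        rest = rest[: meta.start()]
        if meta.group("y"):  # the '[?]' branch leaves both as None
            file_date = date(int(meta.group("y")), int(meta.group("m")), int(meta.group("d")))
            file_size = int(meta.group("size"))
    image_path, _, resolved = rest.partition(" --> ")
    return ServiceEntry(
        name=m.group("name"), running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        image_path=image_path, file_path=resolved or image_path,
        file_date=file_date, file_size=file_size,
    )


def flag_entry(e: ServiceEntry, scan_date: Optional[date], recent_days: int = 7) -> ServiceEntry:
    """Attach triage flags. Each one is a lead to check by hand, not a verdict."""
    path = e.file_path.lower()
    if e.file_date is None:
        e.flags.append("file_missing")    # service points at a binary DDS could not find
    if path.endswith(".tmp") or any(mark in path for mark in TEMP_MARKERS):
        e.flags.append("temp_location")   # services do not normally run from temp files
    if e.image_path.startswith("\\??\\"):
        e.flags.append("nt_device_path")  # raw NT path: routine for drivers, odd for a service
    if e.file_date and scan_date and abs((scan_date - e.file_date).days) <= recent_days:
        e.flags.append("recent_file")     # file dated within recent_days of the scan
    return e


def triage(dds_text: str, recent_days: int = 7) -> List[ServiceEntry]:
    """Read the scan date, then parse and flag every row of the SERVICES / DRIVERS section."""
    scan_date, entries, in_section = None, [], False
    for line in dds_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            mm, dd, yyyy = (int(x) for x in h.groups())
            scan_date = date(yyyy, mm, dd)
        elif line.startswith("="):          # a section banner starts or ends the section
            in_section = "SERVICES / DRIVERS" in line
        elif in_section:
            e = parse_entry(line)
            if e:
                entries.append(flag_entry(e, scan_date, recent_days))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS):
        state = "running" if e.running else "stopped"
        print(f"{e.name:26} {state:8} {e.start_type:7} {e.file_path}  flags={e.flags or '-'}")
```

To use it on a real log, read the whole DDS text from the file and pass it to triage(). On the sample it raises three leads: SAVRKBootTasks (file dated the day of the scan), Norton Internet Security (an auto-start service whose binary is gone, consistent with a product that was uninstalled but left its service registered), and MEMSWEEP2 (a stopped service backed by a .tmp file that DDS could not find). None of that is a finding on its own: the recent-file hit is exactly what a scanner installed during the cleanup looks like, and the log's Created Last 30 section shows Sophos arriving on 2010-06-08, so a scratch driver left behind by that install is a plausible origin for MEMSWEEP2. The script narrows the list to check by hand; it does not decide.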


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 June 2010 - 01:35 PM

Hello KennewickMan96,

I notice that you are a business. Our purpose is to help the home user so they don't have to pay the high cost of taking their computers to a shop for repair of this nature. We are all volunteers, not paid employees. We work on "thank you"s and donations only and are not paid to do the job which you are paid to do.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 KennewickMan96

  • Topic Starter
  • Members
  • 2 posts

Posted 15 June 2010 - 04:16 PM

Thank you so very much for all your assistance. It would have been nice to donate had you actually assisted. Problem solved with Combofix.exe.

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 June 2010 - 07:15 PM

Whatever the case, please don't think ComboFix cured everything. It isn't a cure-all.

tea