Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacker- serach engine redirect


  • Please log in to reply
No replies to this topic

#1 ssaver

ssaver

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 03 August 2010 - 11:48 AM

HI,
I have a user that shows symptoms of a browser hijacker.
XP Service pack 3 all updates done except they have issue with the authentication update. But that may or may not be related. The computer worked fine except that one update.

Last week they got a search engine hijacker (click on link and it redirects) Spybot was able to clean it. Today the symptoms returned but it now will not allow me to open task manger, any virus program or download site.
So it has a seperate popup window when I open IE8, redirect serach results from google, will not allow taskmanger, or other virus/malware programs to open is waht I ahve noticed.

Booted to safe mode
Ran Spybot found nothing
Ran combo fix
When I restarted everything was fine
Reinstalled AVG, decide to delay running MS defender popup until after AVG install.
When I went into defender the symptoms returned, I also can not do update on defender.

Here is the log

Thanks for any help


ComboFix 10-08-02.03 - Nicole LaMotte 08/03/2010 10:54:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.670 [GMT -4:00]
Running from: c:\documents and settings\Nicole LaMotte\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nicole LaMotte\g2mdlhlpx.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\certstore.dat
c:\windows\system32\Iasv32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 13:38 . 2010-08-03 13:38 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-08-02 19:58 . 2010-08-02 19:58 -------- d-----w- c:\documents and settings\Nicole LaMotte\Application Data\Apple Computer
2010-07-27 18:03 . 2010-07-27 18:03 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-21 13:10 . 2010-07-21 13:10 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 13:10 . 2010-07-21 13:10 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-21 13:10 . 2010-07-21 13:10 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 13:10 . 2010-07-21 13:10 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-11 23:01 . 2010-07-11 23:01 -------- d-----w- c:\program files\CCleaner
2010-07-08 12:02 . 2010-07-08 12:02 -------- d-----w- c:\program files\Microsoft.NET
2010-07-08 12:01 . 2010-07-08 12:01 -------- d-----w- c:\windows\system32\winrm
2010-07-08 12:01 . 2010-07-08 12:01 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-08 12:00 . 2010-07-08 12:01 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-08 11:47 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 14:10 . 2009-10-28 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-03 12:45 . 2008-12-11 21:00 -------- d-----w- c:\program files\LogMeIn
2010-08-03 08:13 . 2010-06-30 14:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-02 14:09 . 2006-08-03 19:54 -------- d-----w- c:\documents and settings\Nicole LaMotte\Application Data\AdobeUM
2010-07-28 18:45 . 2010-05-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-03 11:13 . 2010-07-30 05:19 170932 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2010-07-03 00:42 . 2007-06-04 14:30 -------- d-----w- c:\program files\Google
2010-07-02 23:45 . 2006-08-03 12:36 74840 -c--a-w- c:\documents and settings\Nicole LaMotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 23:40 . 2010-07-02 23:40 -------- d-----w- c:\program files\MSBuild
2010-07-02 23:40 . 2010-07-02 23:40 -------- d-----w- c:\program files\Reference Assemblies
2010-07-01 20:54 . 2010-07-01 20:54 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-14 14:31 . 2006-08-03 11:45 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-09 18:47 . 2008-12-11 21:01 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 18:47 . 2008-12-11 21:01 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 18:47 . 2008-12-11 21:01 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-28 19:23 . 2006-08-03 11:47 87263 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-05-28 15:40 . 2010-05-28 15:40 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-28 15:40 . 2010-05-28 15:40 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe
2010-05-28 13:09 . 2006-08-03 11:45 23348 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Auto Backup"="c:\program files\Auto Backup\ABackup.exe" [2007-11-13 1078240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-14 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Nicole LaMotte\Start Menu\Programs\Startup\
HSMuser.exe [2007-12-4 897536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
WorldCard Start-up.lnk - c:\program files\WorldCard\WIN32\PPCTRL.EXE [2006-8-3 356456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\Nicole LaMotte\My Documents\Drive e\My Documents\Eudora\EuShlExt.dll" [2001-04-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 18:47 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Install\\StartProg\\HSMuser.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Documents and Settings\\Nicole LaMotte\\Start Menu\\Programs\\Startup\\HSMuser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys --> c:\windows\system32\DRIVERS\w600bus.sys [?]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w600mdfl.sys --> c:\windows\system32\DRIVERS\w600mdfl.sys [?]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\w600mdm.sys --> c:\windows\system32\DRIVERS\w600mdm.sys [?]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w600mgmt.sys --> c:\windows\system32\DRIVERS\w600mgmt.sys [?]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w600obex.sys --> c:\windows\system32\DRIVERS\w600obex.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\autorun virus scan.job
- c:\install\Virus\autorun virus scan.bat [2006-08-03 21:40]

2010-08-01 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-14 12:00]

2010-07-31 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-14 12:00]

2010-08-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-08-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {D4EC5B65-20FC-44BF-AD51-20CBF6E1FFBA} = 64.105.199.74,64.105.159.250
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-avgrsstarter - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\NICOLE~1\LOCALS~1\Temp\RGID.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866D8EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7656f28
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf747b852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7371bb0
PacketIndicateHandler -> NDIS.sys @ 0xf737ea21
SendHandler -> NDIS.sys @ 0xf735c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\WININET.dll
c:\program files\Auto Backup\ABscr.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\wscntfy.exe
c:\documents and settings\Nicole LaMotte\Start Menu\Programs\Startup\HSMuser.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2010-08-03 11:18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 15:18

Pre-Run: 199,124,533,248 bytes free
Post-Run: 199,155,712,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - E6CDF56FE4B6A7EED1C39300C0A1C4CE


Thanks for any help you can give me

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users