
Browser Hijack Juggle.com


  • This topic is locked
2 replies to this topic

#1 downturn66

  • Members
  • 2 posts

Posted 04 October 2010 - 07:20 PM

Hello!

I am having trouble with a browser hijack that I've seen discussed here. I already had Malwarebytes software on my machine so I ran that initially. It found several entries that it then removed. Upon reboot I got errors regarding this file:

\Temp\dwm.exe

After the reboot, I re-ran Malwarebytes and it found no new issues. However, the browser issue still persists. I'm attaching the Malwarebytes logs and the DDS files. However, I tried running the GMER scan twice, and the first time it caused my PC to crash and reboot. The 2nd time, it finished after about 2 hours, but slowed my PC down so much I wasn't able to save the log file at all. It also locked up the PC. So, I'm unsure how to proceed on that one.

Thank you ahead of time for any assistance. What you guys do here is great, and it's greatly appreciated!

cj

Malwarebytes log (before fix):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4741

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/4/2010 1:31:17 PM
mbam-log-2010-10-04 (13-31-17).txt

Scan type: Quick scan
Objects scanned: 189244
Time elapsed: 12 minute(s), 14 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\cjamison\Application Data\Microsoft\svchost.exe (Trojan.Downloader.Gen) -> Unloaded process successfully.
C:\Documents and Settings\cjamison\Local Settings\Temp\dwm.exe (Trojan.Downloader.Gen) -> Unloaded process successfully.
C:\Documents and Settings\cjamison\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\cjamison\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe C:\WINDOWS\system32\ntdevice.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\cjamison\Application Data\Microsoft\svchost.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\cjamison\Local Settings\Temp\dwm.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\cjamison\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Documents and Settings\cjamison\Local Settings\Temp\0.6406964868592978.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\cjamison\Local Settings\Temp\nxfsss.bak (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
_________________________________________

Malwarebytes log (clean scan):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4741

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/4/2010 2:01:44 PM
mbam-log-2010-10-04 (14-01-44).txt

Scan type: Quick scan
Objects scanned: 188178
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
______________________________________________

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by cjamison at 14:18:37.27 on Mon 10/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1313 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cjamison\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jamisonphoto.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080306
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uWindows: Load=c:\docume~1\cjamison\locals~1\temp\dwm.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NGTray] "c:\program files\symantec\ghost\ngtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SBAMTray] "c:\program files\sunbelt software\sbeagent\SBAMTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://file-01/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://file-01/officescan/console/ClientInstall/setup.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://file-01/officescan/console/html/AtxEnc.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://file-01/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216383370765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {A88B127D-D694-4EAA-92B9-EF20B32DDA5D} = 192.168.200.233,192.168.200.234
TCP: {F8CDBAEF-371E-44BC-8254-76891606D7E5} = 192.168.200.233 192.168.200.234
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-9-7 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-7-16 212568]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 ngclient;Symantec Ghost Client Agent;c:\program files\symantec\ghost\ngctw32.exe [2007-11-14 660872]
R2 OSILLC;OSI LLC Protocol Driver for Windows 2000;c:\windows\system32\drivers\osillc.sys [2010-1-13 16896]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2010-8-27 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-9-7 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\sbeagent\SBPIMSvc.exe [2010-8-27 181584]

=============== Created Last 30 ================

2010-10-04 17:16:33 0 d-----w- c:\docume~1\cjamison\applic~1\Malwarebytes
2010-10-04 17:15:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 17:15:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-04 17:15:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 17:15:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-27 11:17:10 3275 ----a-w- c:\windows\system32\wbem\Outlook_01cb5e35872e7ec0.mof
2010-09-20 11:22:24 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-20 11:22:17 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-09-20 11:21:45 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-09-08 02:05:25 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-09-07 11:30:53 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys

==================== Find3M ====================

2010-10-04 11:36:40 18944 ----a-w- c:\windows\system32\version.dll
2010-10-04 11:36:39 110080 ----a-w- c:\windows\system32\imm32.dll
2010-09-10 15:51:20 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-27 15:51:24 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 14:19:45.71 ===============

#2 downturn66

  • Topic Starter
  • Members
  • 2 posts

Posted 07 October 2010 - 09:25 AM

You guys can lock this topic. My problem has been resolved.

Thanks again!

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts

Posted 07 October 2010 - 04:21 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw