Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need to remove browser hijacker/redirector


  • This topic is locked This topic is locked
9 replies to this topic

#1 perthcomp

perthcomp

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 16 March 2011 - 10:40 AM

This one is being very stubborn... scans with superantispyware and malwarebytes havent helped. Microsoft Security Essentials either.... scans done in safe mode... hijackthis doesnt show anything that I can tell is the cause...

Any help is appreciated!!! I'm getting paid to fix this computer so Id usually just do a reformat by now as its often quicker than tracking down bugs like this. So if anyone wants to make a few dollars Im happy to pay/donate for some speedy assistance....

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by pat at 23:18:19.00 on Wed 03/16/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.21 [GMT 8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\pat\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [EPSON Stylus T20 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieap.exe /fu "c:\windows\temp\E_S89.tmp" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\pat\applic~1\mozilla\firefox\profiles\mnq1kx3d.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4d57c4b1&i=23&tp=ab&nt=1&q=
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2009-1-12 37040]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 135664]
.
=============== Created Last 30 ================
.
2011-03-16 09:45:15 -------- d-----w- c:\docume~1\pat\applic~1\Malwarebytes
2011-03-16 09:45:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-16 09:45:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-16 09:44:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-16 09:44:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-16 06:26:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-16 06:26:03 -------- d-----w- c:\program files\Freemake
2011-03-16 06:25:23 -------- d-----w- c:\program files\Astonsoft
2011-03-16 06:24:19 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8ef62b16-df36-46ab-b132-cf4afe9d59b6}\mpengine.dll
2011-03-16 06:18:48 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-17 03:46:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-17 03:46:32 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-16 06:25:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 10:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2060AT_PL rev.000000A0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x823045D9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8230a970]; MOV EAX, [0x8230a9ec]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8234E9C0]
3 CLASSPNP[0xF8595FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000071[0x82390910]
5 ACPI[0xF84EC620] -> nt!IofCallDriver[0x804E37D5] -> [0x82390D98]
\Driver\atapi[0x8238BE38] -> IRP_MJ_CREATE -> 0x823045D9
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2060AT_PL____________________000000A0#5&3254358e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8230441F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:19:00.67 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 17 March 2011 - 09:37 PM

Hello perthcomp and welcome to BleepingComputer. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Posted Image Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 perthcomp

perthcomp
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 18 March 2011 - 11:56 PM

Thanks RP.... Ive got the clients computers for a few days so hopefully can get it all fixed up for them.

TDSS Killer and Combofix logs attached... fingers crossed its got rid of everything!!

Thanks for your help, let me know how it looks.

Attached Files



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 19 March 2011 - 12:00 AM

perthcomp:

How is it running now? Please do this next:

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is the computer running now?
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 perthcomp

perthcomp
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 March 2011 - 12:36 AM

MBAM found (and removed) 3 copies of a PCUpdate107_2114....dunno if that was there before.... gonna do the ESET online scan now.

Thanks again.

#6 perthcomp

perthcomp
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 March 2011 - 02:26 AM

no redirecting yet... will do more testing... sometimes it would happen after a longer period of time... logs below... eset says 2 found, 0 removed but..?? is that normal?? should I manually track those files down and delete??

------------------------------------------------------------------------------
MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6103

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/19/2011 1:35:38 PM
mbam-log-2011-03-19 (13-35-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 164163
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\pat\my documents\downloads\pcupdate107_2114 (1).exe (Rogue.BestMalwareProtection) -> Quarantined and deleted successfully.
c:\documents and settings\pat\my documents\downloads\pcupdate107_2114 (2).exe (Rogue.BestMalwareProtection) -> Quarantined and deleted successfully.
c:\documents and settings\pat\my documents\downloads\pcupdate107_2114.exe (Rogue.BestMalwareProtection) -> Quarantined and deleted successfully.



-----------------------------------------------------------------

ESET LOG


C:\System Volume Information\_restore{0C24EBAF-24E4-4A01-A03A-B2A9CF1C3964}\RP354\A0021752.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{0C24EBAF-24E4-4A01-A03A-B2A9CF1C3964}\RP354\A0021755.DLL Win32/Toolbar.MyWebSearch application

#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 19 March 2011 - 11:26 AM

perthcomp:

Those ESET detections are in the System Restore Cache and will be cleared when we uninstall ComboFix. The logs look good, all I have left for you is some very important cleanup:

Posted Image Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Posted Image Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Posted Image Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please review this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#8 perthcomp

perthcomp
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 20 March 2011 - 02:39 AM

Thanks again!!

No redirecting happening now!!!

#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 20 March 2011 - 09:59 AM

You're welcome, perthcomp. Take care.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:01 AM

Posted 20 March 2011 - 10:01 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users