Browser Hijack on Windows 2003 Server



#1 WinnebagoBoater

Posted 25 April 2011 - 02:56 PM

I've got a Windows 2003 Server with Service Pack 2 and IE 7. It has become infected with something that is causing the browser to be redirected to some other website than what is displayed from a Google search, or even just typing in a URL in the address field will take me to another "garbage" site. I've run MalwareBytes and TDSSKiller on this server and both come up clean. Being that this is a Windows 2003 server, it seems that there are not as many tools available to clean up this type of infection. I have attached a HijackThis log. If anyone has any ideas, I'd like to hear them.

Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:54:07 PM, on 4/22/2011
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\Documents and Settings\pquser3\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BHPS\Sys187\bin\bhntsrvc.exe
C:\Program Files\SIS\DMS Communications Manager 9.9\CMHelperService.exe
C:\Program Files\SIS\DMS Communications Manager 9.9\CommManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\PROGRA~1\BHPS\emul\bin\portmap.exe
C:\Program Files\BHPS\Pmap1\bin\MapperMonService.exe
C:\Program Files\BHPS\JRE160\bin\javaw.exe
C:\program files\Qlink\tuner\Tuner.exe
C:\Program Files\BHPS\lic\bin\lmgrd.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\BHPS\lic\bin\lmgrd.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\BHPS\lic\bin\bhepcls.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\Program Files\SIS\DMS Communications Manager 9.9\support\tvnserver.exe
C:\PROGRA~1\BHPS\emul\bin\dbmang.exe
C:\Program Files\BHPS\MAPU\bin\DBMonService.exe
C:\Program Files\BHPS\TYPU\bin\DBMonService.exe
C:\Program Files\BHPS\MAPU\bin\tbmux32.exe
C:\Program Files\BHPS\MAPU\bin\QLinkService.exe
C:\Program Files\BHPS\TYPU\bin\tbmux32.exe
C:\Program Files\BHPS\TYPU\bin\QLinkService.exe
C:\Program Files\BHPS\MAPU\bin\tbkern32.exe
C:\Program Files\BHPS\TYPU\bin\tbkern32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\sda\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\SIS\DMS Communications Manager 9.9\support\tvnserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\interwise\participant\pull.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\program files\Qlink\tuner\lib\minituner.exe
C:\Documents and Settings\pquser3\Application Data\U3\0000162152701C2F\LaunchPad.exe
C:\MGtools.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\MGTools\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dealer.toyota.com/Login.aspx?TYPE=33554433&REALMOID=06-000845d0-03e7-1f0b-840f-80f79e010000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$3avwEkwuc/460YK4oHZM8/VmkXpfSzmNXW560V31kCCeIWXsHXeYYA==&TARGET=$SM$http://dealer.toyota.com/default.aspx (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [sda] "C:\Program Files\sda\bin\sprtcmd.exe" /P sda
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [tvncontrol] "C:\Program Files\SIS\DMS Communications Manager 9.9\support\tvnserver.exe" -controlservice -slave
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\interwise\participant\pull.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\pquser3\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.acuraclientpurchaseexperience.com
O15 - Trusted Zone: *.acurainfo.programhq.com
O15 - Trusted Zone: *.acuraspinplay.programhq.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.honda.vo.llnwd.net
O15 - Trusted Zone: *.hondaadcmd.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondainfo.programhq.com
O15 - Trusted Zone: *.hondamap.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.hondaprofessional.com
O15 - Trusted Zone: *.hondaspinplay.programhq.com
O15 - Trusted Zone: *.hondasso.com
O15 - Trusted Zone: *.jdpa.com
O15 - Trusted Zone: *.jdpower.com
O15 - Trusted Zone: *.pcsc.acurasrs.com
O15 - Trusted Zone: *.prospectingacurasrs.com
O15 - Trusted Zone: http://www.satorisauto.com
O15 - Trusted Zone: http://dealer.toyota.com
O15 - Trusted Zone: *.toyota.com
O15 - Trusted Zone: *.toyotaworkout.com
O15 - Trusted Zone: *.travelhq.com
O15 - Trusted Zone: *.uotdealereducation.com
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted IP range: *.164.109.25.72
O15 - Trusted IP range: *.207.130.86.35
O15 - Trusted IP range: 199.194.99.130
O15 - ESC Trusted Zone: http://www.ieaddons.com
O15 - ESC Trusted Zone: http://dealers.mazdausa.com
O15 - ESC Trusted Zone: http://dealer.toyota.com
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - http://199.194.99.130/apps/autoTools/sda/common/atSdaCfg.CAB
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://dsra1he.ds.adp.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://dsra1he.ds.adp.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://dsra1he.ds.adp.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://dsra1he.ds.adp.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/Rraaapps/RRAAsec/Codebase/RRAAINAX/RYXAINAX_LandscapePrintingActiveX.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file:///E:/autorun/PC-CONFIG-CHECK.CAB
O16 - DPF: {73A8D51E-578B-4E4E-8FF8-112E51DBFBE3} (ADPConn Class) - http://mazda.oeconnection.com/ActiveX/DMSISM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hondatraining.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/codebase/INLoaderWEB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA2A9DA-6EBB-4A67-A8BC-7FECD959874D}: NameServer = 199.194.99.180
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\pquser3\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\pquser3\WINDOWS\system32\browseui.dll (file missing)
O23 - Service: 187 Snap-on NT Service (187_BH_NT_Service) - Snap-on Business Solutions - C:\Program Files\BHPS\Sys187\bin\bhntsrvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files\Browny02\BrYNSvc.exe
O23 - Service: Bell & Howell Database Manager (dbmang) - ProQuest Business Solutions Inc. - C:\PROGRA~1\BHPS\emul\bin\dbmang.exe
O23 - Service: DMS Communications Manager - SIS - C:\Program Files\SIS\DMS Communications Manager 9.9\CommManager.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ONC/RPC Portmapper (portmapper) - ProQuest Business Solutions Inc. - C:\PROGRA~1\BHPS\emul\bin\portmap.exe
O23 - Service: pqeauto.database.dbmonitor.MAPU - Snap-on Business Solutions - C:\Program Files\BHPS\MAPU\bin\DBMonService.exe
O23 - Service: pqeauto.database.dbmonitor.TYNU - Snap-on Business Solutions - C:\Program Files\BHPS\TYPU\bin\DBMonService.exe
O23 - Service: pqeauto.energy.mappermonitor - ProQuest Business Solutions - C:\Program Files\BHPS\Pmap1\bin\MapperMonService.exe
O23 - Service: Qlink_EndPoint (QlinkEndPoint) - BMC Software, Inc. - C:\program files\Qlink\tuner\Tuner.exe
O23 - Service: QLinkService.MAPU - Snapon Business Solutions - C:\Program Files\BHPS\MAPU\bin\QLinkService.exe
O23 - Service: QLinkService.TYPU - Snapon Business Solutions - C:\Program Files\BHPS\TYPU\bin\QLinkService.exe
O23 - Service: Snap-on Product License Manager - Macrovision Corporation - C:\Program Files\BHPS\lic\\bin\lmgrd.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files\SIS\DMS Communications Manager 9.9\support\tvnserver.exe

--
End of file - 12317 bytes
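
The log above is the kind of artefact a responder triages by hand, and the items worth checking first are visible in it: a core Windows binary (smss.exe) running from a path under the user profile rather than from C:\WINDOWS\system32, an O10 line reporting a Winsock LSP provider under that same profile path, O22 entries pointing at a browseui.dll that is "(file missing)" in that profile path, and an O17 line setting a DNS server. The script below is an added example written for this page, not code from the original post or from Trend Micro; it parses an excerpt of the posted log (embedded as sample input, paths copied as they appear above) and flags those patterns. The list of "system binaries" and the set of legitimate system directories are assumptions chosen for illustration, and a hit is a lead to verify on the box, not a verdict.

```python
import re
from typing import Dict, List

# Core Windows binaries that, on Windows 2003, should only load from the real
# %SystemRoot% directories. (Assumption for this example: illustrative, not exhaustive.)
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "userinit.exe",
                   "mswsock.dll", "browseui.dll"}
LEGIT_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Excerpt of the HijackThis log from the post above, used as constructed sample input.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4

Running processes:
C:\Documents and Settings\pquser3\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe

O10 - Broken Internet access because of LSP provider 'c:\documents and settings\pquser3\windows\system32\mswsock.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA2A9DA-6EBB-4A67-A8BC-7FECD959874D}: NameServer = 199.194.99.180
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\pquser3\WINDOWS\system32\browseui.dll (file missing)
O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files\SIS\DMS Communications Manager 9.9\support\tvnserver.exe
"""

WIN_PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")


def is_masquerading_path(path: str) -> bool:
    """True when a core Windows binary name sits outside the real system directories.

    A look-alike tree under a user profile ends with the same two components
    (WINDOWS, System32) as the real one, so the whole directory is compared,
    never just a suffix.
    """
    directory, _, name = path.strip().lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory not in LEGIT_SYSTEM_DIRS


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return items that deserve a manual look."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first "Rn - " / "On - " entry ends the process list
        if in_processes:
            if is_masquerading_path(line):
                findings.append({"kind": "masquerading_path", "tag": "process", "detail": line})
            continue
        if not m:
            continue
        tag = m.group(1)
        if tag == "O10":
            # Any O10 line means the Winsock LSP chain is broken; networking and
            # browser behaviour cannot be trusted until it is repaired.
            findings.append({"kind": "broken_lsp", "tag": tag, "detail": line})
        if tag == "O17":
            # Registry-configured DNS server: compare with the resolver the site
            # expects, since a foreign resolver alone explains "wrong site" symptoms.
            findings.append({"kind": "nameserver", "tag": tag,
                             "detail": line.rsplit("=", 1)[1].strip()})
        if "(file missing)" in line:
            findings.append({"kind": "missing_file", "tag": tag, "detail": line})
        for path in WIN_PATH_RE.findall(line):
            if is_masquerading_path(path):
                findings.append({"kind": "masquerading_path", "tag": tag, "detail": path})
    return findings


def nameservers(log_text: str) -> List[str]:
    """Convenience view: every DNS server the log shows configured in the registry."""
    return [f["detail"] for f in analyze(log_text) if f["kind"] == "nameserver"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['kind']:>17}] {f['tag']:>8}: {f['detail']}")
```

Run against the full log, the same checks would also cover the O4 and O23 lines, which here all point at vendor software under Program Files and produce no hit; the one service a responder would still confirm is intentional is the TightVNC server, since it is a remote-control path into the box regardless of the hijack.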
