Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

seek.ind.in - browser hijack - trouble removing!


  • This topic is locked This topic is locked
2 replies to this topic

#1 universe81

universe81

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 08 February 2012 - 10:09 PM

Hi there, I have somehow been infected by a browser hijacker which always redirects to seek.ind.in I'm usually very careful so now sure how this sneaky trojan slipped by. Haven't been able to remove it with any standard malware tools ie. malwarebytes, spybot, etc.

I ran Combofix after reading a few other posts in this forum, but no luck so far. Below is my log - any help would be greatly appreciated!

_______________________________________________________________________-

ComboFix 12-02-08.02 - JessicaHooper 02/08/2012 18:55:47.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.316 [GMT -8:00]
Running from: c:\documents and settings\JessicaHooper\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-05 03:17 . 2012-02-05 03:17 74240 ----a-w- c:\windows\system32\bdea.sys
2012-01-25 02:19 . 2012-02-09 02:32 -------- d-----w- c:\documents and settings\JessicaHooper\Application Data\Dropbox
2012-01-25 00:43 . 2012-01-25 00:43 -------- d-----w- c:\program files\iPod
2012-01-25 00:42 . 2012-01-25 00:43 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-06 01:47 . 2011-10-18 18:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-12-11 22:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-02 19:53 . 2011-03-27 17:37 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-12-11 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2010-10-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-29 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-29 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-29 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-17 421736]
.
c:\documents and settings\JessicaHooper\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\Dropbox.exe [2012-1-18 24246216]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 11:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-11 22:17 136176 ----atw- c:\documents and settings\JessicaHooper\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-10-08 22:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-08 02:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-12-04 00:46 14944136 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 21:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-11-22 16:29 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 20:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_McciTrayApp]
2010-10-05 21:16 1573888 ----a-w- c:\program files\TELUS\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2009-08-05 00:49 1068424 ----a-w- c:\program files\Trojan Remover\Trjscan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tsa.exe]
2010-12-16 01:20 4318520 ----a-w- c:\program files\TELUS\TELUS security advisor\Tsa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\JessicaHooper\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\TELUS\\TELUS security advisor\\ServicepointService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\JessicaHooper\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 bdea;bdea;c:\windows\system32\bdea.sys [2/4/2012 7:17 PM 74240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [9/17/2011 9:09 AM 689464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/16/2012 7:29 PM 136176]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 6:46 PM 20704]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/16/2012 7:29 PM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 4:49 AM 227232]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/5/2010 8:54 PM 18432]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:57]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-17 03:29]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-17 03:29]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1078145449-1417001333-1004Core.job
- c:\documents and settings\JessicaHooper\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-11 22:17]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1078145449-1417001333-1004UA.job
- c:\documents and settings\JessicaHooper\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-11 22:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.mytelus.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.254 75.153.176.9
FF - ProfilePath - c:\documents and settings\JessicaHooper\Application Data\Mozilla\Firefox\Profiles\6cqkyfkf.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-08 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\documents and settings\JessicaHooper\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-02-08 19:01:20
ComboFix-quarantined-files.txt 2012-02-09 03:01
.
Pre-Run: 3,482,873,856 bytes free
Post-Run: 3,474,313,216 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8E1949EE3E93C6B2B3E9399AB539D54C

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 11 February 2012 - 07:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 16 February 2012 - 09:18 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users