
Redirects, Strange Browser Behaviour


  • This topic is locked
2 replies to this topic

#1 JohnC-

  • Members
  • 1 posts

Posted 22 March 2012 - 08:39 AM

Hello all, first time posting here, sorry if I haven't followed the correct protocol.

I have an XP Pro machine which is exhibiting signs of a browser hijack. Also, there are missing sections on certain websites, i.e. Facebook's header and footer are displayed with no content in between; also, when changing the settings of Google's search form, inputs are missing. I have attached screenshots.

I have used TDSSKiller and it found the following virus: Virus.Win32.Rloader.a in the location C:\WINDOWS\system32\DRIVERS\ACPI.sys

A subsequent scan found nothing, yet the symptoms prevail.

Here are the logs as requested.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by USER at 12:38:23 on 2012-03-22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1433 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Iomega\REV System Software\ImIconXp.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\USER\My Documents\Downloads\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {B37D8AB5-3A6C-4219-BC46-93B26EF0E53D} - hxxp://211.174.251.155/XViewer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{65E05048-71C9-412E-8F3A-840EDA1102FE} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2007-1-5 30968]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 pgsql-8.3;BridgeIT pgSQL Service;c:\pgsql\bin\pg_ctl.exe runservice -w -n "pgsql-8.3" -d "c:\pgsql\data\" --> c:\pgsql\bin\pg_ctl.exe runservice -w -N pgsql-8.3 [?]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2008-10-30 1519168]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2012-03-22 12:30:58 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2372e743-117f-4c2e-ba3b-a83aa90145d3}\mpengine.dll
2012-03-22 12:16:47 -------- d-----w- c:\program files\ESET
2012-03-22 11:53:49 -------- d-----w- c:\program files\ophcrack
2012-03-22 11:28:10 -------- d-----w- c:\program files\AVAST Software
2012-03-22 11:28:10 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-03-22 10:38:01 98816 ----a-w- c:\windows\sed.exe
2012-03-22 10:38:01 518144 ----a-w- c:\windows\SWREG.exe
2012-03-22 10:38:01 256000 ----a-w- c:\windows\PEV.exe
2012-03-22 10:38:01 208896 ----a-w- c:\windows\MBR.exe
2012-03-22 10:37:55 -------- d-----w- C:\2ComboFix
2012-03-22 09:42:12 14664 ----a-w- c:\windows\stinger.sys
2012-03-22 09:41:25 -------- d-----w- c:\program files\stinger
2012-03-20 15:53:08 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 15:53:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-20 13:05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-20 13:05:31 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-16 14:55:06 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-16 14:55:03 -------- d-----w- c:\program files\Trend Micro
2012-03-15 14:42:16 -------- d-----w- c:\documents and settings\user\application data\Windows Search
2012-03-15 14:26:33 -------- d-sha-r- C:\cmdcons
2012-03-15 13:56:22 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-03-15 13:35:53 69234 ----a-w- C:\regbakup.reg
2012-03-15 12:40:56 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-15 12:38:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-15 12:29:34 -------- d-----w- c:\program files\VS Revo Group
2012-03-13 17:12:10 -------- d-----w- c:\documents and settings\user\local settings\application data\ApplicationHistory
2012-03-09 10:27:43 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-03-09 10:27:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-09 10:22:46 -------- d-----w- c:\windows\system32\winrm
2012-03-09 10:22:37 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-03-09 10:22:24 -------- d-----w- c:\documents and settings\user\local settings\application data\Identities
2012-03-09 10:22:19 -------- d-----w- c:\documents and settings\user\application data\Windows Desktop Search
2012-03-09 10:21:13 -------- d-----w- c:\program files\Windows Desktop Search
2012-03-09 10:21:12 -------- d-----w- c:\windows\system32\GroupPolicy
2012-03-09 10:18:16 -------- d-----w- c:\windows\system32\URTTEMP
.
==================== Find3M ====================
.
2012-03-22 10:20:08 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 12:39:21.35 ===============


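The DDS log in the post above contains three things a responder would pull out before anything else: a DPF (ActiveX install) entry whose download host is a bare IP address rather than a vendor domain, two running remote-access services (UltraVNC and TeamViewer), and a Find3M entry showing acpi.sys, the very driver TDSSKiller flagged, modified on the day the log was taken. The script below is an added example, not code from the thread or from the DDS tool; it walks a DDS-style log and returns those entries. The sample input is a subset of the lines from the posted log; the 30-day window, the list of remote-access binaries and the finding labels are assumptions made for this example.

```python
"""Triage of a DDS-style log (added example, not code from the thread).

Walks the "Pseudo HJT Report", "SERVICES / DRIVERS" and "Find3M" sections of a
DDS log and returns the entries a responder would check first.  The sample
lines below are copied from the log in post #1; the day window, the list of
remote-access binaries and the finding names are assumptions for this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the DDS lines posted above (hxxp is DDS's own defanging).
SAMPLE_LOG = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
Run by USER at 12:38:23 on 2012-03-22
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {B37D8AB5-3A6C-4219-BC46-93B26EF0E53D} - hxxp://211.174.251.155/XViewer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
============= SERVICES / DRIVERS ===============
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2008-10-30 1519168]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
==================== Find3M ====================
2012-03-22 10:20:08 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
============= FINISH: 12:39:21.35 ===============
"""

RECENT_DAYS = 30   # assumed: a kernel driver touched this close to the log date gets hashed
REMOTE_ACCESS = ("winvnc.exe", "teamviewer_service.exe", "-k winrm")  # assumed list of tools

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_DATE_RE = re.compile(r"^Run by .* on (\d{4}-\d{2}-\d{2})")
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+\S+?://([^/\s]+)")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[\S+ \d+\])?\s*$")
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.*)$")


def is_ip_host(host):
    """True when the URL host (IPv4, optionally host:port) is a bare address, not a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (kind, identifier, detail) tuples for the entries worth a closer look."""
    findings = []
    section = run_date = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        m = RUN_DATE_RE.match(line)
        if m:
            run_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Pseudo HJT Report":
            # ActiveX installs (DPF/O16) fetched from a bare IP have no vendor behind them
            m = DPF_RE.match(line)
            if m and is_ip_host(m.group(2)):
                findings.append(("dpf-ip-host", m.group(1), m.group(2)))
        elif section == "SERVICES / DRIVERS":
            # Running (R*) remote-access services: confirm they are intended, they are a way back in
            m = SERVICE_RE.match(line)
            if m and m.group(1).startswith("R"):
                image = m.group(4).lower()
                if any(tool in image for tool in REMOTE_ACCESS):
                    findings.append(("remote-access-service", m.group(2), m.group(4)))
        elif section == "Find3M" and run_date is not None:
            # A kernel driver modified within the window: hash it against dllcache/install media
            m = FIND3M_RE.match(line)
            if m:
                mtime = datetime.strptime(m.group(1), "%Y-%m-%d")
                path = m.group(2)
                if "\\drivers\\" in path.lower() and run_date - mtime <= timedelta(days=RECENT_DAYS):
                    findings.append(("recent-driver-mtime", m.group(1), path))
    return findings


if __name__ == "__main__":
    for kind, ident, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {ident:40} {detail}")
```

Run against the sample it reports four findings: the XViewer.cab control pulled from 211.174.251.155, the two running remote-access services, and acpi.sys with a same-day modification time. The last one is the point to stress for this thread: a second TDSSKiller pass reporting clean does not by itself show that a patched system driver was put back; the check is to hash the file on disk against the copy in %windir%\system32\dllcache or the XP install media and replace it if they differ. The DPF entry is a separate item to review, because a vendor-signed control is normally served from the vendor's domain, not a bare address, and the remote-access services should be confirmed as intentional (and their passwords changed) on a machine that already shows hijack symptoms.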

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 March 2012 - 05:49 PM

I see ComboFix has been run on this computer; was it recently?

If so, please post the log which can be found at c:\Combofix.txt

Also, please post the TDSSKiller log(s); they should be in your C:\ drive.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 March 2012 - 09:51 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





