
Web browser hijack, persistent and untraceable - www.delta-homes.com as homepage


  • This topic is locked
7 replies to this topic

#1 Sadzonka

  • Members
  • 4 posts

Posted 04 July 2013 - 11:28 AM

The same homepage [http://www.delta-homes.com] on all browsers - IE, Firefox and Chrome. This issue appeared a few hours ago, just like that. I've been trying to do something about it since then. It's not a matter of changing the homepage; nor simple add-ons to browsers, nor programs visible (and removable) in Control Panel. It's much more persistent and hard to remove or even find. It's not the same as "Delta Search" or "Delta Search Toolbar", it's much worse. No anti-malware or anti-virus program seems to be able to detect it. Since I've really run out of ideas, I believe you are my last chance to get rid of that annoying malware.

 

Thanks in advance!

 

It looks like this: http://img826.imageshack.us/img826/1287/ufnj.png

My log:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.25.2
Run by A at 17:49:17 on 2013-07-04
Microsoft Windows 7 Home Premium   6.1.7601.1.932.81.1045.18.3562.2052 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\ProgramData\eSafe\eGdpSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\A\Local Settings\Apps\F.lux\flux.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Google Update] <no file>
mRun: [USB3MON] "c:\program files\intel\intel® usb 3.0 extensible host controller driver\application\iusb3mon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: &Download All with FlashGet - c:\progra~1\flashget\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\flashget\jc_link.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/bph/SignActivX.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{65AEB3E3-443C-4376-B81B-DDBF6E8C6981} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{7882A71B-A0A7-4A3F-9761-657825CEEDB8} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\a\appdata\roaming\mozilla\firefox\profiles\cu9clt9p.default-1372950239333\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIIPT.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIUpdater.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\nokia\nokia suite\npNokiaSuiteEnabler.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypc.dll
FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypchub.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\a\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\users\a\appdata\local\roblox\versions\version-6cfc785e896545ae\NPRobloxProxy.dll
FF - plugin: c:\users\a\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-07-04 15:31; wrc@avast.com; c:\program files\alwil software\avast5\webrep\FF
FF - ExtSQL: 2013-07-04 17:06; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\a\appdata\roaming\mozilla\firefox\profiles\cu9clt9p.default-1372950239333\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-07-04 17:07; {66E978CD-981F-47DF-AC42-E3CF417C1467}; c:\users\a\appdata\roaming\mozilla\firefox\profiles\cu9clt9p.default-1372950239333\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-7-4 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-7-4 175176]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2012-12-19 19056]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-3 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 369584]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-31 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-31 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2013-7-4 46808]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\intel\icls client\HeciServer.exe [2012-3-7 461024]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files\intel\intel® management engine components\dal\Jhi_service.exe [2012-12-19 165144]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-12-19 363800]
R2 WsysSvc;Wsys Service;c:\programdata\esafe\eGdpSvc.exe [2013-5-19 386112]
R3 iusb3hub;Sterownik koncentratora Intel® USB 3.0;c:\windows\system32\drivers\iusb3hub.sys [2012-12-19 350016]
R3 iusb3xhc;Sterownik kontrolera hosta Intel® USB 3.0 eXtensible;c:\windows\system32\drivers\iusb3xhc.sys [2012-12-19 793920]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-12-19 46080]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-12-19 490088]
RUnknown asdws;asdws; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BEService;BattlEye Service;c:\program files\common files\battleye\BEService.exe [2013-5-22 53248]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-1-9 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2012-1-9 8576]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-9 52224]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;"c:\program files\logmein hamachi\hamachi-2.exe" -s --> c:\program files\logmein hamachi\hamachi-2.exe [?]
SUnknown asdrm;asdrm; [x]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-07-04 14:59:40    --------    d-----w-    c:\users\a\appdata\roaming\Nitroplus
2013-07-04 14:12:15    --------    d-----w-    c:\users\a\appdata\roaming\Anvisoft
2013-07-04 14:12:06    --------    d-----w-    c:\programdata\Anvisoft
2013-07-04 14:12:04    --------    d-----w-    c:\program files\Anvisoft
2013-07-04 14:04:58    --------    d-----w-    c:\programdata\TorchCrashHandler
2013-07-04 13:41:22    --------    d-----w-    c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2013-07-04 13:40:37    --------    d-----w-    c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2013-07-04 13:32:13    175176    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-07-04 13:32:10    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-07-04 13:31:42    --------    d-----w-    C:\sh4ldr
2013-07-04 13:00:44    176    ----a-w-    c:\windows\DeleteOnReboot.bat
2013-07-04 12:19:39    --------    d-----w-    c:\program files\Enigma Software Group
2013-07-04 12:18:33    --------    d-----w-    c:\windows\E89498D814304A2BA76A4A71326981E9.TMP
2013-07-04 12:18:32    --------    d-----w-    c:\program files\common files\Wise Installation Wizard
2013-07-04 11:50:17    --------    d-----w-    c:\users\a\appdata\roaming\Malwarebytes
2013-07-04 11:50:04    --------    d-----w-    c:\programdata\Malwarebytes
2013-07-02 08:35:43    7068072    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{edd6b3af-c2b3-4ab0-b84b-3972a6f61a7a}\mpengine.dll
2013-06-19 12:02:59    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-13 19:27:25    --------    d-----w-    c:\users\a\appdata\roaming\savedata
2013-06-12 18:36:46    9089416    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-06-12 14:40:51    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-12 14:40:50    218112    ----a-w-    c:\program files\internet explorer\sqmapi.dll
2013-06-12 14:37:00    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-06-12 12:38:51    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-06-12 12:38:50    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2013-06-12 12:38:48    492544    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-12 12:38:46    903168    ----a-w-    c:\windows\system32\certutil.exe
2013-06-12 12:38:45    43008    ----a-w-    c:\windows\system32\certenc.dll
2013-06-12 12:38:45    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-12 12:38:45    1160192    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-12 12:38:45    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-12 12:38:41    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-06-12 12:38:39    3968872    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-12 12:38:39    3913576    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-12 12:38:38    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2013-07-04 14:29:55    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-06-12 19:48:23    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-12 19:48:17    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-12 18:36:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 18:36:47    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-19 17:26:00    1598626    ----a-w-    c:\program files\wrar420pl.exe
2013-05-17 01:25:57    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-05-17 01:25:26    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-05-17 01:25:26    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-05-09 08:59:10    61680    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-05-09 08:59:09    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:58:37    41664    ----a-w-    c:\windows\avastSS.scr
2013-05-02 00:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16    474624    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18:40    728424    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18:40    218984    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14:06    2347520    ----a-w-    c:\windows\system32\win32k.sys
2006-05-03 10:06:54    163328    --sha-r-    c:\windows\system32\flvDX.dll
2007-02-21 11:47:16    31232    --sha-r-    c:\windows\system32\msfDX.dll
2008-03-16 13:30:52    216064    --sha-r-    c:\windows\system32\nbDX.dll
2010-01-06 23:00:00    107520    --sha-r-    c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 17:49:49,60 ===============

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 04 July 2013 - 05:28 PM

Hello Sadzonka,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.
1.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right-click on AdwCleaner.exe and select Run as administrator.
  • Click the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.
2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
Things to include in your next reply:
AdwCleaner log
Roguekiller log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 Sadzonka

  • Topic Starter
  • Members
  • 4 posts

Posted 04 July 2013 - 07:28 PM

Thanks for the quick reply! Here is my AdwCleaner log, but I'm afraid it's in Polish. It selected the language automatically and there doesn't seem to be an option to change it anywhere... So:
AdwCleaner log:

# AdwCleaner v2.304 - Log utworzony 05/07/2013 o 02:14:17
# Aktualizacja 03/07/2013 przez Xplode
# System operacyjny : Windows 7 Home Premium Service Pack 1 (32 bits)
# Użytkownik : A - A-KOMPUTER
# Tryb uruchomienia : Normalny
# Ścieżka : C:\Users\A\Desktop\adwcleaner.exe
# Opcja [Szukaj]


***** [Usługi] *****


***** [Pliki / Foldery] *****

Folder Znaleziono : C:\ProgramData\eSafe

***** [Rejestr] *****

Klucz Znaleziono : HKLM\Software\eSafeSecControl

***** [Przeglądarki Internetowe] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Rejestr w porządku.

-\\ Mozilla Firefox v22.0 (pl)

Plik : C:\Users\A\AppDAtA\RoAming\MozillA\Firefox\Profiles\0417uv6i.default-1372958145138\prefs.js

[OK] Plik w porządku.

-\\ Google Chrome v27.0.1453.116

Plik : C:\Users\A\AppDAtA\LocAl\Google\Chrome\User DAtA\DefAult\Preferences

[OK] Plik w porządku.

*************************

AdwCleaner[R1].txt - [924 octets] - [05/07/2013 02:14:17]

########## EOF - C:\AdwCleaner[R1].txt - [983 octets] ##########
RogueKiller log:
RogueKiller V8.6.2 [Jul  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : A [Admin rights]
Mode : Scan -- Date : 07/05/2013 02:21:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] eGdpSvc.exe -- C:\ProgramData\eSafe\eGdpSvc.exe [7] -> ZAKOŃCZONO [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[IRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)
[Address] IRP[IRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0xC28DC1F8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD502HI ATA Device +++++
--- User ---
[MBR] 1d2f84fce79f3faf6aeb55c1747849f0
[BSP] 1d269232e6f2ff34cf83f298b44e5a9d : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SAMSUNG HD502HI ATA Device +++++
--- User ---
[MBR] 2d8021dc9899e1629fb90fe2a49f0581
[BSP] 4e7607cf9232853555ef0250a63144af : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07052013_022133.txt >>

I'm afraid that the malware is still present; delta-homes.com is still my homepage in all browsers and I can't do anything about it.

EDIT: A few moments ago that homepage changed appearance. Now it looks like this: http://img153.imageshack.us/img153/7943/sltl.png

I know it's nothing important, but I wouldn't want to confuse people who might have the same problem.


Edited by Sadzonka, 05 July 2013 - 05:42 PM.


#4 Sadzonka

  • Topic Starter
  • Members
  • 4 posts

Posted 07 July 2013 - 04:12 PM

Well, it appears that I've actually managed to deal with this problem myself.

It seems that the actual malware had already been removed a while ago by one of the following programs: AdwCleaner, RogueKiller or Malwarebytes. At first many programs were unsuccessful in detecting it because it was a new threat - it simply wasn't in their databases yet.

This, however, hasn't solved the problem with the changed homepage. Like curing the disease, but without removing its symptoms.

To cut it short, it wasn't caused by faulty programs, plug-ins for the browser or browsers' settings. It was about shortcuts. All shortcuts to popular browsers had been edited by the malware (Firefox, IE, Chrome; while leaving Torch untouched). I mean ALL shortcuts - on the desktop, Start bar or even taskbar. To remove it, one simply has to delete and recreate them manually OR edit them (in the shortcut's properties there is a line about the location of the object the shortcut leads to, for example "C:\Program Files\Mozilla Firefox\firefox.exe". The virus adds another part, something containing the unwanted homepage's address. Removing that part from the shortcut's properties restores the original homepage). To fully restore the browser's previous functionality, I recommend resetting the browser to its default state.

One more thing - I normally don't use desktop shortcuts to My Computer and My Documents, but I've noticed that they randomly appeared when the malware was still present. I recommend checking said shortcuts as well, just in case. They might also have been edited in some way.

I guess that's it. All programs I use to scan for malware say I'm clean.

I'm describing it here in the hope that someone with a similar problem might find it useful.

I believe the topic can be closed now.


Edited by Sadzonka, 07 July 2013 - 04:16 PM.
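A defender-side check for the shortcut tampering Sadzonka describes, added here as an example and not code from the thread: it walks the desktop, Start Menu and pinned-taskbar shortcut folders, reads each .lnk through the WScript.Shell COM object, and reports browser shortcuts whose arguments carry a web address; the -Fix switch clears those arguments. The browser executable list, the folder list and the function names are this example's own assumptions.

```powershell
# Added example, not from the thread: audit browser shortcuts (.lnk) for injected URL arguments.
# Assumptions: the WScript.Shell COM object is available (standard on Windows desktops) and the
# browser executable names and shortcut folders below cover the machine being checked.

$browserExes = @('firefox.exe', 'iexplore.exe', 'chrome.exe', 'torch.exe')

# Every place the post says shortcuts were altered: desktop, Start Menu and the pinned taskbar
# (pinned items live under Quick Launch\User Pinned\TaskBar, which -Recurse picks up).
$shortcutRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

$shell = New-Object -ComObject WScript.Shell

function Test-InjectedUrlArgument {
    param([string]$Arguments)
    # A browser shortcut normally carries no web address; an appended one is the hijack
    # described in the post (the browser opens that address instead of its configured homepage).
    return [bool]($Arguments -match '(?i)(https?://|www\.)')
}

function Get-BrowserShortcutFindings {
    param(
        [string[]]$Roots,
        [switch]$Fix   # clear the injected arguments in place after reviewing a report-only run
    )
    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($file.FullName)
            $exe = ([IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLower()
            if ($browserExes -notcontains $exe) { continue }
            if (-not (Test-InjectedUrlArgument $lnk.Arguments)) { continue }

            $findings += [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
            if ($Fix) {
                $lnk.Arguments = ''   # the target path itself is left as found
                $lnk.Save()
            }
        }
    }
    return $findings
}

# Report-only run; re-run with -Fix once the listed shortcuts have been reviewed.
Get-BrowserShortcutFindings -Roots $shortcutRoots | Format-Table -AutoSize
```

Shortcuts whose target path was replaced outright rather than given extra arguments are not caught by the argument check; compare the Target column against the expected browser install path for those.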


#5 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 07 July 2013 - 04:33 PM

Your Roguekiller log is showing you are still infected.

 

  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.




#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 09 July 2013 - 04:33 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#7 Sadzonka

  • Topic Starter
  • Members
  • 4 posts

Posted 12 July 2013 - 07:47 PM

Have you even read what I've written? I feel like I'm talking to some bot here. The RogueKiller log posted above is outdated. I've removed the threat with one of the mentioned tools and now everything claims my computer is free from any malware. As I have clearly stated already - the thread may and should be closed.



#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 14 July 2013 - 09:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
