Windows 7 - IE11 - sd-team.info


  • This topic is locked
6 replies to this topic

#1 fwiltonv (Members, 4 posts)

Posted 12 December 2016 - 06:16 PM

Hi everyone,

 

I found (via a Google search) this same exact issue: every time my PC boots up, I get an IE11 instance with the 'sd-team.info' webpage being loaded. Obviously, after closing this, and having run HitmanPro + Norton 2016 several times, including Safe-Mode antivirus/malware scans, I am still unable to get rid of this particular malware.

 

The topic I was reading was: https://www.bleepingcomputer.com/forums/t/624241/sd-steaminfo-redirects-to-zodiac-gameinfo-popup-on-startup/; this fix was applied to Windows 10, and I noticed that there were particularities to the solution provided by the user 'nasdaq'.

 

Which is why I come to you, hoping someone can help me with this, and aid me in my utter ignorance as to how I can get past this.

 

I tried, via msconfig, to untick the 'on startup' HKCU-bound entry, but on boot it was there again, which makes me think that there's an .EXE of sorts being run on boot to prevent me from releasing my PC from this annoying malware; so this was to no avail.

 

Now, I've just downloaded and run the FRST tool for the very first time, and having gone to '%SystemDrive%\FRST\Logs' I got the FRST.txt and the Addition.txt, as stated.

 

I don't want to be annoying in any way, and paste the results of both here, so I attached the FRST.txt to this topic, hoping it will suffice to get a solution for this.

 

I'm also hoping I can learn something through this, and perhaps arrange a solution of my own henceforth.

 

Here's an excerpt of the problem FRST found, and that I noticed in the msconfig:

 

HKU\S-1-5-21-1780176937-2504480433-3509159420-1000\...\Run: [fravascon] => explorer.exe hxxp://sd-steam.info <===== ATTENTION

 

I thank you in advance for your time, and attention.

 

Best regards mates.

#2 nasdaq (Malware Response Team, 38,922 posts, Montreal, QC, Canada)

Posted 13 December 2016 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Did you create this BdBkpFolder ?
Startup: C:\Users\fravascon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder [2016-12-11] ()
What are the .exe files in it?
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\Windows\System32\msconfig.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1780176937-2504480433-3509159420-1000\...\Run: [fravascon] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1780176937-2504480433-3509159420-1007\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll [2011-01-20] ()
Toolbar: HKLM-x32 - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll [2011-01-20] ()
Toolbar: HKU\S-1-5-21-1780176937-2504480433-3509159420-1000 -> DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll [2011-01-20] ()
FF SearchPlugin: C:\Users\fravascon\AppData\Roaming\Mozilla\Firefox\Profiles\jebr6yzm.default\searchplugins\bingp.xml [2015-10-21]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-1780176937-2504480433-3509159420-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]
CHR StartupUrls: Default -> "hxxp://www.google.pt/","hxxp://search.conduit.com/?ctid=CT3314958&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP885778B5-2106-488E-BF27-523DD6A1FDCA","hxxp://blank/"
CHR Plugin: (Native Client) - C:\Users\fravascon\AppData\Local\Google\Chrome\Application\52.0.2743.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\fravascon\AppData\Local\Google\Chrome\Application\52.0.2743.116\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\fravascon\AppData\Local\Google\Chrome\Application\52.0.2743.116\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Skype Toolbars) - C:\Users\fravascon\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.5.0.7280_0\npSkypeChromePlugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U32) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\Windows\SysWOW64\npdeployJava1.dll => No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => No File
CHR Plugin: (Veetle TV Player) - C:\Program Files (x86)\Veetle\Player\npvlc.dll => No File
CHR Plugin: (Veetle TV Core) - C:\Program Files (x86)\Veetle\plugins\npVeetle.dll => No File
CHR Plugin: (PDF-XChange Viewer) - C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Extension: (Norton Security Toolbar) - C:\Users\fravascon\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-12-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\fravascon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\fravascon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-30]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.8.1.14\Exts\Chrome.crx [2016-12-12]
CHR HKU\S-1-5-21-1780176937-2504480433-3509159420-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.8.1.14\Exts\Chrome.crx [2016-12-12]
S3 TBPanel; no ImagePath
U3 aooryhov; C:\Windows\System32\Drivers\aooryhov.sys [0 ] (Intel Corporation) <==== ATTENTION (zero byte File/Folder)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.2.15\Definitions\SDSDefs\20161211.001\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.2.15\Definitions\SDSDefs\20161211.001\EX64.SYS [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]


C:\Windows\System32\Drivers\aooryhov.sys

reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome has been compromised

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

Please post the Fixlog.txt and include the Addition.txt file that was created by the Farbar tool.

Let me know if the problem persists.

#3 fwiltonv (Topic Starter, Members, 4 posts)

Posted 13 December 2016 - 10:40 AM

Hi NASDAQ,

 

Many thanks for your prompt reply!

 

===

Did you create this BdBkpFolder ?
Startup: C:\Users\fravascon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder [2016-12-11] ()
What are the .exe files in it?
===

 

I did not create that folder! It is empty however. Do you think I should delete it anyway?

 

I completed all the steps with Chrome, and I have reinstalled it, and imported the old bookmarks, cheers for that.

 

You will find attached the FixLog and the Addition.txt created previously, let me know if this is alright.

 

The problem, however, does not seem to be completely over with: when I went to MSCONFIG, I noticed that the 'explorer.exe http://sd-steam.info' HKCU entry is still there, but not ticked for running on start-up. This worries me a bit, but I don't know? I've attached a screenshot of the MSCONFIG entry for your perusal.

 

Thanks for your time in advance,

Cheers buddy!


#4 fwiltonv (Topic Starter, Members, 4 posts)

Posted 13 December 2016 - 10:45 AM

Update: the IE11 bogus website just popped up again. The fix did not work. Help!



#5 nasdaq (Malware Response Team, 38,922 posts, Montreal, QC, Canada)

Posted 13 December 2016 - 01:24 PM

The startup for hxxp://sd-steam.info was found in your Addition.txt file.

The empty folder will be removed with this fix.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

Task: {57C22541-48CC-42F1-8F0D-8690FAFB5CE5} - \Steam-S-1-8-22-9865GUI -> No File <==== ATTENTION
Task: {B2BD3729-73E5-4136-AF0B-42C63E3EE77E} - \AutoKMS -> No File <==== ATTENTION
Task: {F2CFA057-1A42-4664-930E-16EBC8575647} - System32\Tasks\fravascon => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v fravascon /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
HKU\S-1-5-21-1780176937-2504480433-3509159420-1000\...\Run: [fravascon] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\Users\fravascon\Downloads\353.30-desktop-win8-win7-winvista-64bit-international-whql.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\BlueStacks-ThinInstaller.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\Combined-Community-Codec-Pack-64bit-2015-10-18 (1).exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\ComicRackSetup09176.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\Diplomacy_4.3 (1).exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\Diplomacy_4.3.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\DOSBox0.74-win32-installer.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\GoogleEarthSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\havdetectiontool.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\iTunes6464Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\Popcorn-Time-0.3.7.2-Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\porntime.exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\RapportSetup (1).exe:BDU [0]
AlternateDataStreams: C:\Users\fravascon\Downloads\RapportSetup.exe:BDU [0]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fravascon
Startup: C:\Users\fravascon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder

Reboot: 

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

===

For your added security I suggest that you update the following programs.

JAVA

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

ADOBE SHOCKWAVE

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

=====

Remove the old version via the Control Panel >Programs > Programs and Features if still present.
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.6.147 - Adobe Systems, Inc.)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
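The fix above works because the hijack had two halves: the scheduled task \fravascon, whose action runs REG ADD to re-create the HKCU Run value, and the Run value itself. Unticking the entry in msconfig only moves it aside (into the MSConfig\startupreg key that the fixlist also deletes), so the task writes it back on its next trigger. The PowerShell below is an added example, not part of this thread and not code from FRST or BleepingComputer, that hunts for exactly that pattern on a Windows 7 machine: Run values that launch explorer.exe or a browser with a URL as the argument, and scheduled tasks whose action writes to a Run key. The list of keys, the regular expressions and the use of schtasks.exe instead of the newer ScheduledTasks module (absent on Windows 7) are the example's own choices.

```powershell
# Added example: hunt for a URL-launching Run value and the scheduled task that
# re-creates it. Not from the thread or from FRST; key list and patterns are
# the example's own. Run from an elevated PowerShell prompt.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# A shell or browser started with an http(s) URL as its argument, e.g.
# "explorer.exe http://sd-steam.info" from the FRST log above.
$UrlLaunch = '(?i)\b(explorer|iexplore|chrome|firefox|rundll32\.exe\s+url\.dll)\S*\s+https?://'

# A task action that writes into a Run key, e.g. the "/c REG ADD HKEY_CURRENT_USER
# \Software\Microsoft\Windows\CurrentVersion\Run ..." action of task \fravascon.
$ReAddRun = '(?i)\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run'

function Find-UrlRunValues {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        # GetValueNames() returns the real value names only (no PSPath noise).
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $UrlLaunch) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Find-RunWritingTasks {
    # schtasks verbose CSV output carries the command line in 'Task To Run';
    # it works on Windows 7, where Get-ScheduledTask does not exist.
    $tasks = schtasks.exe /query /v /fo CSV | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.'Task To Run' -match $ReAddRun) {
            [pscustomobject]@{ Task = $t.TaskName; Action = $t.'Task To Run' }
        }
    }
}

Write-Host '== Run values launching a URL =='
Find-UrlRunValues | Format-List

Write-Host '== Scheduled tasks that write a Run value =='
Find-RunWritingTasks | Format-List
```

Deleting a hit from the first list without also removing its partner in the second list reproduces the situation in post #4, where the page came back minutes after the fix; remove the task first, then the Run value, then confirm both lists are empty after a reboot.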

#6 fwiltonv (Topic Starter, Members, 4 posts)

Posted 13 December 2016 - 04:53 PM

Hi NASDAQ,

 

You brilliant man, you did it.

 

I'm sorry for not attaching the Addition_12-12-2016 23.07.00.txt originally, I'm a n00b, and my ignorance delayed the fixing of the problem.

 

I've attached the FixLog to this post, though!

 

Also, I removed:

 

Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.6.147 - Adobe Systems, Inc.)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)

 

And re-installed everything like you told me in your previous post.

 

Just one last spurt of questions, I guess: why couldn't MalwareBytes, HitmanPro, or Norton 2016 fix or find this? Is it because it's not necessarily Malware, or a Virus, but just a registry key? Is sd-steam.info something like a honeypot for bigger n00bs to then download all manners of terrible things?

 

Also, would you recommend me reading (or a place where I could do so, I noticed there are courses you guys have for learning, but 0 spots were available) something for any further similar issues I might have?

 

Thanks for everything though.

 

Cheers!


#7 nasdaq (Malware Response Team, 38,922 posts, Montreal, QC, Canada)

Posted 14 December 2016 - 09:00 AM



Just one last spurt of questions, I guess: why couldn't MalwareBytes, HitmanPro, or Norton 2016 fix or find this?

A browser hijacker set in the registry is very hard for these tools to find.
They have to assume that it could have been set by the owner.

Also, would you recommend me reading (or a place where I could do so, I noticed there are courses you guys have for learning, but 0 spots were available) something for any further similar issues I might have?

If you want to learn about this you will have to take a Trainee's class.

Check these out.

https://www.bleepingcomputer.com/forums/t/532535/malware-removal-training-program/
http://www.spywareinfoforum.com/topic/34-the-boot-camp-here-anti-malware-training/

Good luck.

===


If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
