Jump to content

Malware redirecting search results


Recommended Posts

Hi,

I observed two problem symptoms on my Win7 PC.

1. Some malware claiming to be Antivirus s/w got intsalled and prompted to be started. It disguised itself as different binaries. I killed it it several times in TaskManager and it got re-spawned again with a new name. Then I killed csrss.exe that was running from one C:/Users/me/AppData/Local/Temp. csrss.exe was respawned in a couple of minutes but did not see the fake-Antivrus running. I am not sure if its really gone.

2. Second issues is my google and yahoo searches are getting hijacked. When I click on search results it takes me to some other search engine. I think, csrss.exe running from C:/Users/me/AppData/Local/Temp is responsible, but I cant kill it permanently.

Can someone help me. Here is my hijackthis logs

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:25:34 AM, on 12/26/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16700)

Boot mode: Normal

Running processes:

C:\Users\myusername\AppData\Roaming\dwm.exe

C:\Users\myusername\AppData\Roaming\Microsoft\conhost.exe

C:\Users\myusername\AppData\Local\Temp\csrss.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files (x86)\WebEx\Connect\connect.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe

C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Altiris\Altiris Agent\AeXAgentUIHost.exe

C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe

C:\Program Files (x86)\emplyr\CSAgent\bin\okclient.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\emplyr\VPN Client\vpngui.exe

C:\Users\myusername\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wwwin.emplyr.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.emplyr.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by emplyr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:57050

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F3 - REG:win.ini: load=C:\Users\myusername\AppData\Local\Temp\csrss.exe

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files (x86)\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [conhost] C:\Users\myusername\AppData\Roaming\Microsoft\conhost.exe

O4 - HKCU\..\Run: [WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\myusername\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

O4 - Global Startup: emplyr Security Agent.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer

\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer

\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O15 - Trusted Zone: http://www.emplyr.com

O15 - Trusted Zone: http://wwwin.emplyr.com

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emplyr.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9524146-F94D-42D6-80F9-A46FEF519666}: Domain = emplyr.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9524146-F94D-42D6-80F9-A46FEF519666}: NameServer = 171.70.168.183,171.68.226.120

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emplyr.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emplyr.com,emplyr.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emplyr.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = emplyr.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = emplyr.com,emplyr.com

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O20 - AppInit_DLLs: AMINIT32.dll csauser.dll

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\SysWOW64\atashost.exe

O23 - Service: CMGShield - Unknown owner - C:\Windows\system32\CmgShieldSvc.exe (file missing)

O23 - Service: emplyr Security Agent (CSAgent) - emplyr Systems, Inc. - C:\Program Files (x86)\emplyr\CSAgent\bin\CSAControl.exe

O23 - Service: emplyr Security Agent Monitor (CSAgentMon) - emplyr Systems, Inc. - C:\Program Files (x86)\emplyr\CSAgent\bin\CSAControl.exe

O23 - Service: emplyr Systems I.T. VPN Service (CVPND) - emplyr Systems, Inc. - C:\Program Files (x86)\emplyr Systems\VPN Client\cvpnd.exe

O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: EMS - Unknown owner - EMSService.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\Windows\system32\ibmpmsvc.exe (file missing)

O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files (x86)\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe

O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files (x86)\TightVNC\tvnserver.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: emplyr AnyConnect VPN Agent (vpnagent) - emplyr Systems, Inc. - C:\Program Files (x86)\emplyr\emplyr AnyConnect VPN Client\vpnagent.exe

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 14662 bytes

Link to post
Share on other sites

Hello winuser99! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 2

Download DDS and save it to your desktop from here or here or here.

Double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. DDS log with Attach.txt

Link to post
Share on other sites

Hi Borislav,

Let me begin with saying, I appreciate your help.

Since, my last email, I made some unsuccessfull attempts to move to previous System Restore Points.

Before I received you msg, I had started the "Full Scan", but I stopped the scan, midway, when I received your msg. I deleted the threat as suggested by mbam. The log is attached. mbam-full.

After that I started quick scan and deleted the threat as suggested. Logs is attached. mbam-quick. PC was rebooted when suggested by tool.

DDS and Attach logs are also attached. I am attaching HJT log collected again after the above mentioned steps.

Thanks

files.zip

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.