Jump to content

Recommended Posts

Customer has a Dell Inspiron 9100. Got a very bad infection from a false security pop-up.

Unable to determine which since could not run any scans. Desktop and Internet broken.

Reinstalled XP from the Dell restore partition. Fully Windows updated. Flash, Reader, Java, Firefox, Thunderbird, LibreOffice, all are the latest. Previous MailWasher.

Kaspersky Internet Security 2011. Full scan negative.

But customer reports hijacking of Google search links to shopping sites and eBay. This in Firefox and Chrome.

I am suspicious of MyWay from Dell restore partition. Uninstalled (?) from web advice, ie finding the uninstaller. Surely this Dell supported product does not hijack?

Spybot, AdAware, Malwarebytes, Avira. Repeated scans, including in safe mode. Lately, some indications but they can't be removed..

I have just run another Malwarebytes scan. Negative.

Have used CCLeaner to disable the usual-suspect annoying startup entries. Eg Adobe Speed Reader.

I will greatly appreciate your help with this.

----

Have run DeFogger, DDS, GMER. Attached are attach.txt and ark.txt in a zip folder.

MBAM log and DDS follow.

----

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6683

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

26/05/2011 12:53:08

mbam-log-2011-05-26 (12-53-08).txt

Scan type: Full scan (C:\|)

Objects scanned: 209777

Time elapsed: 36 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM

----

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Robert at 12:17:38 on 2011-05-28

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.432 [GMT 1:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\system32\Drivers\bwcsrv.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Robert\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell.co.uk/myway

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = about:blank

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Thunderbird] "c:\program files\mozilla thunderbird\thunderbird" -turbo

uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\robert\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher pro\MailWasher.exe

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\robert\application data\mozilla\firefox\profiles\os2hkb2q.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-9 64512]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-8 475736]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [2003-12-21 19840]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-7 136176]

S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2005-7-11 372480]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-7 136176]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2151128]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-27 11:09:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-26 14:03:37 -------- d-----w- c:\windows\system32\NtmsData

2011-05-09 16:59:10 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-05-09 15:04:42 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-05-09 15:04:33 -------- d-----w- c:\program files\Lavasoft

2011-05-07 09:13:18 109240 ----a-w- c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

.

==================== Find3M ====================

.

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

2011-04-11 11:24:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-04-06 11:11:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-06 11:11:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 12:18:59.06 ===============

martal

hijack.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Lavasoft and Kaspersky). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Outline the current issues this computer is experiencing.

Link to post
Share on other sites

Hello screen

Lavasoft is not running its process watch. It's disabled. But I will remove it entirely.

The problem is redirect, particularly from Google. For example, a search for 'avira download' gives the Google list. Click on avira.co.uk goes to www.winmaximiser.com. This in Firefox and Chrome. I've reset the customer's home page to Bing, which appers to be unaffected.

Also, Skype has stopped working (starts then fails). I don't know if this is related.

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Here is eset:

----

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=a107604695cca642924c7b9d56bf09c3

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-10 11:50:22

# local_time=2011-06-10 12:50:22 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1280 16777175 100 0 5426909 5426909 0 0

# compatibility_mode=8192 67108863 100 0 682 682 0 0

# scanned=87486

# found=10

# cleaned=10

# scan_time=4905

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\4\5B\25142d01 JS/Kryptik.AQ.Gen trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\7\97\6D215d01 JS/Kryptik.AQ.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\A\38\FC6D0d01 JS/Kryptik.AQ.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\A\3C\0F1F0d01 PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\C\78\2FD79d01 PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\D\62\B201Dd01 JS/Kryptik.AQ.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\os2hkb2q.default\Cache\E\B3\9DA1Dd01 JS/Kryptik.AQ.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\i386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000685.rbf a variant of Win32/Injector.AHE trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP88\A0014703.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

and SecurityCheck

---

Results of screen317's Security Check version 0.99.13

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Kaspersky Internet Security 2011

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 24

Out of date Java installed!

Adobe Flash Player 10.3.181.14

Adobe Reader X (10.0.1)

Mozilla Firefox (x86 en-GB..)

Mozilla Thunderbird (3.1.10) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Kaspersky Lab Kaspersky Internet Security 2011 avp.exe

Kaspersky Lab Kaspersky Internet Security 2011 klwtblfs.exe

FireTrust MailWasher Pro MailWasher.exe

``````````End of Log````````````

Some new information: original restore of XP carried out at my place. This problem turned up immediately after PC returned to customer. I am following your instructions from customer's place.

Daughter (student) of customer reports: I have similar browser redirect when I am here but not anywhere else. Am/was suspecting possibility of router virus.

First impression: Google search appears to be working OK. Will reboot and wait for customer's feedback.

Link to post
Share on other sites

  • Staff

Hi,

Grab a fresh copy of ComboFix, run it, and post its log (don't attach it).

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
    gmer_zip.gif
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      GMER_thumb.jpg
      Click the image to enlarge it

    [*] Then click the Scan button & wait for it to finish.

    [*] Once done click on the [save..] button, and in the File name area, type in "ark.txt"

    [*]Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries

Please copy and paste the report into your Post.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.