
(re-attempt) Browser Hijack log



I just read the part where we're not supposed to post a reply to our topic, so I'm consolidating it here. Please feel free to remove my previous topic here: http://forums.malwarebytes.org/index.php?showtopic=93801

My friend dropped off his computer. Malwarebytes found 6 threats and cleaned them. After a reset, things appeared to be working better, but search results still redirect.

Details:

  • Windows XP SP3
  • hosts file is clean
  • affects all browsers (IE, FF 6, Chrome)

Using Firebug, the 200 OK "response" I receive from the remote server (and it looks like it's coming from the correct URL) when I click on a link in Google/Yahoo is as follows (note that the "action" will often change, but the myform.submit() function is always the same):

<html><body><form id="mfrm" name="myform" action="http://www.yahsmin.com" method="post"><input type="hidden" name="url" value="http://clickcertain.org/go.php?id=acd763a6e47c55d93bbf4eb7fa6cc982&aid=531&said=direc30&lastpage=BxsbH1VAQBgYGEEIAAAIAwpBDAACQBxQBwNSCgFJHBoIChcfUgwCHB9JDB9SVkkIHDAGC1IZSRcHHVIbSR5SHB4aBgEEFldZSR8JUh9JHAwDBgoBG1IfHBZJHAYbClJJHAAaHQwKUgcfSR8NF1JeSQAeUkkOHlJJDh4GUkkOHgNSSQgcMBwCUkkIHDAaHwNSSQ0OGVIAAUFdQwAdQR0wCAxBHTAfGEFJCR9SWV4MDVxdDQtWX1hfXF8NV0kNBhhSXl5aXUkNBgdSW1ldSRsMB1JeSQoMB1JZSR8cBlInJx82Ox8FKShCCQxfPig%2BFyEGOysuQV5cXltbXV5bWl1YV15BXQ%3D%3D"></form><script type="text/javascript">document.forms["myform"].submit();</script></body></html>

Attached are the following files:

dds.txt

gmer.log

hijackthis.log

mbam-log-2011-08-25*.txt - results where malicious things were detected

mbam-log-2011-08-26*.txt - results after cleaning

ComboFix.txt

Domain name information for the clickcertain.org site, just in case it changes:


Just tried ESET Online. Problem is still here, but these are the results (and I'm curious why MSSE and McAfee didn't catch them):

C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9m.EXE	a variant of Win32/AdInstaller application	deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2161\A0213562.EXE a variant of Win32/AdInstaller application deleted - quarantined
C:\WINDOWS\SYSTEM32\dosaxapp.dll a variant of Win32/Urlbot.NAN trojan cleaned by deleting - quarantined

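A defender-side check for the pattern in the captured response above, added here as an example and not part of the forum post: it parses a response body and flags any form that inline script submits to a host other than the one the clicked link pointed at, then reports the next hop named in the hidden "url" field. The clicked URL and the sample body are constructed (the ids are placeholders); only the two domain names come from the post.

```python
"""Flag HTTP response bodies that are really cross-site auto-submitting forms."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches document.forms["name"].submit() and name.submit() inside inline script.
AUTO_SUBMIT = re.compile(
    r'document\.forms\[\s*["\']?(\w+)["\']?\s*\]\.submit\(\)|(\w+)\.submit\(\)')


class _FormScanner(HTMLParser):
    """Collect forms, their hidden inputs, and the text of every <script>."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"name": a.get("name") or a.get("id"),
                               "action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "inputs": {}})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["inputs"][a.get("name", "")] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_hijack_forms(clicked_url, body):
    """Return findings for forms that script submits to a host other than clicked_url's."""
    scanner = _FormScanner()
    scanner.feed(body)
    submitted = set()
    for script in scanner.scripts:
        for m in AUTO_SUBMIT.finditer(script):
            submitted.add(m.group(1) or m.group(2))
    origin_host = urlparse(clicked_url).hostname
    findings = []
    for form in scanner.forms:
        target_host = urlparse(form["action"]).hostname
        if form["name"] in submitted and target_host and target_host != origin_host:
            # The hidden "url" field carries the next hop of the redirect chain.
            next_hop = urlparse(form["inputs"].get("url", "")).hostname
            findings.append({"form": form["name"], "posts_to": target_host,
                             "next_hop": next_hop, "method": form["method"]})
    return findings


# Constructed sample: the link the user clicked and a body shaped like the captured one.
SAMPLE_CLICKED = "http://www.example-search.test/result?q=weather"
SAMPLE_BODY = ('<html><body><form id="mfrm" name="myform" action="http://www.yahsmin.com" method="post">'
               '<input type="hidden" name="url" value="http://clickcertain.org/go.php?id=PLACEHOLDER&aid=531&lastpage=PLACEHOLDER">'
               '</form><script type="text/javascript">document.forms["myform"].submit();</script></body></html>')

if __name__ == "__main__":
    for finding in find_hijack_forms(SAMPLE_CLICKED, SAMPLE_BODY):
        print(finding)
```

A clean search-result page produces no findings, so this check can run over proxy or browser-capture logs to spot the redirect without relying on the hosts file or AV signatures.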


  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (AVG and Microsoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please don't attach logs. Copy and paste them instead.

Next, update MBAM, run a Quick Scan, and post its log. Grab a fresh copy of ComboFix, run it, and post its log. Also post a fresh DDS log.

Are you currently connected through a router?


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
