roland67 Posted January 29, 2010

Have done pretty much everything up to posting an HJT report so here it is. I am not sure what the no name toolbar thing is but I do not believe it has anything to do with my problem. I would like to know what it is and get rid of it though. When I do a search on google, I am redirected to ezanga, smartbidsearch and such ilk. Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:03 PM, on 1/28/10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Roland\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Update Service (gupdate1c9c093d6268446) (gupdate1c9c093d6268446) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
Administrator Tarun Posted January 29, 2010

Hi Roland, have you downloaded the tools for your OS from the Anti-Malware Toolkit? You'll also want to get Avast, because v5 is now out.
James_A Posted January 29, 2010

I am not sure what the no name toolbar thing is but I do not believe it has anything to do with my problem.

If you mean this:
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
...
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
then it's (or rather, it was, since the file is missing) the AVG 8 toolbar (AVGTOOLBAR.DLL). Looks to me like AVG has been removed, but left the registry entries behind.
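The cross-check James_A did by eye (two "(no file)" entries sharing one CLSID) is easy to automate when a log is long. The script below is an added example, not something posted in the thread or shipped with HijackThis: it parses the R/O entry lines, pulls the CLSID out of each, and groups every entry whose target file is reported missing by CLSID, so an orphaned BHO and toolbar left behind by the same uninstall are listed together. The section/marker parsing rules are my own assumptions about the log format; the sample lines are a subset copied from the log above.

```python
import re
from collections import defaultdict

# Constructed subset of the HijackThis log posted in the thread, one entry per line.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

# Assumed format: "<section> - <body>", where section is R0/R1/O2/O3/... (HJT convention).
ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT prints these when the registry entry points at a file that no longer exists.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Turn HJT entry lines into dicts: section, body, CLSID (uppercased) if any, missing flag."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "missing": any(marker in body for marker in MISSING_MARKERS),
        })
    return entries


def orphaned_by_clsid(entries):
    """Group missing-file entries by CLSID: {clsid: [sections it appears in]}."""
    groups = defaultdict(list)
    for e in entries:
        if e["missing"] and e["clsid"]:
            groups[e["clsid"]].append(e["section"])
    return dict(groups)


def orphaned_without_clsid(entries):
    """Missing-file entries that carry no CLSID (O20 Winlogon Notify lines and the like)."""
    return [e for e in entries if e["missing"] and not e["clsid"]]


def report(text):
    """One line per orphaned CLSID (with every section it shows up in), then CLSID-less orphans."""
    entries = parse_hjt(text)
    lines = []
    for clsid, sections in sorted(orphaned_by_clsid(entries).items()):
        lines.append(f"{clsid}: orphaned in {', '.join(sections)}")
    for e in orphaned_without_clsid(entries):
        lines.append(f"{e['section']}: {e['body']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log it flags the same three leftovers James_A and the O20 AVG line point at; an entry that is merely "(no name)" but whose DLL still exists (the Spybot and xpnetdiag buttons) is not reported, since a missing name alone is normal for several legitimate IE add-ons.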
roland67 (Author) Posted January 29, 2010

Have run all recommended utilities prior to posting HJT. Also did Trend Micro Housecall.
Administrator Tarun Posted January 29, 2010

The reason I asked is because I do not see the Malwarebytes Service listed. Your log appears clean, though.
roland67 (Author) Posted January 30, 2010

I did run Malwarebytes antimalware but this has not fixed my problem. My browser has definitely been hijacked. Any ideas?
Administrator Tarun Posted January 30, 2010

Please post your scan log from Malwarebytes.
roland67 (Author) Posted January 30, 2010

Malwarebytes' Anti-Malware 1.44
Database version: 3660
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/29/10 9:34:01 PM
mbam-log-2010-01-29 (21-34-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 235613
Time elapsed: 1 hour(s), 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\IE.ico (Malware.Trace) -> Quarantined and deleted successfully.
Administrator Tarun Posted February 1, 2010

Not seeing any issues. Are you still experiencing issues?
roland67 (Author) Posted February 2, 2010

Finally gave up and switched to google chrome from Firefox. Problem appears to be gone unless I use Firefox.
greenknight Posted February 2, 2010

A Firefox problem? Ah, that's my specialty! A quick search of the Mozillazine forums turned up this thread about exactly this problem: Seems that a virus is installing itself as a Firefox extension, removal instructions here. Probably easier to just delete the entire Extensions folder in your Firefox profile, then reinstall your extensions. See this page for help. To simplify fixing problems like this, I recommend backing up your Firefox profile. With backups, you could fix this in about a minute.
roland67 (Author) Posted February 7, 2010

Thanks guys. I have tried all these things and still have redirects. Maybe if I delete all references to firefox from my registry? Not sure how to do that safely.
Administrator Tarun Posted February 7, 2010

You could just create a new Firefox profile and that should fix it.
roland67 (Author) Posted February 7, 2010

Ok. I have tried that now and am redirected to info.com. If I hit back button I go to intended site.
roland67 (Author) Posted February 7, 2010

Google chrome seems to be clean. I like firefox better and this redirect thing is driving me crazy.
Eldmannen Posted February 7, 2010

Uninstall Firefox, then delete your Firefox profile, and all the extensions. Like, you can remove C:\Documents and Settings\Roland\Application Data\Mozilla. Then you install Firefox again.
Administrator Tarun Posted February 7, 2010

What you should be able to do is fully uninstall Firefox too, and remove prefs, etc. Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.
greenknight Posted February 8, 2010

<snip> Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.

Sorry, Tarun, you don't recall correctly. Those brilliant Firefox devs decided to make opening the Profile Manager command line. It differs in different Windows versions, for XP:

Windows 2000 and XP
1. Exit Firefox. To close Firefox, at the top of the Firefox window, select the File menu, and then select Exit.
2. Open the Windows Start menu and click Run....
3. In the Run dialog, enter the following: firefox.exe -ProfileManager
4. Click OK.
Note: If the Profile Manager window does not appear, you may need to specify the full path of the Firefox program, enclosed in quotes; for example: "C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager

On my XP machine I can use firefox.exe -p and it works. The main thing is, don't leave out the space after firefox.exe (a very common error). Full instructions here.

I was afraid this might be tough to get rid of; it's said to be a variant of the Vundo trojan, which has been evolving for a long time and getting increasingly hard to completely remove. It may be hiding in the Registry and reinstalling itself after you remove it. Anyway, try a new profile; if that works, great. If not, try completely uninstalling Firefox and doing a clean install. If still no joy, it means there's more work to do. You definitely need to get this malware off your machine, not just work around it by using Chrome.
roland67 (Author) Posted February 9, 2010

Have followed your instructions. Unfortunately no joy. What next?
greenknight Posted February 9, 2010

Give VundoFix a try. Instructions on how to use it are on the download page. It removes many of the variants of Vundo, let's hope it works on this one.
roland67 (Author) Posted February 10, 2010

Vundofix says no vundo found. I can't believe this. I have never had an infection this tough to be rid of. I really appreciate that there are people like you guys out there to help. Thanks for your efforts. Shall we try something else?
greenknight Posted February 10, 2010

Did you already run SUPERAntispyware? You could also try the Symantec Trojan.Vundo Removal Tool. Again, instructions are on the download page.
James_A Posted February 15, 2010

Just a thought... If it's not Vundo, browser redirects + measures that defeat MBAM and other anti-malware packages = the TDSS rootkit.
greenknight Posted February 15, 2010

If it's not Vundo, browser redirects + measures that defeat MBAM and other anti-malware packages = the TDSS rootkit.

In that case, I don't think those scanners would run at all. Also, MBAM is supposed to be able to detect TDSS - though it can't remove it. Still, we have only one source that says it's a Vundo variant, it might be something else. Your guess is as good as any...

If Roland67 ever returns (you out there, Roland?), I'd say run MBAM and SAS again with the latest updated definitions - they may have learned to detect this. If they still don't find anything - since no one here seems to know how to fix this, you should try one of the specialized malware-removal forums, such as those at:
Bleeping Computer
Spybot Forums
MajorGeeks Forums
Make sure you check out their forum rules, posting guidelines, etc, and follow them. Don't be surprised if you have to wait a few days for a response - they get real busy.
James_A Posted February 15, 2010

If Roland67 ever returns (you out there, Roland?), ...

Hmmm.. Last post was on 10-Feb, just after Patch Tuesday. If the TDSS rootkit is present on a computer, installing the latest Windows Update (= MS10-015 / kb977165) will result in a BSoD and unable to boot in safe mode. Only solution is to boot from a CD or a USB drive - but you will have to do that anyway to replace the driver file modified by the rootkit (usually atapi.sys or iastor.sys, but it may sometimes be any of a dozen others). If this is actually the problem (and we still don't know for sure), there's plenty of info over at Bleeping Computer.
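The check behind James_A's last point, as an added example rather than anything posted in the thread: an in-place patch of a system driver leaves the live file in system32\drivers different from the copy Windows File Protection keeps in system32\dllcache (assumed directory layout; the candidate driver names are assumptions seeded from the post). The script hashes both copies of each candidate and reports which ones no longer agree. It is meant to be run against the infected volume mounted from a boot CD or USB stick, since on the running infected OS a rootkit can hand a scanner the clean bytes. The demo builds a constructed fake driver tree in a temp directory, with atapi.sys patched in the live copy only.

```python
import hashlib
import os
import tempfile

# Assumed candidates: the post names atapi.sys and iastor.sys and says it may be others.
DEFAULT_DRIVERS = ("atapi.sys", "iastor.sys", "ndis.sys")


def sha256_of(path):
    """Hash a file in chunks so a large driver is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_copies(live_dir, cache_dir, drivers=DEFAULT_DRIVERS):
    """Return {driver: status}, status one of 'match', 'mismatch', 'missing-live', 'missing-cache'.

    live_dir is the volume's system32\\drivers, cache_dir its system32\\dllcache
    (assumed layout). A mismatch is a lead, not proof: a legitimately hotfixed
    driver can also differ from its cached copy, so verify the mismatching file
    (signature, version, hash) before replacing it.
    """
    results = {}
    for name in drivers:
        live = os.path.join(live_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-live"
        elif not os.path.isfile(cached):
            results[name] = "missing-cache"
        elif sha256_of(live) == sha256_of(cached):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed fixture: fake driver tree in a temp dir, atapi.sys patched in place in the live copy."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(live)
    os.makedirs(cache)
    body = b"MZ" + b"\x00" * 64  # stand-in for a driver image, not a real PE
    for name in ("atapi.sys", "ndis.sys"):
        for d in (live, cache):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
    # Overwrite a few bytes inside the live atapi.sys only, the way an in-place patch would.
    with open(os.path.join(live, "atapi.sys"), "r+b") as f:
        f.seek(16)
        f.write(b"\x90\x90\x90\x90")
    return compare_driver_copies(live, cache)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real volume, point live_dir and cache_dir at the mounted drive (for example E:\WINDOWS\system32\drivers and E:\WINDOWS\system32\dllcache from the rescue environment) and extend the driver list as needed; 'missing-live' for iastor.sys is normal on a machine without an Intel storage controller.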