
Roland redirected


roland67


I have done pretty much everything up to posting an HJT report, so here it is. I am not sure what the "no name" toolbar thing is, but I do not believe it has anything to do with my problem. I would like to know what it is and get rid of it, though. When I do a search on Google, I am redirected to ezanga, smartbidsearch and such ilk. Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:16:03 PM, on 1/28/10

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\SPAMfighter\sfus.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Roland\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Google Update Service (gupdate1c9c093d6268446) (gupdate1c9c093d6268446) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe


I am not sure what the no name toolbar thing is but I do not believe it has anything to do with my problem.

If you mean this:

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

...

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

then it's (or rather, it was, since the file is missing) the AVG 8 toolbar (AVGTOOLBAR.DLL). Looks to me like AVG has been removed, but left the registry entries behind.
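The reply above does by eye what can also be done mechanically. As an added example (not part of this thread and not a HijackThis feature), the script below parses HJT entry lines, flags entries whose target file is gone, nameless COM objects, Run entries that give a bare filename instead of an absolute path, and groups entries that share a CLSID, which is how the O2 and O3 lines turn out to be one and the same leftover toolbar. The sample input is a handful of lines copied from the log above; the KNOWN_SEARCH_HOSTS list is an assumption to adjust for your own machine.

```python
"""Triage a HijackThis log: flag orphaned, nameless and path-less entries.

Added example; not part of HijackThis. Only the entry types that occur in
the log above are handled. KNOWN_SEARCH_HOSTS is an assumption.
"""
import re

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# Assumption: hosts you expect to see in IE's start/search page entries.
KNOWN_SEARCH_HOSTS = ("google.ca", "google.com", "microsoft.com")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_entry(line):
    """Split 'O2 - rest' into (section, rest); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def host_of(url):
    return re.sub(r"^[a-z]+://", "", url.strip()).split("/")[0].lower()


def triage(log_text):
    """Return [(section, rest, [reasons])] for every entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        section, rest = entry
        reasons = []
        if rest.endswith(ORPHAN_MARKERS):
            reasons.append("orphaned: target file missing")
        if "(no name)" in rest:
            reasons.append("nameless COM object")
        if section == "O4":
            # 'HKLM\..\Run: [label] target' -> target
            target = rest.split("] ", 1)[1] if "] " in rest else rest
            if not ABS_PATH_RE.match(target):
                reasons.append("autorun target has no absolute path (resolved via search path)")
        if section in ("R0", "R1"):
            host = host_of(rest.rsplit("= ", 1)[-1])
            if not any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_HOSTS):
                reasons.append("start/search page points at unexpected host " + host)
        if reasons:
            findings.append((section, rest, reasons))
    return findings


def shared_clsids(log_text):
    """Map each CLSID that appears in more than one entry to its sections."""
    seen = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        for clsid in CLSID_RE.findall(entry[1]):
            seen.setdefault(clsid.upper(), []).append(entry[0])
    return {c: s for c, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    for section, rest, reasons in triage(SAMPLE_LOG):
        print(section, "|", rest, "|", "; ".join(reasons))
    print(shared_clsids(SAMPLE_LOG))
```

An orphaned entry is not itself malicious (here it is an uninstaller's leftover), but every "(no file)" line is a registry pointer that a later install of any DLL at that path would quietly activate, so they are worth clearing.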


Malwarebytes' Anti-Malware 1.44

Database version: 3660

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/29/10 9:34:01 PM

mbam-log-2010-01-29 (21-34-01).txt

Scan type: Full Scan (C:\|)

Objects scanned: 235613

Time elapsed: 1 hour(s), 7 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\IE.ico (Malware.Trace) -> Quarantined and deleted successfully.


A Firefox problem? Ah, that's my specialty!

A quick search of the Mozillazine forums turned up this thread about exactly this problem:

Seems that a virus is installing itself as a Firefox extension, removal instructions here.

Probably easier to just delete the entire Extensions folder in your Firefox profile, then reinstall your extensions. See this page for help.

To simplify fixing problems like this, I recommend backing up your Firefox profile. With backups, you could fix this in about a minute.
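Before wiping the Extensions folder it helps to know what is in it and which profile it belongs to. The script below is an added example (not from the thread and not Mozilla code): it reads profiles.ini the way Firefox does, lists the entries in each profile's extensions folder, marks those not on an allowlist of extensions you installed yourself, and reports the extension-registry files a Firefox 3-era profile keeps beside that folder, since leaving those behind can let a deleted extension be re-registered. The allowlist and the extension IDs in demo() are hypothetical; the sample profile is built in a temporary directory so the example runs anywhere.

```python
"""Inventory Firefox extensions per profile and flag IDs not on an allowlist.

Added example, not from the thread or from Mozilla. ALLOWLIST and the
extension IDs in demo() are hypothetical.
"""
import configparser
import os
import shutil
import tempfile

# Hypothetical: IDs of the extensions you installed on purpose.
ALLOWLIST = {"example-toolbar@example.com"}

# Firefox 3-era profiles keep their extension registry in these files;
# remove them together with the extensions folder so it is rebuilt.
REGISTRY_FILES = ("extensions.ini", "extensions.cache", "extensions.rdf")


def profile_dirs(mozilla_dir):
    """Read profiles.ini and return [(profile name, absolute profile path)].

    On XP mozilla_dir is %APPDATA%\\Mozilla\\Firefox.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(os.path.join(mozilla_dir, "profiles.ini"))
    out = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        path = cp[section]["Path"]
        if cp[section].get("IsRelative", "1") == "1":
            path = os.path.join(mozilla_dir, path)
        out.append((cp[section].get("Name", section), os.path.normpath(path)))
    return out


def inventory(profile_dir, allowlist=ALLOWLIST):
    """List extensions/ entries with a verdict, plus registry files present."""
    ext_dir = os.path.join(profile_dir, "extensions")
    entries = sorted(os.listdir(ext_dir)) if os.path.isdir(ext_dir) else []
    verdicts = [(e, "known" if e in allowlist else "UNKNOWN") for e in entries]
    registry = [f for f in REGISTRY_FILES
                if os.path.isfile(os.path.join(profile_dir, f))]
    return {"extensions": verdicts, "registry_files": registry}


def demo():
    """Build a constructed profile tree in a temp dir and inventory it."""
    root = tempfile.mkdtemp()
    try:
        prof = os.path.join(root, "x1y2z3w4.default")
        for ext_id in ("example-toolbar@example.com",
                       "{0f0e0d0c-0b0a-0908-0706-050403020100}"):  # hypothetical IDs
            os.makedirs(os.path.join(prof, "extensions", ext_id))
        open(os.path.join(prof, "extensions.cache"), "w").close()
        with open(os.path.join(root, "profiles.ini"), "w") as f:
            f.write("[General]\nStartWithLastProfile=1\n\n"
                    "[Profile0]\nName=default\nIsRelative=1\n"
                    "Path=x1y2z3w4.default\nDefault=1\n")
        return {name: inventory(path) for name, path in profile_dirs(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run it with Firefox closed; anything marked UNKNOWN is a candidate for the malicious extension the thread describes, and the registry files listed should go along with the folder when you do the cleanup.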


  • Administrator

What you should be able to do is fully uninstall Firefox too, and remove prefs, etc.

Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.


<snip>

Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.

Sorry, Tarun, you don't recall correctly. Those brilliant Firefox devs decided to make opening the Profile Manager a command-line affair. It differs between Windows versions; for XP:

* Windows 2000 and XP

1. Exit Firefox. To close Firefox, at the top of the Firefox window, select the File menu, and then select Exit.

2. Open the Windows Start menu and click Run....

3. In the Run dialog, enter the following:

firefox.exe -ProfileManager

4. Click OK.

Note: If the Profile Manager window does not appear, you may need to specify the full path of the Firefox program, enclosed in quotes; for example:

"C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager

On my XP machine I can use firefox.exe -p and it works. The main thing is, don't leave out the space after firefox.exe (a very common error). Full instructions here.

I was afraid this might be tough to get rid of; it's said to be a variant of the Vundo trojan, which has been evolving for a long time and getting increasingly hard to completely remove. It may be hiding in the Registry and reinstalling itself after you remove it.

Anyway, try a new profile; if that works, great. If not, try completely uninstalling Firefox and doing a clean install.

If still no joy, it means there's more work to do. You definitely need to get this malware off your machine, not just work around it by using Chrome.


Vundofix says no vundo found. I can't believe this. I have never had an infection this tough to be rid of. I really appreciate that there are people like you guys out there to help. Thanks for your efforts. Shall we try something else?


If it's not Vundo, browser redirects + measures that defeat MBAM and other anti-malware packages = the TDSS rootkit.


In that case, I don't think those scanners would run at all. Also, MBAM is supposed to be able to detect TDSS - though it can't remove it. Still, we have only one source that says it's a Vundo variant, it might be something else. Your guess is as good as any...

If Roland67 ever returns (you out there, Roland?), I'd say run MBAM and SAS again with the latest updated definitions; they may have learned to detect this. If they still don't find anything, then, since no one here seems to know how to fix this, you should try one of the specialized malware-removal forums, such as those at:

Bleeping Computer

Spybot Forums

MajorGeeks Forums

Make sure you check out their forum rules, posting guidelines, etc, and follow them. Don't be surprised if you have to wait a few days for a response - they get real busy.


If Roland67 ever returns (you out there, Roland?), ...

Hmmm.. Last post was on 10-Feb, just after Patch Tuesday.

If the TDSS rootkit is present on a computer, installing the latest Windows Update (= MS10-015 / KB977165) will result in a BSoD and an inability to boot in safe mode. The only solution is to boot from a CD or a USB drive, but you will have to do that anyway to replace the driver file modified by the rootkit (usually atapi.sys or iastor.sys, but it may sometimes be any of a dozen others).

If this is actually the problem (and we still don't know for sure), there's plenty of info over at Bleeping Computer.
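Once you are booted from a CD or USB stick, the question is which driver file was modified. The script below is an added example (not from the thread): it hashes the drivers the post names on the offline-mounted volume and compares them with a trusted copy, either the WFP copies in WINDOWS\system32\dllcache or the files on the install media. The comparison has to be made offline because, while the rootkit is running, its hooks hide the modification from anything reading the file through the live system. The directories and file contents in demo() are constructed; no real driver bytes are embedded.

```python
r"""Compare driver files on an offline-mounted Windows volume with reference copies.

Added example, not from the thread. Run it from a boot CD/USB; the live
system can't be trusted while a rootkit is resident. The paths and sample
bytes in demo() are constructed.
"""
import hashlib
import os
import shutil
import tempfile

# Drivers the post names as the usual targets; extend the tuple as needed.
SUSPECT_DRIVERS = ("atapi.sys", "iastor.sys")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_drivers(live_dir, reference_dir, names=SUSPECT_DRIVERS):
    r"""Return {name: verdict} for each driver name.

    live_dir      -> <mounted volume>\WINDOWS\system32\drivers
    reference_dir -> a copy you trust: WINDOWS\system32\dllcache or the
                     install media (service-pack level must match).
    """
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(live):
            report[name] = "missing on disk"
        elif not os.path.isfile(ref):
            report[name] = "no reference copy"
        elif sha256_file(live) == sha256_file(ref):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def demo():
    """Build a constructed drivers/ and dllcache/ pair and compare them."""
    root = tempfile.mkdtemp()
    try:
        live = os.path.join(root, "drivers")
        ref = os.path.join(root, "dllcache")
        os.makedirs(live)
        os.makedirs(ref)
        clean = b"MZ" + b"\x00" * 62 + b"clean driver body"   # constructed, not a real PE
        for d in (live, ref):
            with open(os.path.join(d, "atapi.sys"), "wb") as f:
                f.write(clean)
        with open(os.path.join(ref, "iastor.sys"), "wb") as f:
            f.write(clean)
        # Same size, one byte changed: a size or timestamp check would miss it.
        with open(os.path.join(live, "iastor.sys"), "wb") as f:
            f.write(clean[:-4] + b"b0dy")
        with open(os.path.join(live, "example.sys"), "wb") as f:
            f.write(clean)
        return compare_drivers(live, ref, SUSPECT_DRIVERS + ("example.sys",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

A MISMATCH against the install media is not proof on its own, since hotfixes legitimately replace drivers; a mismatch against the dllcache copy on the same volume, or a file whose Authenticode signature no longer verifies (Sysinternals sigcheck will tell you), is the stronger signal. Replace the flagged file from the trusted copy while still booted from the rescue media.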


This topic is now closed to further replies.