[resolved] Browser Hijack - possible other infection

Got this computer from a friend, and to my knowledge, never scanned anything beyond good old AVG virus and Ad-Aware. After giving everything the old one-two (ran Ad-Aware, Spybot, and AVG Anti-spyware), I've still got a %^*(#@#$ browser hijack going on. It's got ahold of my google search, and this cannot be allowed.

I've already cleared out a trojan, a downloader, a whole slew of other crap, and no luck getting rid of it all so far.

Anyway, here's my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:40 AM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Venom\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homestarrunner.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmytd.exe] C:\WINDOWS\system32\dmytd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://gvtc6.blackboard.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AAE3E4F-D28F-490D-B5B9-231F0CD85969}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEA35107-678D-4E63-8F25-3D4307E61A96}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB6D7066-BC54-4365-ADB4-4DAE546808E7}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7BAB961-F78C-43BE-BA62-361CDB47184C}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Now, once we get this thing cleaned up, I'm going to have a nice chat with my thrice-damned husband about surfing the net for porn. I couldn't care less, but I'm the one that has to de-bug his comp when he does!

Comments

  • edited November 2006
    Did you set homestarrunner.com as your homepage?
    Is this supposed to be in the trusted zone: gvtc6.blackboard.com?
  • edited November 2006
    Did you set homestarrunner.com as your homepage?
    Is this supposed to be in the trusted zone: gvtc6.blackboard.com?

    Yes and Yes.
  • edited November 2006
    So what do you mean by:
    It's got ahold of my google search
    ?

    Meanwhile, run Panda ActiveScan.
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
  • edited November 2006
    It's one of those google hijacks, where if you click a link in google it redirects to something else... usually porn or something for sale.

    I'm scanning now with Panda.
  • edited November 2006
    Alright, here's my scan:

    Adware:adware/megatds Windows registry
    Spyware:Cookie/Atwola C:\Documents and Settings\Venom\Cookies\venom@atwola[1].txt
  • edited November 2006
    I've also got Downloader.Agent.uj, according to AVG anti-spyware. I can't get rid of the damned thing, either. I've tried three times, 1st time quarantine, 2nd time safe mode scan and delete on reboot, 3rd time safe mode scan and delete. Still there.

    [532] VM_00D70000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    [556] VM_009F0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).

    Last run.
  • edited November 2006
    AVG doesn't pinpoint the location, so it can be pretty hard to get rid of this.

    Turn off Windows XP System Restore:

    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.

    Now rescan with ewido and post the log in your next reply.
  • edited November 2006
    I turned off system restore before the last scan, but I will run ewido now. (Sorry it's taking so long to get back to you.)
  • edited November 2006
    __________________________________________________
    ewido anti-spyware online scanner
    http://www.ewido.net
    __________________________________________________


    Name: Downloader.Agent.uj
    Path: [532] VM_00D70000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [556] VM_00B20000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1408] VM_009D0000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1516] VM_009A0000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1524] VM_003B0000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1540] VM_01130000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1548] VM_003C0000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1556] VM_00F30000
    Risk: High

    Name: Downloader.Agent.uj
    Path: [1628] VM_00D80000
    Risk: High


    I can't figure out where this thing IS, nor what is causing it. It's apparently the culprit in the google redirection. As far as I know, that is the only symptom.
  • edited November 2006
    Alright, somehow I managed to get rid of the downloader, but now we have a new problem.

    A nice little Trojan has risen from the ashes.

    Head, meet desk. Okay.

    From AVG scan:

    C:\WINDOWS\system32\csyjc.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    [1268] VM_01380000 -> Trojan.Small.fb : Cleaned with backup (quarantined).
    [2696] VM_027D0000 -> Trojan.Small.fb : Cleaned with backup (quarantined).

    Online scan with ewido:
    (scanned in memory)
    __________________________________________________
    ewido anti-spyware online scanner
    http://www.ewido.net
    __________________________________________________


    Name: Trojan.Small.fb
    Path: [1268] VM_01380000
    Risk: High

    Name: Trojan.Small.fb
    Path: [2696] VM_027D0000
    Risk: High

    Name: Trojan.Small.fb
    Path: [3640] VM_00A80000
    Risk: High

    Going to continue the hunt for a cure....
  • edited November 2006
    ALRIGHT! After applying numerous solutions to the various things I found, I think I've managed to get rid of this sucker!

    First, I ran the Downloader.Agent.uj removal tool found here: http://blog.evilissimo.net/2006/08/07/how-to-remove-trojandownloaderuj/

    That got rid of the Downloader.Agent.uj that was hiding the trojan. Now I was getting the Trojan.small.fb on the scans, but again, AVG just plain wasn't removing it.

    http://www.short-media.com/forum/showthread.php?t=49284 - I followed the steps to remove the O17 entries using HijackThis. I finally scanned clean on AVG after a couple more scans.

    So over to Spybot I went. Everything came up groovy... except for Pipas.A. That proved to be stubborn, so I had to do some more digging to figure out what to do there.

    I removed O4 - HKLM\..\Run: [dmldi.exe] C:\WINDOWS\system32\dmldi.exe (this particular beastie apparently creates random names starting with dm***.exe)

    That let SSD get rid of that one.

    Now I seem to be running clean, and the Google search hijack is gone. Here's my current HijackThis log just in case:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:03:24 PM, on 11/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Venom\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homestarrunner.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gvtc6.blackboard.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    If I find anything else, I'll let you know, but for now, this appears to be solved. I just figured I'd post my process in case anyone else needed a hand with these particular bugs. Good LORD, now I'm hoping I can keep this PC clean.
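As an added example (not from the thread or from any tool it mentions), a small Python checker that runs over HijackThis-style lines like the ones in the first post and the final post: it flags O17 NameServer entries whose resolvers are not on an expected list (the rogue 85.255.x.x servers above), and O4 Run entries that match the dm???.exe naming the poster describes. The sample lines and the RFC 1918 allowlist are constructed assumptions; a real run would list the ISP's resolver addresses instead.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the thread's HijackThis entries (not a full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [dmytd.exe] C:\\WINDOWS\\system32\\dmytd.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7AAE3E4F-D28F-490D-B5B9-231F0CD85969}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""

# Assumption: the machine's legitimate resolvers live on the LAN (RFC 1918 space).
# On a real machine, put the ISP's resolver addresses here instead.
EXPECTED_DNS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
# dmytd.exe / dmldi.exe in the thread: "dm" plus three letters, living in system32.
O4_RANDOM_RE = re.compile(r"^O4 - .*\\system32\\dm[a-z]{3}\.exe\s*$", re.IGNORECASE)

def rogue_nameservers(log_text):
    """Return (registry key, server) pairs whose DNS server is outside EXPECTED_DNS."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis prints the list comma- or space-separated depending on the key.
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = ip_address(server)
            except ValueError:
                continue  # not an address (stray token); skip it
            if not any(addr in net for net in EXPECTED_DNS):
                found.append((m.group("key"), server))
    return found

def suspicious_run_entries(log_text):
    """Return O4 Run entries matching the random dm???.exe name pattern."""
    return [l.strip() for l in log_text.splitlines() if O4_RANDOM_RE.match(l.strip())]

if __name__ == "__main__":
    for key, server in rogue_nameservers(SAMPLE_LOG):
        print(f"rogue DNS {server} under {key}")
    for entry in suspicious_run_entries(SAMPLE_LOG):
        print("suspicious autorun:", entry)
```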
  • edited November 2006
    I guess everything should be all fine now. I'll bookmark that Downloader.Agent.uj removal tool link in case I should need it the next time.

    The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead :)


    Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available at this link:
    http://www.short-media.com/forum/showthread.php?t=29803
  • edited November 2006
    Thanks for your help!
This discussion has been closed.