Solved

IE overtaken

Posted on 2004-08-08
Last Modified: 2010-04-11
Win2000 Pro. Downloaded security updates unattended. After the updates were downloaded, data continued to be received. Removed multiple Trojans and viruses. Only thing remaining is a browser hijacker. Have executed HijackThis, SpywareGuard and every other BHO tool possible. Listed below is part of the HijackThis log file. I've been in the registry and deleted them, only to have them loaded again.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=

I cannot get rid of this IE specific hijacker. HELP.
Question by:cactusdr

LVL 3

Expert Comment

by:Fairco
ID: 11746019
Here's some help for manual removal:
To find out the problematic file, download Sysinternals' Registry Monitor ( http://www.sysinternals.com/ntw2k/source/regmon.shtml ), and set it up to monitor the hijacked registry keys. It will catch the process that causes the key's change.
Likely it will be explorer.exe, since today's spywares install themselves as shell extensions, making the shell itself do the dirty job.
In this case you need to review all the installed shell extensions. Crawling through the registry is one way, but I recommend using this tool: http://www.snapfiles.com/get/shellexview.html
LVL 4

Accepted Solution

by:
munkyxtc earned 100 total points
ID: 11746279
Are you running the PC in safemode?  If not, I would recommend doing that first -- Chances are the registry entries are reappearing because there is a service or small file that is not being detected by S&D; therefore, as soon as machine is restarted they will again trigger, and you're back where you started --  

You can start the PC in safemode by restarting and hitting F8 -- you will be asked then to start in safemode.

You may also want to try these applications in safemode:

CoolWebShredder -- www.spywareinfo.com/~merijn/files/CWShredder.exe

Ad-Aware - http://www.lavasoftusa.com/support/download/
Download reference from the same location

Also, can you post the entire HijackThis log?  I'd like to see the processes running on the machine as well.

Thanks.

Author Comment

by:cactusdr
ID: 11746379
I'm getting ready to go at it with the above advice. What was said made me think that I should give you some info on what I previously repaired. After the update, when I tried to restart, the system got hung. Opened Task Manager and the explorer.exe CPU reading was at 99. Ended the process and manually ran explorer.exe. Loading continued. Installed another spyware app and restarted. Did the same thing but would not rerun explorer.exe. Task Manager had 4 instances of a program....wuam.exe. Ended the 4 and loading continued WITH explorer.exe running. Deleted that program and it has worked since. Does this add to the story or confirm your advice? Thanks!
LVL 4

Expert Comment

by:munkyxtc
ID: 11746445
wuam.exe is a virus known as W32/Rbot-M

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Microsoft Update Time=wuam.exe.

and delete it if it exists.

Close the registry editor and reboot your computer.
LVL 4

Expert Comment

by:munkyxtc
ID: 11746460
At this point, it should be said that if you didn't already, you should disable System Restore for the time being -- If you do not, the virus will only propagate into that reserved area of the system, and further infect the hard drive once it has been cleaned from the partition.  To disable System Restore in Windows XP, do the following:

1) Click Start > Programs > Accessories > Windows Explorer
2) Right-click My Computer, and then click Properties.
3) Click the System Restore tab.
4) Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5) Click Apply. A confirmation window will appear. As noted in the message, this will delete all existing restore points. Click Yes to do this.
6) Click OK.
7) Restart Machine --

To turn on Windows XP System Restore
1) Click Start.
2) Right-click My Computer, and then click Properties.
3) Click the System Restore tab.
4) Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5) Click Apply, and then click OK.

Also, to add to my above post, I found the following:

W32/Rbot-M is a worm which attempts to spread to remote network shares.

W32/Rbot-M contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in the
background as a service process.

W32/Rbot-M spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user.

When W32/Rbot-M is run it copies itself to the Windows system folder with the
filename wuam.exe and deletes the original copy if that filename was wuam.exe.

In order to run automatically when Windows starts up W32/Rbot-M creates the
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe.

W32/Rbot-M attempts to contact the host babe.thekiller.biz.
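An added example, not from this thread or from any tool named in it: the post above tells you to export the registry to a Backup file before editing, so this Python script reads such a regedit export and reports the W32/Rbot-M autostart entries it lists (the "Microsoft Update Time" value launching wuam.exe under HKLM Run, HKLM RunServices, and each per-user hive beneath HKEY_USERS). The sample export and the SIDs in it are constructed; the "bare filename" rule that marks other entries for review is my own heuristic, which is why the legitimate mobsync.exe entry from this machine's log shows up as "review" rather than "match".

```python
"""Scan a regedit export for the W32/Rbot-M autostart entries quoted above.

Added example for this thread, not code from any tool named in it. It reads
the Backup .reg file the post tells you to export, so it runs offline on any
platform. SAMPLE_REG and the SIDs in it are constructed.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"Microsoft Update Time"="wuam.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"""

# Indicators quoted in the post: the value name and image file W32/Rbot-M uses.
RBOT_VALUE_NAME = "microsoft update time"
RBOT_IMAGE = "wuam.exe"

# Autostart keys under HKLM, HKCU and every per-user hive below HKEY_USERS.
AUTOSTART_KEY = re.compile(
    r"^(?:hkey_local_machine|hkey_current_user|hkey_users\\[^\\]+)"
    r"\\software\\microsoft\\windows\\currentversion\\(?:run|runservices)$",
    re.IGNORECASE,
)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # Undo regedit's escaping: a doubled backslash becomes one, \" becomes ".
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def image_name(command):
    """Return (basename, has_path) for the executable in a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    has_path = "\\" in exe or ":" in exe
    return exe.rsplit("\\", 1)[-1].lower(), has_path


def scan_autostart(text):
    """Report autostart values that match the Rbot-M indicators ('match') or
    launch a bare filename resolved from the system folder ('review').
    The bare-filename rule is a heuristic of this example, not from the post."""
    findings = []
    for key, name, data in parse_reg(text):
        if not AUTOSTART_KEY.match(key):
            continue
        image, has_path = image_name(data)
        if name.lower() == RBOT_VALUE_NAME or image == RBOT_IMAGE:
            severity = "match"
        elif not has_path:
            severity = "review"
        else:
            continue
        findings.append({"key": key, "name": name, "data": data,
                         "image": image, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_autostart(SAMPLE_REG):
        print(f"[{f['severity']}] {f['key']}\\{f['name']} = {f['data']}")
```

Run it against a real export by reading the Backup file instead of SAMPLE_REG (regedit on Windows 2000 writes .reg files as UTF-16, so open them with that encoding); "match" entries are the ones the post says to delete, "review" entries only need a second look.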
LVL 4

Expert Comment

by:munkyxtc
ID: 11746471
whoops -- just noted that it was 2k Pro...for some reason I was thinking XP -- regardless, the above notes should be helpful, and a start on the bigger issue here.

Author Comment

by:cactusdr
ID: 11746489
I don't think Win2000 Pro has System Restore

Author Comment

by:cactusdr
ID: 11746493
Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.
LVL 4

Expert Comment

by:munkyxtc
ID: 11746514
>>I don't think win2000 Pro has system restore<<

You're correct -- it doesn't; That's why I posted my retraction above: Date: 08/08/2004 10:52AM EDT

>>Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.<<

Glad to hear you got that straightened out.

Still try running the apps I suggested in safemode...reboot, and post the HT log.

Author Comment

by:cactusdr
ID: 11746538
Getting ready to shut it down and restart. Until then, here's the entire HT log:

Logfile of HijackThis v1.97.7
Scan saved at 8:17:48 AM, on 8/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\mFire Accelerator\mfireaccel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\mFire\dialer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\mb\LOCALS~1\Temp\7zOp68B8\shexview.exe
E:\Program Files\Maxthon\Maxthon.exe
D:\Protection\HijackThis\HijackThis.exe
D:\Protection\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\mFire Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINNT\System32\mshelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Registry Crawler] E:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: mFire Accelerator Client.lnk = C:\Program Files\mFire Accelerator\mfireaccel.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\mFire Accelerator\mfireaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\mFire Accelerator\mfireaccel.exe/227
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4

FYI: mFire is an internet accelerator that's been on the system a long time.
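An added example, not part of this thread and not HijackThis code: a Python triage script for a HijackThis log such as the one posted above. It decodes the "(obfuscated)" O13 prefixes (they are plain %XX URL-encoding, and the decoded host is the same lfnmcjw.biz that the R0 Start Page entries point at), flags R0/R1 start and search keys that point at hosts the administrator did not configure, flags a ProxyServer value that routes the browser through a local port, collapses the repeated O10 LSP lines into one item for review, and checks the O17 NameServer entries against a list of expected resolvers. SAMPLE_HT_LOG is built from lines quoted in the thread; EXPECTED_HOSTS and EXPECTED_DNS are placeholders an administrator would fill with the machine's known-good values.

```python
"""Triage a HijackThis log offline: decode the percent-encoded O13 prefixes and
flag the R0/R1, proxy, LSP and DNS lines that deserve a closer look.

Added example for this thread; not HijackThis code. SAMPLE_HT_LOG is built
from lines quoted in the thread. EXPECTED_HOSTS and EXPECTED_DNS are
placeholders an administrator would fill with the machine's known-good values.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

SAMPLE_HT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4
"""

EXPECTED_HOSTS = {"www.microsoft.com"}         # placeholder: hosts you set yourself
EXPECTED_DNS = {"209.244.0.3", "209.244.0.4"}  # placeholder: the ISP's resolvers

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O13_LINE = re.compile(r"^O13 - (?P<name>.+?): (?P<value>\S+)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PROXY_HOST = re.compile(r"(?:^|;)(?:\w+=)?(?P<host>[^:;]+):\d+")


def decode_prefix(url):
    """Undo the %XX encoding that HijackThis reports as 'obfuscated'."""
    return unquote(url)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def analyze(text):
    """Return a list of finding dicts, one per line (LSP lines are merged)."""
    findings = []
    lsp_paths = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            name = m.group("name").strip()
            value = m.group("value").replace(" (obfuscated)", "").strip()
            if name == "ProxyServer":
                p = PROXY_HOST.search(value)
                host = p.group("host") if p else ""
                if host in ("127.0.0.1", "localhost"):
                    findings.append({"kind": "local_proxy", "line": line,
                                     "note": f"browser traffic routed through {value}"})
            elif value.lower().startswith("http") and host_of(value) not in EXPECTED_HOSTS:
                findings.append({"kind": "hijacked_ie_key", "line": line,
                                 "host": host_of(value)})
            continue
        m = O13_LINE.match(line)
        if m:
            decoded = decode_prefix(m.group("value"))
            if decoded != m.group("value"):
                findings.append({"kind": "encoded_prefix", "line": line,
                                 "host": host_of(decoded), "decoded": decoded})
            continue
        m = O10_LINE.match(line)
        if m:
            lsp_paths[m.group("path").lower()] += 1
            continue
        m = O17_LINE.match(line)
        if m:
            unknown = [s for s in m.group("servers").split() if s not in EXPECTED_DNS]
            if unknown:
                findings.append({"kind": "dns_review", "line": line, "servers": unknown})
    for path, count in lsp_paths.items():
        findings.append({"kind": "lsp_review", "path": path, "count": count})
    return findings


def hijack_hosts(findings):
    """Distinct hosts that the hijacked keys and encoded prefixes point at."""
    return sorted({f["host"] for f in findings if "host" in f})


if __name__ == "__main__":
    results = analyze(SAMPLE_HT_LOG)
    for f in results:
        print(f["kind"], f.get("host") or f.get("path") or f.get("note") or "")
    print("hijack hosts:", hijack_hosts(results))
```

The O13 prefixes matter more than they look: DefaultPrefix and WWW Prefix are what IE prepends to anything typed without a scheme, so every bare hostname typed into the address bar was being sent to that host first. The proxy finding (127.0.0.1:5400) says some local process is sitting between IE and the network; the ProxyOverride list in the log exempts Windows Update hosts, which is why updates still worked.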
LVL 4

Expert Comment

by:munkyxtc
ID: 11746617
I'd remove all of this:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4
LVL 4

Expert Comment

by:munkyxtc
ID: 11746634
Also, make sure you delete all the files out of your recycle bin, and do the following:

go to START>Run

type CMD press enter

when the window opens up make sure you are at C:\ if not use cd.. to get there, and then:

type DEL *.tmp /s [there are spaces between the del and * and also between tmp and /s]

This will delete all temp files on the hard drive -- Also, I never noticed, did you run the scans in safemode?

Author Comment

by:cactusdr
ID: 11746924
munkyxct----You da man!!!!!!!
I cleared the recycle bin then started in Safe Mode. Ran CWS and Ad-Aware. Instead of perm. deleting the items found in CWS, I sent them to the Recycle Bin so that I could view the contents after normal restart. Ran HT after CWS and A-A and the guilty entries still appeared. Ran CWS again and nothing was found. Ran HT and all the entries were gone. Restarted normally and checked the Recycle Bin. The following files were in the Bin:

mshelper.dll  (C:\WINNT\System32)
mtwcnl32.dll  (C:\WINNT\System32)
Readme        (C:\Program Files\Internet Explorer)

Cleared the Bin and ran the CMD as you stated. Can't delete one File as it's 'in use'. Opened Internet Options and the home page was 'Blank'. Bingo.
Before I give the points, would you briefly explain to me why Safe Mode? I ran CWS, Ad-Aware and HijackThis while running normally but the entries ALWAYS propagated. Why?
LVL 4

Expert Comment

by:munkyxtc
ID: 11747441
>>would you briefly explain to me why Safe Mode?<<

Sure, safemode is a diagnostic boot sequence built into Windows operating systems -- When you boot into safemode, only the bare essential items are loaded, meaning only files that Windows needs to start up, nothing else. It is an extremely powerful tool when dealing with adware/spyware because these applications exploit security flaws in the system and make it look like they are system processes; therefore the spyware removal tools cannot remove them, since they look like a system process [which makes it look like the system would become unstable if they were removed], and so they are not removed during a scan when the machine is booted normally.  When you start in safemode, these services/processes do not start up, since Windows says 'I don't need these files to boot'; when the spyware removal tool is run, it will recognize the file name or application as not required by Windows, therefore allowing you to remove the files.  Ok, I hope that better explains 'why safemode', but more importantly, I'm glad I was able to help get your PC back up and running.  Anything else, just ask.