Solved

Internet Explorer Compromised?

Posted on 2009-04-06
Last Modified: 2013-11-05
I have a user that has a very messed up Internet Explorer.  To begin with, several times throughout the day, IE faults & brings up the termination window that asks if they would like to send or not send the error report.  If they just drag that away, they are able to continue working without issue for the day.  However, now the major issue that leads me to believe she's compromised is that whenever she goes to a site (most of them) that requires a login, she gets re-directed (on the same site though) to a page asking for a lot of personal information (see attachment).  Some that this happens on are wellsfargo.com, Ebay.com, CitiBankonline.com etc.  I have run Spybot, MalwareBytes, ComboFix & SAV & none of them found anything that fixed it.  I also have uninstalled IE7, reinstalled etc & everything still is broken.

Please advise if you have ever seen this.
Error.JPG
Question by:rustyrpage
 
LVL 7

Expert Comment

by:tplaya07
ID: 24081646
Just to make 100% sure, you did run updates on all the programs listed before you scanned, right?
I know you have SAV, but try downloading/running AVG Antivirus, as well as SuperAntiSpyware. This definitely looks like some form of Malware/Virus.
Also, check your hosts file for any "weird" entries.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24081653
Oh, why don't you also post a HJT log
http://majorgeeks.com/download3155.html
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24081654
All of them were updated - I can try SuperAntiSpyware, but do you really think SAV, ComboFix, MalwareBytes & Spybot would miss it?
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24081760
I agree it's doubtful, but in regards to AV software, all of them will detect things others won't. None are 100% perfect. Make sure to post the HJT log though as well.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24081768
I am doing the HJT now, I cannot uninstall the SAV as it is required by our security policy.  The HJT should shed enough light hopefully.
0
 

Expert Comment

by:dragonfirez
ID: 24081771
It seems like a BHO (Browser Helper Object) keeps redirecting the user.  It does seem weird that ComboFix didn't catch the infection though.

Try downloading Autoruns, http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Once launched and it's finished loading, go up to the menu bar and select "Hide all Microsoft entries", then hit F5 (refresh). You can go to the Internet Explorer tab or just scroll down and look for files/entries that are unsigned, have weird names, or you don't think have any business being on the machine.  Try to delete those files and then run Autoruns again and try to delete the entry in Autoruns.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24081801
Logfile of HijackThis v1.99.1
Scan saved at 2:05:05 PM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
\bionitweb\apps$\Installers\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111705285187
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\Software\..\Telephony: DomainName = corp.aemf.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.aemf.org
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

0
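A quick way to do the triage dragonfirez describes (unsigned, oddly named or missing files at the hook points) is to run the HijackThis log through a script rather than eyeballing it. The following is an added example, not code from the thread or from HijackThis; it uses a handful of lines copied from the log above as sample input, and the trusted ActiveX download hosts and the expected domain are assumptions for the example (the domain is the one rustyrpage later confirms as theirs):

```python
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis log posted above so the script runs
# offline; in practice pass the saved log file on the command line.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111705285187
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aemf.org
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumptions for this example: hosts the organisation is happy to let IE pull
# ActiveX (.cab) controls from, and the AD domain the machine should belong to.
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "hp.com")
EXPECTED_DOMAIN = "corp.aemf.org"

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
Finding = Tuple[str, str, str]  # (section, reason, original line)


def _host(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def _trusted(host: str, allow=TRUSTED_DPF_HOSTS) -> bool:
    return any(host == h or host.endswith("." + h) for h in allow)


def triage(log_text: str, expected_domain: str = EXPECTED_DOMAIN) -> List[Finding]:
    """Return the log entries a technician should look at first.

    HijackThis only enumerates known hook points; a quiet log does not prove
    the box is clean, it just narrows where to look next.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if "(file missing)" in body:
            findings.append((section, "file missing", raw))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "unknown service owner", raw))
        if section == "O16":
            host = _host(body.rsplit(" - ", 1)[-1])
            if not _trusted(host):
                findings.append((section, f"ActiveX download from unlisted host {host}", raw))
        if section == "O17":
            domain = body.split("=", 1)[-1].strip()
            if domain.lower() != expected_domain.lower():
                findings.append((section, f"unexpected domain {domain}", raw))
        if section == "O20" and "(file missing)" not in body:
            findings.append((section, "review: DLL loaded by winlogon.exe at logon", raw))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, reason, line in triage(text):
        print(f"[{section}] {reason}\n    {line.strip()}")
```

On the sample it flags the hgtv.com ActiveX control, the two "(file missing)" entries, the service with no recorded owner, and the GoToMyPC Winlogon Notify DLL for review; it stays quiet on the O17 lines because the domain matches. Treat the output as a reading list, not a verdict: "(file missing)" entries are often leftovers of an uninstall (the two O20 entries here vanished on their own in the later log), and nothing in a HijackThis log covers kernel drivers or the boot sector.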
 

Expert Comment

by:dragonfirez
ID: 24081992
I'm wondering if it's this line:
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

I know it says hgtv, but I'm wondering if it's some sort of hijack (especially since the redirect page shows it's coming from ebay.com)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24082004
So where would I go about removing that?
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24082063
Have you run AVG yet? Does it detect Trojan.Sinowal? Spysweeper has also been reported to detect this. You need to turn off System Restore before running scans though, as if it is this Sinowal infection, it can embed itself in System Restore.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24082105
http://forums.techguy.org/malware-removal-hijackthis-logs/584511-solved-trojan-sinowal.html

Quite a few people seem to experience the same problem, and some mention hosts files and others mention a hijacked IE DLL file, which would make sense if you are getting IE errors.
http://www.google.com/search?hl=en&q=Please+enter+as+more+information+as+possible+to+provide+your+complete+identification+and+to+activate+all+the+features+of+the+new+system&btnG=Google+Search&aq=f&oq=

Try turning off System Restore and do a SFC /scannow

0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24082506
I turned off System Restore & did SFC /Scannow to no luck.

I will look at the hosts file, but I wouldn't think that would do the image that I posted.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24084502
From your logfile of HijackThis it seems you are running v1.99.1, which conceivably has missed something.
Recommend you install and run Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Using HijackThis you could then Fix these next two log entries, as they are listed as (file missing) .. it's ~just possible~ they indicate an infection.  
Then we could see if they 'regenerate' at bootup >>

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)

0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24087630
So you're saying to just delete those two entries & see what happens?
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24088886
And also run AVG if possible. As mentioned before, some other people were able to detect a sinowal trojan with AVG that some other AV scanners missed.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24089324
Yes, just delete the two "O20" entries, they aren't doing anything with the 'file missing' statement, & it may tell us something .. sorry about the delay, I just logged on.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24089432
Also if convenient you may like to run HijackThis 2.02.  We can then get the logfile analysed to see if there's any difference.

There are two more free scanners you may like to try, then if we still find nothing I guess we can assume the machine is clean & try something else >

Trend Micro's online virus scanner:            
http://housecall.trendmicro.com/uk/
Ideal for scanning online, using "Safe Mode with networking".      

Kaspersky online virus scanner, which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software>
http://www.kaspersky.co.uk/virusscanner
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24100120
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:19, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\NTR global\NTRsupport Installable RC\installablerc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111705285187
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\Software\..\Telephony: DomainName = corp.aemf.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.aemf.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NTRsupport Installable RC (installablerc) - NTRglobal - C:\Program Files\NTR global\NTRsupport Installable RC\installablerc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8025 bytes
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24100130
AVG found nothing, I am running http://www.kaspersky.co.uk/virusscanner now.  As far as the 020 entries, I went & ran HJT again & they weren't there.....strange.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24100219
The HijackThis logfile looks ok except for possibly these four entries.   They may well be ok, but in case they are not, do you know the IP or Domain 'corp.aemf.org'?
If you definitely DO NOT, you can Fix them with HijackThis >>

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\Software\..\Telephony: DomainName = corp.aemf.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aemf.org
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.aemf.org

0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24100231
No, that is our domain.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24100239
Looking at the page, it really does look authentic (in other words, the submit button for the information is hosted on Ebay's website etc)....but it is only on this one computer that it is asking for that.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24102186
I really don't think it's authentic. I read multiple different forums (from the google results link I provided earlier) with people who claim to have contacted Paypal and Ebay and both deny that it has anything to do with their sites.

Do you have your phishing filter turned on in IE7? Tools --> Internet Options --> Advanced tab, scroll all the way down and click "Turn on automatic website checking"

BTW, did you ever get a chance to look through your HOSTS file? It may be a redirector of some sort in there. Spybot will likely have a huge section, but you don't need to worry about scanning through those. Just anything before or after the Spybot entries.
0
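The hosts-file check tplaya07 asks for twice in this thread can be done mechanically, which matters when Spybot has padded the file with hundreds of blocking lines. The script below is an added example, not code from the thread; the sample hosts file it ships with is constructed (the .test names and the 198.51.100.23 address, which sits in a documentation range, are invented), and the internal network ranges are an assumption:

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a Windows hosts file (normally
# %SystemRoot%\System32\drivers\etc\hosts): the stock localhost line, a
# Spybot-style blocking section, one redirect of a bank name to a public
# address, and one internal override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.ads.example.test
0.0.0.0         tracker.example.test
# End of entries inserted by Spybot - Search & Destroy
198.51.100.23   www.wellsfargo.com wellsfargo.com
10.0.0.5        intranet.example.test   # internal override, usually benign
"""

# Assumption: the organisation's internal ranges. An override pointing into
# these is worth a look but is usually an admin's doing, not a hijack.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Finding = Tuple[str, str, str]  # (address, hostname, verdict)


def audit_hosts(text: str) -> List[Finding]:
    """Flag hosts entries that can send a name somewhere other than the real site.

    Loopback (127.x, ::1) and 0.0.0.0 entries only block a name, so the whole
    Spybot section is skipped without needing to know where it starts or ends.
    """
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, " ".join(names), "unparseable entry"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        verdict = ("note: override to internal address"
                   if any(ip in net for net in INTERNAL_NETS)
                   else "SUSPICIOUS: public name redirected")
        for name in names:
            findings.append((addr, name, verdict))
    return findings


def suspicious(text: str) -> List[str]:
    """Just the hostnames that resolve to a non-internal, non-loopback address."""
    return [name for _, name, verdict in audit_hosts(text) if verdict.startswith("SUSPICIOUS")]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_HOSTS
    for addr, name, verdict in audit_hosts(text):
        print(f"{verdict:40} {name} -> {addr}")
```

Two things to check alongside the file itself: the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which tells Windows which directory to read hosts from, and the file's attributes (a hidden or read-only hosts file is a common sign someone else has been editing it). A clean file, as rustyrpage reports a few posts on, rules out only this one redirection path: when the address bar, the certificate and the form's submit target all still belong to the real site and the extra fields only appear in one browser on one machine, the injection is happening inside the browser, not in name resolution.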
 
LVL 6

Author Comment

by:rustyrpage
ID: 24102248
HOSTS file is clean with just localhost.  Phishing filter has been on (and we use OpenDNS)
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24102522
Hmmm...I've been reading about these same issues on multiple other sites for hours, but NO ONE seems to have a solution. If HOSTS is clean, AV/Malware/Spyware scans return nothing, I can only surmise that it's a corrupt file(s)...maybe an IE DLL file??? I'll be completely honest man, your fastest solution may be to just save your important files and do a clean install (I wouldn't even rely on a Restore) that formats the drive. However, if you want to stick it out and try and find an answer (for yourself and quite a few others out there), I'll keep throwing out suggestions, albeit some may be farfetched and/or time consuming. Your call?

BTW, you do have SP3 with all the latest windows updates, right?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24102535
Unfortunately this is the computer of someone important that has applications from 4 years ago that are un-findable =).  That said, Firefox is totally fine...weird!

I have uninstalled IE7 then re-installed, no avail.  I have run sfc /scannow, no avail.  

I have been doing IT for 15 years, I KNOW that there's always a solution, this is just ticking me off!
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24102852
Yeah, I agree...there is always a solution. It's just what lengths people are willing to go to in order to find it.

I was rereading through this whole post and you mentioned that IE faults and tries to send an error report. Is this still happening (since you reinstalled IE7)?

What does the corresponding entry in event viewer say?

Does this page come up EVERY time you go to Ebay, Paypal, Wells Fargo, etc, or only intermittently?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24107353
It hasn't faulted since I did the re-install of IE7 (or at least it doesn't seem to).

One time I just filled in fake information on the ebay one & once I did that, it didn't come up again until I cleared my cookies....but, otherwise it comes up every time.
0
 
LVL 7

Accepted Solution

by:
tplaya07 earned 500 total points
ID: 24108344
I know you mentioned you've already tried the sfc /scannow, but did you try sfc /purgecache as well?
Also, do you still have System Restore disabled? If not, keep it disabled as it may be corrupt.

http://www.windowsnetworking.com/articles_tutorials/Internet-Explorer-corrupted-fix.html

Okay, here is the not so fun part. About halfway down the page is a list of Internet Explorer related DLLs. Either one by one or via a batch file(s), you need to unregister the current DLLs and then replace them with the ones located either in your I386 folder or from an XP CD with slipstreamed SP3. The latter would be better IMO, as the I386 folder may be compromised as well. I'm sure you know of plenty of places to download the XP w/ slipstreamed SP3. (And for the mods, I am NOT suggesting piracy in any way, since this user already has a valid/legit serial number).
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24109572
For those that have this same problem - one other thing that I have noticed is that the infection actually is compromising the secure page....what I mean is that the bank website or Ebay etc still is what is in the URL page with the valid SSL cert etc....but when you hit submit on their login screen, it gives the warning about secure & unsecure content.  VERY weird.  

As far as the DLLs go - I can slipstream my SP3 in without a problem, but before I do that, can I just pull the DLLs from a working computer & register them?  I can just write a batch file really quick.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24109915
Yeah. Wherever you can get the dll files is fine...preferably as long as it's not from the compromised system.
One more thing, I don't recall if you said you tried it already, but have you tried opening IE without add-ons to see if the problem is still there? There should be a link in Start Menu > Programs > Accessories > System Tools. If not, you can always go to Start > Run >
"C:\Program Files\Internet Explorer\iexplore.exe" -extoff
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24110071
Yeah, even with the no add-ons it still doesn't work.  So if I find all of those DLLs in my system32 folder, I can just copy them over to their system32 folder & run that batch, correct?
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24110249
To make it a little easier, you could copy/paste all the lines from the batch file in the link above into Notepad, and then do a Find and Replace to unregister the DLLs.
Find  "/s"
Replace with "/u"
You may have to browse through the list though and make minor adjustments, as not all of the commands are the same. Then use the list as a reference to copy the DLLs from another computer and paste into the compromised PC. Remember to register the files though once they're pasted.

**Also, do a sfc /purgecache before you proceed with the above steps.
0
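Before unregistering and overwriting every DLL on the list, it is worth knowing which ones actually differ from a known-good machine: rustyrpage already has a working XP SP3 box to copy from, so a hash comparison between the two tells you whether any IE DLL was tampered with at all, and the batch file only needs to touch the files that differ. The script below is an added example and is not the article's batch file or anything from the thread. The five DLL names are a stand-in for the article's full list (an assumption; the real list must match both machines' service-pack and hotfix level, or every file will show as different), and the demo data it builds in a temp directory is constructed:

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: a short list of core IE DLLs stands in for the full list in the
# linked article. Both machines must be at the same SP/hotfix level.
IE_DLLS = ["urlmon.dll", "mshtml.dll", "wininet.dll", "shdocvw.dll", "browseui.dll"]


def sha256_of(path: Path) -> Optional[str]:
    """SHA-256 of a file, or None if it is not there."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(system32: Path, names: List[str] = IE_DLLS) -> Dict[str, Optional[str]]:
    """Hash each named DLL under a system32 directory (run on the clean box first)."""
    return {n: sha256_of(system32 / n) for n in names}


def compare(clean: Dict[str, Optional[str]], suspect: Dict[str, Optional[str]]) -> List[str]:
    """Names whose hash on the suspect machine differs from, or is missing versus, the clean one."""
    return [n for n, h in clean.items() if h is not None and suspect.get(n) != h]


def make_batch(names: List[str], source: str, target: str = r"%SystemRoot%\system32") -> str:
    """Emit the unregister / copy / re-register sequence from the article, for the diffs only."""
    lines = ["@echo off"]
    for n in names:
        lines += [
            f'regsvr32 /u /s "{target}\\{n}"',
            f'copy /y "{source}\\{n}" "{target}\\{n}"',
            f'regsvr32 /s "{target}\\{n}"',
        ]
    return "\r\n".join(lines) + "\r\n"


def demo() -> List[str]:
    """Two fake system32 trees (constructed data): one file tampered, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        clean.mkdir()
        suspect.mkdir()
        for n in IE_DLLS:
            for d in (clean, suspect):
                (d / n).write_bytes(b"known-good bytes for " + n.encode())
        (suspect / "urlmon.dll").write_bytes(b"not the same bytes")  # tampered
        (suspect / "browseui.dll").unlink()                            # missing
        return compare(manifest(clean), manifest(suspect))


if __name__ == "__main__":
    # usage: dllcheck.py manifest C:\WINDOWS\system32 > clean.json        (on the clean box)
    #        dllcheck.py compare clean.json C:\WINDOWS\system32 \\cleanbox\c$\WINDOWS\system32
    if len(sys.argv) >= 3 and sys.argv[1] == "manifest":
        print(json.dumps(manifest(Path(sys.argv[2])), indent=2))
    elif len(sys.argv) >= 5 and sys.argv[1] == "compare":
        bad = compare(json.load(open(sys.argv[2])), manifest(Path(sys.argv[3])))
        print(make_batch(bad, sys.argv[4]) if bad else "rem no differences found")
    else:
        print("differing:", demo())
```

Caveats when running the generated batch: a DLL that iexplore.exe or explorer.exe has loaded cannot be overwritten from a normal session, so run it from Safe Mode; Windows File Protection may quietly put the dllcache copy back, which is why the `sfc /purgecache` step comes first; and DLLs that export no DllRegisterServer simply fail the silent regsvr32 step, which is harmless. If every hash matches the clean machine, the IE DLLs are not the carrier and this whole procedure will not change anything, which is a useful thing to learn before spending an afternoon on it.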
 
LVL 6

Author Comment

by:rustyrpage
ID: 24110260
Some of these files I am not finding in the system32 folder - where else could they be?
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24110444
I just noticed the date of that article was 2005, which I would assume the files refer to SP1 or maybe SP2, so files may be different.

I'm sorry to keep jumping around, but before we move forward with this, let's try something else...
From Add/Remove Programs, remove IE7, SP3, and ALL updates/patches in relation to Windows and Internet Explorer. Then run CCleaner. Run both the "Cleaner" AND "Registry" buttons on the left to get rid of any orphaned registry entries. Additionally, you can run any other Disk Cleaning and Registry Cleaning utilities that you are familiar/comfortable with...the more the better. Then reboot the PC.

Now you should be back at IE6 and SP2. Do you still experience the same issue?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24110459
I tried to do that with just IE6 & it still did it - however, I am not able to remove SP3 as the person already ran CCleaner & deleted the windows update backups.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24110733
You should be able to download SP3 again and run the setup file to reinstall it....then uninstall from Add/Remove Programs.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24131840
Any updates rusty?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24131848
I was not able to uninstall/re-install SP3.  For now I am having them use Firefox since they cannot have any more interruptions.

I am just shocked that so many people have this problem & yet no one knows the fix.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24132131
Yeah...a Google search reveals that quite a few people are having the problem, but I guess it's not widespread "enough" for the major AV/Malware companies to implement a fix yet.
So, it wouldn't let you download and install SP3 though (right over the top of the existing one)??? That's very strange.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24132137
I have never successfully been able to do that honestly.
0
 
LVL 7

Expert Comment

by:tplaya07
ID: 24132527
You downloaded this one, correct?
http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

At what point does it get hung up and not let you install or overwrite? Is there any error message? I am wondering if this is related somehow.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24132561
I will have to look - like I mentioned, this is our president's assistant.  I had more time to work on it last week as she was out of the office...now I have pretty much no time to work on it.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24796177
We ended up swapping the computer to a laptop, so the problem "went away" =)

I will distribute points for a "thanks for the effort"
0
 
LVL 6

Author Closing Comment

by:rustyrpage
ID: 31567230
Thanks for your help
0
