PostQ
asked on
Possible Browser Hijack?
I have a user whose computer constantly tries to call out to www.ajaxcdn.org/swf.swf. This is blocked by our firewall, claiming that destination is a threat: "Threat (Mal/HTMLGen-A)". This will also happen several times a minute at some points, then go for an hour or so where there are no calls at all.
I've run the typical scans, Malwarebytes, SAS, AdwCleaner, Norton, Spybot, and everything is coming back clean at this point. Cleaned all of the browser caches, deleted temp files of everything, but this still calls out. Has anyone seen this before? Is this caused by something normal or not normal? It's only this one PC out of a couple hundred that does this.
Just adding to younghv's good post.
I would try TDSSKiller from Kaspersky.
http://support.kaspersky.com/us/5350
Click on "How to disinfect a compromised system"
then on tdsskiller.exe
Download and run it.
If you try this on the infected computer it may not get to the site. If that is the case, download it on a different computer and copy it over.
It is very quick to run and very good at finding certain hijackers. It is NOT as thorough as what was recommended above but it is so quick that it is an excellent first step.
If it does find something, have it remove it, reboot, then run it again to make sure it is gone. Don't stop there, though. Follow up with younghv's suggestions to be more thorough.
Hi PostQ,
did you check for this toolbar?
http://www.spigot.com/remove-search-settings.html
Greetinx
Marcel
ASKER
Yes I looked through the Control Panel, didn't find anything unusual. TDSSKiller didn't find anything. I will attach the ComboFix Log. Didn't find any toolbars.
ComboFix.txt
ASKER
Here is a sample of the firewall log from this machine. The first URL is the one that's being called to/blocked, the second one is the one it's calling from. This seems to not matter what the website is, it will try calling from eBay, google, all sorts of places. I purposefully put spaces in the blocked URL so that it won't be clickable. Here's the sample:
9/11/2013 10:54:27 AM DOMAIN\user PCName www .ajaxcdn. org/swf.swf Block Threat (Mal/HTMLGen-A) www.ebay.com
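The firewall line above carries the two facts that decide where to look: the blocked destination and the referring site. When the same blocked destination shows up with referers from unrelated sites (eBay, Google, anything the user browses), the request is not coming from one compromised website; something on the client is injecting it into every page, which is what a BHO, toolbar or rogue browser extension does. The script below is an added example written for this page, not code from the thread or from any of the tools mentioned. The log layout is inferred from the single line the asker posted; the sample lines, host names and the extra destinations are constructed, and the thresholds (a 60-second burst window, three or more referers counted as "unrelated") are arbitrary choices, not tool defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the asker's firewall log:
# date time user host destination action reason referer.
# Hosts, users and the extra destinations are made up; the blocked
# destination and threat name are the ones quoted in the post.
SAMPLE_LOG = r"""
9/11/2013 10:54:27 AM DOMAIN\user PCName www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) www.ebay.com
9/11/2013 10:54:31 AM DOMAIN\user PCName www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) www.google.com
9/11/2013 10:55:02 AM DOMAIN\user PCName www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) www.ebay.com
9/11/2013 10:55:40 AM DOMAIN\user PCName www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) news.example.com
9/11/2013 12:01:10 PM DOMAIN\user PCName www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) www.ebay.com
9/11/2013 10:54:27 AM DOMAIN\other PC2 www.ajaxcdn.org/swf.swf Block Threat (Mal/HTMLGen-A) www.ebay.com
9/11/2013 10:58:00 AM DOMAIN\user PCName cdn.example.net/lib.js Allow - www.ebay.com
"""

# Field order assumed from the one line in the post; the reason field may
# contain spaces ("Threat (Mal/HTMLGen-A)"), so it is matched non-greedily.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<user>\S+) (?P<host>\S+) (?P<dest>\S+) (?P<action>Block|Allow) "
    r"(?P<reason>.+?) (?P<referer>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def count_bursts(times, window, minimum):
    """Greedy pass over sorted timestamps: number of windows holding >= minimum events."""
    bursts, i = 0, 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= minimum:
            bursts += 1
        i = j + 1
    return bursts


def triage(events, window=timedelta(seconds=60), burst_min=2, unrelated_min=3):
    """Summarise blocked requests per (host, destination) and give a verdict."""
    groups = defaultdict(list)
    for ev in events:
        if ev["action"] == "Block":
            groups[(ev["host"], ev["dest"])].append(ev)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        referers = sorted({e["referer"] for e in evs})
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Several unrelated referring sites for one blocked destination means the
        # request is injected on the client (BHO, toolbar, extension, injected
        # script), not served by a single compromised website.
        if len(referers) >= unrelated_min:
            verdict = "client-side injection: inspect BHOs/extensions/run keys on host"
        else:
            verdict = "single referer: check the referring site before the host"
        report[key] = {
            "hits": len(evs),
            "referers": referers,
            "bursts": count_bursts(times, window, burst_min),
            "longest_gap_s": int(max(gaps, default=timedelta(0)).total_seconds()),
            "verdict": verdict,
        }
    return report


def hosts_for_destination(events, dest):
    """Which machines in the fleet were blocked reaching dest (scope check)."""
    return sorted({e["host"] for e in events if e["action"] == "Block" and e["dest"] == dest})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (host, dest), summary in triage(evs).items():
        print(f"{host} -> {dest}")
        for k, v in summary.items():
            print(f"  {k}: {v}")
    print("hosts hitting swf.swf:", hosts_for_destination(evs, "www.ajaxcdn.org/swf.swf"))
```

The burst count and longest gap reproduce the "several times a minute, then quiet for an hour" pattern from the question, which matches a component that fires on page loads rather than a timer-driven beacon; the fleet check (`hosts_for_destination`) is the quickest way to confirm the problem is confined to one machine before spending time on it.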
ComboFix has done many deletions and fixes. See below:
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\AutocompletePro
c:\program files (x86)\AutocompletePro\AcRemoteUpdate.exe
c:\program files (x86)\AutocompletePro\AutocompletePro.dll
c:\program files (x86)\AutocompletePro\InstTracker.exe
c:\program files (x86)\AutocompletePro\support@predictad.com\chrome.manifest
c:\program files (x86)\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul
c:\program files (x86)\AutocompletePro\support@predictad.com\chrome\content\options.js
c:\program files (x86)\AutocompletePro\support@predictad.com\chrome\content\options.xul
c:\program files (x86)\AutocompletePro\support@predictad.com\chrome\content\utils.js
c:\program files (x86)\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js
c:\program files (x86)\AutocompletePro\support@predictad.com\install.rdf
c:\program files (x86)\AutocompletePro\TaskScheduler.dll
c:\program files (x86)\AutocompletePro\unins000.dat
c:\program files (x86)\AutocompletePro\unins000.exe
c:\programdata\3002.abs
c:\programdata\3002.xml
c:\programdata\3003.abs
c:\programdata\3003.xml
c:\programdata\ccontineuetoSSaave
c:\programdata\ccontineuetoSSaave\51913acbd7057.tlb
c:\programdata\ccontineuetoSSaave\data\ccontineuetoSSaave.dat
c:\programdata\ConetInUyetyOsaavvea
c:\programdata\ConetInUyetyOsaavvea\51914457d68f1.tlb
c:\programdata\ConetInUyetyOsaavvea\data\ConetInUyetyOsaavvea.dat
c:\programdata\Microsoft\Windows\Start Menu\Programs\ccontineuetoSSaave
c:\programdata\Microsoft\Windows\Start Menu\Programs\ccontineuetoSSaave\ccontineuetoSSaave.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ccontineuetoSSaave\Uninstall.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ConetInUyetyOsaavvea
c:\programdata\Microsoft\Windows\Start Menu\Programs\ConetInUyetyOsaavvea\ConetInUyetyOsaavvea.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\ConetInUyetyOsaavvea\Uninstall.lnk
c:\programdata\uninstaller.exe
c:\users\user2\AppData\Local\assembly\tmp
c:\users\user\AppData\Local\assembly\tmp
c:\usersuser\g2mdlhlpx.exe
c:\users\user3\AppData\Local\assembly\tmp
c:\users\user4\AppData\Local\assembly\tmp
c:\users\user5\AppData\Local\assembly\tmp
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))
And here:
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Notify-SDWinLogon - SDWinLogon.dll
BHO-{C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} - c:\progra~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL
Toolbar-10 - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-AutocompletePro2_is1 - c:\program files (x86)\AutocompletePro\unins000.exe
.
- - - - ORPHANS REMOVED - - - -
We still have some work to do. Before that, I would recommend that you disable or uninstall the various anti-virus and anti-spyware products you have installed and running.
As per the ComboFix log you have:
AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
FW: Sophos Client Firewall *Enabled* {5DC05945-DCB7-74B7-ECB2-D2D780BF0EF1}
SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Uninstall Spybot - Search and Destroy, stop the Windows Defender services and stop the Sophos Anti-Virus services.
Re-run ComboFix and post the logs.
Thanks,
Sudeep Sharma
ASKER
No other person was able to solve the problem.
The security apps you ran are solid, but have you tried RogueKiller (RK) or ComboFix?
Detailed RK instructions here:
https://www.experts-exchange.com/A_4922.html Rogue-Killer-What-a-great-
ComboFix:
Please download ComboFix by sUBs:(and attach the resulting log)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*** NOTE
Please post the logs generated by ComboFix so that we can review the results.