Hijacked by *ww.syssecuritysite.com and infected by Zlob.downloader and hp100.TMP



Richie_B43
2006-07-08, 02:05
Hi guys,

I was lucky enough to find your site whilst doing a Google search for some solution to *ww.syssecuritysite.com, (One 'w' omitted to prevent the address coming up as a link.), which suddenly appeared last night and completely hijacked both Internet Explorer and my Tiscali Broadband browser.

It not only took over my Home Page, it overwrote all URLs typed into the address bar, and also seemed to provide an open door for about five different Trojans, a couple of which my installed anti-virus and anti-spyware could not delete. (Luckily the Google taskbar wasn't affected so I still was able to get access to the net).

I have followed the "self help" removal instructions (very clearly) set out in Tashi's sticky Smitfraud post and it seems to have done the trick ... so here is my rapport.txt report, Ewido log and HJT log for you to have a look at. (The Spybot-S&D scan came up clear).

Thanks in advance,

Richie.

-----------------------------------------------------
SmitFraudFix v2.68b

Scan done at 17:40:51.75, 07/07/2006
Run from C:\Documents and Settings\Richie\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:52:33 07/07/2006

+ Scan result:



HKU\S-1-5-21-117609710-1409082233-839522115-1004\Software\_siq -> Adware.Begin2Search : Cleaned with backup (quarantined).


::Report end

------------------------------------------------------------

ps: I'll post the HJT log on another thread.

R.

Richie_B43
2006-07-08, 02:12
Logfile of HijackThis v1.99.1
Scan saved at 19:11:25, on 07/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
E:\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [!ewido] "E:\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122636821970
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131621431828
O16 - DPF: {B21A38F1-EC5D-4519-A715-0AD9DC6CC7A3} (SMControl Class) - http://www.jjward.com/FPSMonitor/SMActiveX.dll
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{576A3E4D-842B-4B61-9A0E-7061E07F8B3D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

-----------------------------

Hope this is ok,

Richie.

pskelley
2006-07-08, 03:23
Hi Richie and welcome to the forum. Great job:bigthumb: following the instructions, all of your logs look clean. If all is running well, I would say you are good to go.

One thing I did notice: your Java program needs an update to jre1.5.0_07. See this information:
C:\Program Files\Java\jre1.5.0_05 <<< outdated
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...tashi:) will be along to close you in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
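A scripted form of the log check pskelley performs by eye above: the jre1.5.0_05 path falls below the jre1.5.0_07 the post asks for, and HijackThis marks orphaned autorun entries with "(file missing)". This is an added example, not code from the forum or from the HijackThis project; the log excerpt is constructed from a few lines of the log posted above, and the entry categories and version threshold are taken from this thread.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format, modelled on the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Minimum JRE the thread asks for (pskelley's post): jre1.5.0_07.
REQUIRED_JRE = (1, 5, 0, 7)

# Sun JRE install directories embed the version as jre<major>.<minor>.<micro>_<update>.
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
# HijackThis item lines start with a section code such as O4, O20, O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_jre_version(path):
    """Return the JRE version tuple embedded in a path (e.g. (1, 5, 0, 5)), or None."""
    m = JRE_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(log_text):
    """Walk a HijackThis log and return (finding_kind, detail) pairs.

    Kinds produced:
      outdated_jre    - a JRE directory older than REQUIRED_JRE (reported once per version)
      orphaned_entry  - an O-item whose target HijackThis flags as "(file missing)"
    """
    findings = []
    seen_jre = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ver = parse_jre_version(line)
        if ver and ver not in seen_jre:
            seen_jre.add(ver)
            if ver < REQUIRED_JRE:
                findings.append(("outdated_jre", "jre%d.%d.%d_%02d" % ver))
        m = ENTRY_RE.match(line)
        if m and m.group(2).endswith("(file missing)"):
            findings.append(("orphaned_entry", m.group(1) + " - " + m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```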

Richie_B43
2006-07-08, 16:20
Hi pskelley, thanks for the quick come-back,

In my first post I forgot to mention that just when I was about to download the cleaning programs to start the process, the syssecurity hijack suddenly seemed to disappear and my Tiscali home page started opening quite normally when IE was launched.

It could be that the particular variant that I had picked up has a limited lifespan, (or perhaps it knew what was coming and just ran away :D), but it is something that perhaps should be checked out, as it seems overly optimistic to think that it simply deletes itself - it may just go into 'invisible mode' and continue to do its dirty work quietly in the background, ready to pop up again at any time.

Rather than assume that the syssecurity hijack problem had somehow cured itself, plus the fact that I still had some apparently bulletproof Trojans on my system, (and God knows what else lurking in the Registry), I downloaded the required programs and went ahead with the cleaning process.

Before booting into Safe Mode to start the cleaning procedure I turned off System Restore, (turned it back on after cleaning was complete), deleted all Cookies via IE Internet Properties and Cookie Editor, deleted all Temporary Internet Files, including Offline, cleared all Histories and cleared the Windows Prefetch folder ... paranoia may sometimes lead to overkill it seems. :)

After cleaning was complete, I found an icon for Pest Trap in the Taskbar Notification Past Items list which I removed manually using a third-party Past Item removal tool.

Thanks again,

Richie.

pskelley
2006-07-08, 17:09
Hey Richie, and thanks for that feedback. Are you saying the infection seemed to stop before you ran the SmitfraudFix? Because as you can see infected files were deleted by the fix. If all is running well, I will leave you with this valuable information.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing, if anything should rear its ugly head once tashi:) closes you in a day or so, just PM one of us and we will address it.

Thanks...pskelley

Richie_B43
2006-07-08, 21:46
Yeah pskelley, that's exactly what happened.

Initially I had tried re-setting my Home Page address through both Control Panel/Internet Options and Internet Explorer Properties, but this of course had no effect, and also by typing Tiscali's URL directly into the IE Address Bar where it, (and any other web address that I tried to access), was immediately overwritten by *ww.syssecuritysite.com.

As a matter of fact, the only way I could access any web page other than *ww.syssecuritysite.com was to use the Google Taskbar to do a search for the site/page I wanted and access it via one of the links that Google found ... which for some reason was accepted into the address bar and not overwritten.

The initial hijack/infection occurred on Thursday night and I worked at it for a couple of hours without any success, except for getting rid of a number of the Trojans by running numerous scans with AVG, Kaspersky, Windows Defender, Spybot-S&D, Ad-Aware and CWShredder, (and of course finding and bookmarking your site), with *ww.syssecuritysite.com all the while remaining undetected and repeatedly coming up as my Home Page.

The next day when I booted up my computer and launched IE the situation was still the same - *ww.syssecuritysite.com was still coming up as my Home Page - but I worked around it and printed out tashi's sticky before disconnecting to do some work ... but when I later re-connected and launched IE to download your cleaning programs and start to clean the system, my Tiscali Broadband Home Page came up as normal. (I even exited and re-launched four or five times to make sure it wasn't just a flash-in-the-pan.)

For whatever reason, *ww.syssecuritysite.com simply stopped hijacking my Home Page, (not only before SmitFraudFix was run, but before it was even downloaded), but as I suspected, and as you say the rapport log confirms, it was still there in the system ... whether or not it would have remained dormant and simply sat there undetected and 'apparently' doing nothing, or whether it has been designed to go into 'invisible mode' after a certain period of time and then at some later time to re-activate itself, may warrant some further in-depth investigation.

I hope that this feedback is of some use.

Best regards,

Richie.

Richie_B43
2006-07-09, 15:05
One further bit of information,

During the time my system was infected, a WINDOWS\system32 page with all the text relating to the dllcache folder highlighted in blue started popping up on the desktop screen each and every time the system was fired up.

Since the system was cleaned, the system32 page no longer pops up on startup, but when I navigate to the page with Windows Explorer the dllcache folder text is still highlighted in blue.

Is this a warning of a damaged dll or some other potential problem lurking within the folder ... or am I just being paranoid?

Cheers,

Richie.

pskelley
2006-07-09, 15:30
Thanks much for that information, I doubt there is a problem with that file, but you can check it to be sure:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Actually I should have suggested System File Checker first. If anything is wrong with the file (and it is a valid file) SFC will replace it. You may need to have your installation CD handy in case Windows needs it.

Click Start > Run, type in sfc /scannow hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files

validation: http://www.updatexp.com/windows-file-protection.html

http://www.networkclue.com/os/Windows/commands/sfc.aspx

http://www.updatexp.com/scannow-sfc.html

Hope that helps...Phil

Just noticed you are from Belfast. With the last name of Skelley we may be long lost relatives. My great grandparents migrated to the Appalachian plateau of Maryland prior to the war for independence from the > :crowned: