HiJacker infected all computers on our local network!



elmodud
2010-08-27, 06:42
I found a hijacker that would re-direct search requests from Yahoo and Google on one computer in our house and a few hours later found it had spread to all seven computers in our house. These computers were all on the same local area network. I've run spybot and Avira which both pick up nothing. I've also turned off all computers but one and tried a restore to no avail.

Below is the DDS log for one of the computers that is infected:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:00:47.95 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.490 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282745290687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282845805640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-08-27 03:41:48 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-27 03:41:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-26 17:57:44 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-26 17:57:38 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-26 17:56:23 0 d-----w- c:\windows\system32\LogFiles
2010-08-26 17:52:04 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
2010-08-26 04:40:22 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-08-26 01:20:23 376 ----a-w- c:\windows\ODBC.INI
2010-08-26 01:19:53 0 d-----w- c:\program files\Microsoft ActiveSync
2010-08-26 01:19:10 0 d-----w- c:\windows\ShellNew
2010-08-25 19:23:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-25 19:23:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-25 17:56:26 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-08-25 17:56:06 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-25 17:55:27 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-25 17:53:18 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-25 17:51:56 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-25 17:51:56 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-25 17:51:47 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-25 17:49:34 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-25 17:47:14 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-08-25 17:46:26 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-08-25 17:44:51 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-25 17:44:35 0 d-----w- c:\windows\ie8updates
2010-08-25 17:44:18 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-25 17:44:18 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-25 17:44:18 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-25 17:44:18 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-25 17:44:18 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-25 17:44:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-25 17:44:18 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-25 17:43:07 0 dc-h--w- c:\windows\ie8
2010-08-25 17:06:23 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-08-25 17:03:49 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-25 17:03:45 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-25 17:02:54 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-25 17:02:50 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-25 15:15:11 0 d-----w- c:\windows\system32\scripting
2010-08-25 15:15:10 0 d-----w- c:\windows\system32\en
2010-08-25 15:15:10 0 d-----w- c:\windows\system32\bits
2010-08-25 15:15:10 0 d-----w- c:\windows\l2schemas
2010-08-25 15:13:27 0 d-----w- c:\windows\ServicePackFiles
2010-08-25 15:11:38 0 d-----w- c:\windows\network diagnostic
2010-08-25 14:31:56 9585 -c----w- c:\windows\system32\dllcache\controls.css
2010-08-25 14:11:16 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-25 14:11:16 0 d-----w- c:\windows\system32\PreInstall
2010-08-25 14:08:36 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-25 14:08:36 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-25 14:08:36 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-25 14:08:35 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-25 14:08:35 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-25 14:07:55 0 d-sh--w- c:\documents and settings\administrator\UserData
2010-08-25 04:13:32 43136 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-08-25 04:13:27 0 d-----w- c:\program files\Broadcom
2010-08-25 04:11:42 0 d-----w- c:\program files\UIU
2010-08-25 04:08:28 0 d-----w- c:\program files\Analog Devices
2010-08-25 04:03:29 94208 ----a-w- c:\windows\system32\igfxcpl.cpl
2010-08-25 03:59:37 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-25 02:21:56 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-25 02:21:31 0 d--h--w- c:\program files\WindowsUpdate
2010-08-25 02:20:41 0 d-----w- c:\program files\common files\MSSoap
2010-08-25 02:19:17 0 d-----w- c:\program files\Online Services
2010-08-25 02:19:11 0 d-----w- c:\program files\Messenger
2010-08-25 02:19:08 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-25 02:18:34 0 d-----w- c:\program files\Windows NT
2010-08-24 19:10:13 0 d-----w- c:\program files\common files\ODBC
2010-08-24 19:10:10 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-24 19:09:44 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-08-25 02:19:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 21:01:54.39 ===============

Is it possible for a hijacker to spread on a local area network like this? Please help - this is blowing my mind.....

elmodud
2010-08-27, 23:49
I researched this problem further and found the exploit. The virus got into my router (standard Netgear with factory password) and changed the DNS servers to their infected servers. They could then look at and redirect any internet link request they wanted on any computer that was using my network.

I was able to change the DNS settings to the correct values and the hijacking stopped on all computers on the network!

A word to the wise: Change the password on your router from the factory default!!!!

I still need to determine which computer is infected with the bug that modifies the router settings. I will repost if I need help with it....

Thanks,

elmodud
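A client-side check for the kind of router-level DNS tampering described in the post above, added here as an example that is not part of the original thread. It parses `ipconfig /all` output to find the resolvers each adapter was handed (a resolver that is neither the default gateway nor on a known-good allowlist is the tell-tale sign), and separately flags names whose answers from the system resolver share no address with a trusted resolver's answers. The `ipconfig` text, the allowlist and the resolver answers below are all constructed sample data using documentation-range addresses; a real run would feed live `ipconfig /all` output and live lookups into the same functions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not from the original thread).
# 198.51.100.7, a documentation-range address, stands in for a resolver that
# a tampered router has pushed out via DHCP alongside its own address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : FAMILY-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.7
                                            192.168.1.1
"""

# Constructed allowlist: the home LAN, i.e. the router itself is the only
# resolver a client on this network should ever be given.
ALLOWED_RESOLVERS = ["192.168.1.0/24"]

# Constructed lookup results. The system resolver returns one and the same
# address for two unrelated search engines, which is how a redirect looks.
SYSTEM_ANSWERS = {
    "www.google.com": {"192.0.2.10"},
    "www.yahoo.com": {"192.0.2.10"},
    "update.microsoft.com": {"203.0.113.40"},
}
TRUSTED_ANSWERS = {
    "www.google.com": {"203.0.113.20", "203.0.113.21"},
    "www.yahoo.com": {"203.0.113.30"},
    "update.microsoft.com": {"203.0.113.40"},
}

# "Key . . . . : value" lines; the key is everything before the dot leader.
_KV_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return {adapter: {"gateway": [...], "dns": [...]}} from ipconfig /all text."""
    adapters = {}
    current = None   # adapter whose block we are inside
    last_key = None  # key an indented continuation line belongs to
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            name = line.rstrip()[:-1]
            if " adapter " in name:
                name = name.split(" adapter ", 1)[1]
            current = name
            adapters[current] = {"gateway": [], "dns": []}
            last_key = None
            continue
        if current is None:
            continue  # host-wide lines before the first adapter block
        m = _KV_RE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            value = m.group(2)
        elif last_key is not None:
            value = line.strip()  # continuation line, e.g. a second DNS server
        else:
            continue
        ips = _IP_RE.findall(value)
        if last_key == "default gateway":
            adapters[current]["gateway"].extend(ips)
        elif last_key == "dns servers":
            adapters[current]["dns"].extend(ips)
    return adapters


def check_dns_servers(adapters, allowed):
    """Return (adapter, server) pairs for resolvers that are neither the
    adapter's default gateway nor inside one of the allowed networks."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    for name, info in adapters.items():
        for server in info["dns"]:
            if server in info["gateway"]:
                continue
            addr = ipaddress.ip_address(server)
            if any(addr in net for net in allowed_nets):
                continue
            findings.append((name, server))
    return findings


def compare_resolution(system_answers, trusted_answers):
    """Return the names whose system-resolver answers share no address with
    the trusted resolver's answers; both arguments map name -> set of IPs."""
    return sorted(name for name, addrs in system_answers.items()
                  if name in trusted_answers and not (addrs & trusted_answers[name]))


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for adapter, server in check_dns_servers(adapters, ALLOWED_RESOLVERS):
        print(f"{adapter}: unexpected DNS server {server}")
    for name in compare_resolution(SYSTEM_ANSWERS, TRUSTED_ANSWERS):
        print(f"{name}: system resolver answer differs from trusted resolver")
```

Run against the sample, the first check reports `198.51.100.7` on `Local Area Connection` and the second reports `www.google.com` and `www.yahoo.com`, while `update.microsoft.com` passes. Because the rogue resolver is handed out by the router over DHCP, clearing it on one PC only lasts until the next lease renewal; the durable fix is the one the poster applied, correcting the resolver settings on the router and replacing its factory password.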