View Full Version : Hijacked Browser, Possibly Smitfraud



alistair_craven
2005-12-07, 21:49
Hello!

I don't know what I did yesterday, but I infected my PC for the first time in 6 months with some malware that hijacks IE. The start page is modified to http://www.yoursystemupdate.com where I am aggressively invited to download antispyware programs, because my computer is infected. The only infection is this pest. Related sites are http://onlinesecuritytest.net/ and http://securityindex.net/. The pest also places two shortcuts on my desktop that lead to the above sites and imitate Windows XP icons related to security updates. There are also entries in the start menu and in the favorites tab. Each time I am redirected, or Y!msg notifies me that I have new mail and I open the window, I get an error page and the message that my adware program prevents the access and I should download their crap.

Besides Spybot S&D with TeaTimer, I also use Avast Home Edition and ZoneLabs Personal Firewall. Yesterday I updated both of them and after that I noticed the occurrence. Another strange thing is that the firewall asks me if I want to grant permission to Winlogon... and I said yes. Every now and then IE & Winlogon ask permission to connect to the net and I say no. There is also a process being launched in the background, called "mssearchnet.exe". Every time I end it, it turns on again.

Yesterday I found 2 entries in the registry under the name smitfraud, but Spybot failed to fix one of them... so I went to delete the keys myself, but I don't know if that was a smart thing.

Firefox is not affected. My HJT log follows.

alistair_craven
2005-12-07, 21:51
<<There is also a process called nvctrl.exe running>>

Logfile of HijackThis v1.99.1
Scan saved at 21:38:15, on 07.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\Winamp\winamp.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Navigatorul de internet
R3 - Default URLSearchHook is missing
O1 - Hosts: www.meetic.com
O1 - Hosts: meetic.com
O1 - Hosts: www.lovehappenes.com
O1 - Hosts: lovehappeness.com
O1 - Hosts: lovehappenes.com
O1 - Hosts: http://www.updateyoursystem.com/
O1 - Hosts: www.updateyoursystem.com
O1 - Hosts: http://www.updateyoursystem.com/
O1 - Hosts: www.onlinesecurity.com
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\System32\hpBB4E.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarcă folosind FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descarcă toate folosind FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm
O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O15 - Trusted Zone: www.myx.net
O15 - Trusted Zone: mymobile.sunrise.ch
O16 - DPF: Yahoo! Fleet -
O16 - DPF: Yahoo! Literati -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/5be9b0be/enter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
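
The log above mixes benign entries with the ones that point at the hijacker: the O1 hosts-file overrides, a BHO loaded from a .tmp file in System32, IE policy restrictions, an ActiveX download point, and the two processes the poster could not explain. The script below is an added example for this thread, not code from the poster or from the HijackThis tool; it parses an excerpt of the posted log and flags those entry classes. The line formats it matches are assumed from the log as posted, and the process watch list holds only the two names the poster named, so it is a triage aid for this log rather than a general signature set.

```python
"""Triage helper for HijackThis (HJT) log excerpts.

Added example for this thread; it is not code from the thread's poster or
from the HijackThis tool. The line formats below are assumed from the log
posted above, and the process watch list holds only the two names the
poster said he could not explain.
"""
import re
from dataclasses import dataclass
from typing import List

# Names the poster reported as unexplained (from the thread), not a general signature set.
REPORTED_PROCESSES = {"mssearchnet.exe", "nvctrl.exe"}

# Line formats assumed from the posted log.
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\\(?P<exe>[^\\]+\.exe)$", re.IGNORECASE)
O1_RE = re.compile(r"^O1 - Hosts: (?P<host>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>https?://\S+)$")


@dataclass
class Finding:
    section: str   # "process", "O1", "O2", "O6" or "O16"
    detail: str    # the process line, host, path, key or URL that was flagged
    reason: str    # why a reviewer would look at it


def triage_hjt(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            if m.group("exe").lower() in REPORTED_PROCESSES:
                findings.append(Finding("process", line, "process the poster could not explain"))
            continue
        m = O1_RE.match(line)
        if m:
            # HJT lists hosts entries other than the default localhost line,
            # so every O1 entry is an override of name resolution.
            findings.append(Finding("O1", m.group("host"), "hosts-file override of name resolution"))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("path").lower().endswith(".tmp"):
                findings.append(Finding("O2", m.group("path"), "BHO loaded from a .tmp file rather than an installed DLL"))
            continue
        m = O6_RE.match(line)
        if m:
            findings.append(Finding("O6", m.group("key"), "IE policy restriction set; unusual on a home PC"))
            continue
        m = O16_RE.match(line)
        if m:
            findings.append(Finding("O16", m.group("url"), "ActiveX download point (DPF) from an external site"))
    return findings


# Excerpt of the log posted in the thread, used here as sample input.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O1 - Hosts: www.meetic.com
O1 - Hosts: meetic.com
O1 - Hosts: www.lovehappenes.com
O1 - Hosts: lovehappeness.com
O1 - Hosts: lovehappenes.com
O1 - Hosts: http://www.updateyoursystem.com/
O1 - Hosts: www.updateyoursystem.com
O1 - Hosts: http://www.updateyoursystem.com/
O1 - Hosts: www.onlinesecurity.com
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\System32\hpBB4E.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: Yahoo! Fleet -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/5be9b0be/enter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}  <- {f.reason}")
```

Run against the excerpt it reports the two unexplained processes, all nine hosts-file overrides, the .tmp BHO, both IE restriction keys and the single external .cab download point, while the legitimate R0, O4 and Yahoo O16 lines pass through untouched. The O4 Run entries are deliberately not flagged: in this log they all belong to installed software, and deciding which autoruns are unwanted needs the context a helper brings, not a pattern.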

LonnyRJones
2005-12-12, 03:23
Hello
Thanks for your patience. If you're still in need of assistance and are not receiving it at another forum, post a fresh HijackThis log please.

tashi
2005-12-15, 03:32
alistair_craven, are you still needing assistance?

tashi
2005-12-17, 22:46
This topic will be archived.
If you need the thread reopened please pm me.