
Thread: My MS IE v6.0 browser has been hijacked

  1. #21
    PA Bear [MS MVP] Guest

    Re: My MS IE v6.0 browser has been hijacked



    browserquestions@yahoo.com wrote:
    > On Nov 26, 10:39 am, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    >> browserquesti...@yahoo.com wrote:
    >>
    >> <snip>
    >>
    >>> Malwarebytes found 6 backdoor bots and some infected files:
    >>> svchost.exe, twext.exe
    >>> that the other spyware tools missed.
    >>> My IE 6 browser is back to normal now.

    >>
    >> But is the computer free of any/all hijackware?

    >
    > The saga continues.
    >
    > After the initial cleanup using Malwarebytes Anti-Malware and
    > SUPERAntiSpyware,
    > MBAM found an additional Trojan.Downloader in a system restore point.
    > Next day, it found
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    > \iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
    > successfully.
    > and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
    >
    > Next day,
    > my Computer Associates AntiVirus v8 reported a couple of instances of:
    > Win32/Pruserinf.Y
    > on the infected laptop, and now also on a Desktop PC that was shared
    > via a network share!
    >
    > I Installed avast! on the laptop, and during the initial boot up scan,
    > it found:
    > Win32:Zbot-ASN [Trj]
    > Win32:Invo [Cryp]
    >
    > But now, CA anti-virus on the laptop crashes (conflict with avast! ?)
    >
    > My laptop Firewall (ZoneAlarm free) reports outbound requests in the
    > middle of the night from strangely named .exe file from the Windows
    > \temp folder.
    >
    > I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
    > the default.
    >
    > Is there something still hiding in the laptop, and generating all
    > these other trojans?


    Yes.

  2. #22
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 29, 3:39 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > You are still infected. There should be NO applications running from the TEMP folder. So
    > if ZA is indicating there is "...outbound requests in the
    > middle of the night from strangely named .exe file from the Windows .\temp folder..." you
    > still have a problem.


    I use CCleaner on a very frequent basis.
    Can't say the same for the other users of that laptop in the
    household.

    I am quite sure the temp folder(s) were empty.
    I guess the default behavior for CC is not to remove temp files less
    than 48 hours old.

    > Download and execute HiJack This! (HJT) http://www.trendsecure.com/portal/en...HJTInstall.exe
    >
    > Then post the contents of the HJT log in your post in one of the below expert forums...


    I'll post the HiJack logs to one of those forums.

    Thanks for your help.

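The check David describes above (nothing legitimate should be running out of a temp folder, and a firewall alert about a temp-folder .exe making outbound connections means the machine is still compromised) can be automated for triage. The script below is an added example and is not code from anyone in this thread; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection, which the XP-era laptop in the thread would not have) and an elevated PowerShell prompt so that the image path of every process is visible. It only reports; deciding what to quarantine is left to the scanners and forums the thread recommends.

```powershell
# Added example (not from the thread): inventory processes whose on-disk image
# lives under a temp folder and show their established TCP connections, parent
# process and Authenticode status so an analyst can triage them.
# Assumes Windows 8+/Server 2012+ (Get-NetTCPConnection) and an elevated prompt.

# Folders from which no legitimate long-running program should execute.
$tempRoots = @(
    (Join-Path $env:SystemRoot 'Temp'),
    $env:TEMP,
    $env:TMP
) | Where-Object { $_ } | Sort-Object -Unique

function Test-PathUnderTemp {
    param([string]$Path)
    if (-not $Path) { return $false }   # system processes expose no path
    foreach ($root in $tempRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Win32_Process exposes the image path, parent PID, command line and start time.
$suspects = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-PathUnderTemp $_.ExecutablePath }

if (-not $suspects) {
    Write-Output 'No running process has its image under a temp folder.'
    return
}

# Established connections keyed by owning PID (as strings); these correspond to
# the "outbound requests" a host firewall such as ZoneAlarm would report.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

foreach ($p in $suspects) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
    $remote = @($conns["$($p.ProcessId)"] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" })

    [pscustomobject]@{
        PID         = $p.ProcessId
        Image       = $p.ExecutablePath
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'unknown' }
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Started     = $p.CreationDate
        Remote      = $remote -join ', '
        CommandLine = $p.CommandLine
    }
}
```

Run it as a scheduled task or on demand while the alerts are occurring; an unsigned image under Windows\Temp with a non-interactive parent and an established connection to an unfamiliar address is exactly the kind of finding worth including with the HijackThis log when asking for help.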

  3. #23
    David H. Lipman Guest

    Re: My MS IE v6.0 browser has been hijacked

    From: "Buffalo" <Eric@nada.com.invalid>


    | [snip]

    | Shouldn't he shut off his System Restore since the virus(s) seem to be in
    | there and empty out his temp and TIF files?
    | Then shouldn't he run the detection programs again? Just curious, since I do
    | not have XP or Vista.
    | Thanks.

    As for the System Restore cache, No. Not until after the PC is deemed to be clean. This
    way there is a fall back position if the process of cleaning the PC goes bad. As for the
    TIF, chances are the file handle is in use and it can't be manually deleted. The only
    advantage is that when you dump the TIF and TEMP folders, you have fewer files to scan and
    thus it should be a little quicker.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  4. #24
    Buffalo Guest

    Re: My MS IE v6.0 browser has been hijacked



    David H. Lipman wrote:
    > From: "Buffalo" <Eric@nada.com.invalid>
    >
    >
    >> [snip]

    >
    >> Shouldn't he shut off his System Restore since the virus(s) seem to
    >> be in there and empty out his temp and TIF files?
    >> Then shouldn't he run the detection programs again? Just curious,
    >> since I do not have XP or Vista.
    >> Thanks.

    >
    > As for the System Restore cache, No. Not until after the PC is
    > deemed to be clean. This way there is a fall back position if the
    > process of cleaning the PC goes bad. As for the TIF, chances are
    > the file handle is in use and it can't be manually deleted. The only
    > advantage is that when you dump the TIF and TEMP folders, you have
    > fewer files to scan and thus it should be a little quicker.


    Thanks for that info. I always wondered about that.
    Buffalo
    PS: I use Win98SE and Win2000Pro on a dual boot.



  5. #25
    PA Bear [MS MVP] Guest

    Re: My MS IE v6.0 browser has been hijacked

    [Scares me!]

    Buffalo wrote:
    <snip>
    > PS: I use Win98SE and Win2000Pro on a dual boot.


  6. #26
    Buffalo Guest

    Re: My MS IE v6.0 browser has been hijacked



    PA Bear [MS MVP] wrote:
    > [Scares me!]
    >
    > Buffalo wrote:
    > <snip>
    >> PS: I use Win98SE and Win2000Pro on a dual boot.

    Works like a charm.
    No viruses or major adware or malware problems for over 2 yrs.
    Almost never a BSOD; in fact, I can't remember the last one.
    ECS K7S5A rev 3.1 mb, AMD Palomino 2100, 1GB DDR RAM, 8500LE Radeon, CD player
    and DVD burner, Realtek sound card, 450W PSU,
    120GB Maxtor HDD with a 160GB Buffalo external HDD for backup.
    I'm looking into upgrading to XP for better online game playing. Any
    suggestions for a do-it-yourself setup?
    i.e.: mb, cpu, vid card etc.



  7. #27
    Dustin Cook Guest

    Re: My MS IE v6.0 browser has been hijacked

    browserquestions@yahoo.com wrote in
    news:7d0e030e-d408-4af1-a0fe-66a30264c990@q26g2000prq.googlegroups.com:

    > On Nov 21, 8:45 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:
    >> Kayman <kaymanDeleteT...@operamail.com> wrote in
    >> news:gg35b6$nbi$1@news.motzarella.org:
    >>
    >>
    >>
    >> > On Wed, 19 Nov 2008 20:18:51 -0800 (PST),
    >> > browserquesti...@yahoo.com wrote:

    >>
    >> >> When I visit www.bankofamerica.com, there is an additional field
    >> >> "Enter ATM card number:"
    >> >> When I visit www.wellsfargo.com, there is an additional field for
    >> >> "ATM PIN"

    >>
    >> >> These fields don't appear when I use Mozilla Firefox v3.0

    >>
    >> >> I've reported the problem to the respective banks.

    >>
    >> >> Ad-Aware (free) , Spybot and Windows Defender don't detect this
    >> >> hijack

    >>
    >> >> Can someone here help me identify who/what hijacked my IE 6
    >> >> browser, and how I can find out which illegal IP address these 2
    >> >> fields are being transmitted to?
    >> > 3.Download/execute:
    >> > Malwarebytes© Corporation - Anti-Malware
    >> >http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    >> > After the software is updated, it is suggested scanning the system
    >> > in Safe Mode.

    >>
    >> Malwarebytes actually performs better in Normal Mode.

    >
    > I thought it was preferable to do these things (e.g. anti virus scans)
    > in Safe Mode to prevent stealth virii from going into stealth mode.
    > The only thing safer than the Safe Mode is to boot up from a WIN PE or
    > BART PE CD ?


    In most cases, very sound advice. In the case of Malwarebytes, no. It's
    actually designed to run best in Normal Mode. The reason being, in Safe
    Mode, some registry keys and programs fail to be initialized/run.
    Malwarebytes' heuristic engine actually looks for some of these things, so
    when it's run in Safe Mode, they won't be present and it can't deal with
    them.




    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  8. #28
    Dustin Cook Guest

    Re: My MS IE v6.0 browser has been hijacked

    "Buffalo" <Eric@nada.com.invalid> wrote in
    news:ggrou2$5b3$1@news.motzarella.org:

    > David H. Lipman wrote:
    >> From: <browserquestions@yahoo.com>
    >>
    >>
    >>> The saga continues.

    >>
    >>> After the initial cleanup using Malwarebytes Anti-Malware and
    >>> SUPERAntiSpyware,
    >>> MBAM found an additional Trojan.Downloader in a system restore
    >>> point. Next day, it found
    >>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    >>> NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
    >>> Quarantined and deleted successfully.
    >>> and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

    >>
    >>> Next day,
    >>> my Computer Associates AntiVirus v8 reported a couple of instances
    >>> of: Win32/Pruserinf.Y
    >>> on the infected laptop, and now also on a Desktop PC that was shared
    >>> via a network share!

    >>
    >>> I Installed avast! on the laptop, and during the initial boot up
    >>> scan, it found:

    >> Win32::Zbot-ASN [Trj]
    >> Win32::Invo [Cryp]
    >>
    >>> But now, CA anti-virus on the laptop crashes (conflict with avast!
    >>> ?)

    >>
    >>> My laptop Firewall (ZoneAlarm free) reports outbound requests in the
    >>> middle of the night from strangely named .exe file from the Windows
    >>> \temp folder.

    >>
    >>> I've also upgraded the MSIE on the laptop to v7, but use Firefox v3
    >>> as the default.

    >>
    >>> Is there something still hiding in the laptop, and generating all
    >>> these other trojans?

    >>
    >> You can have only one fully installed anti virus application
    >> performing both "On Demand" and "On Access" scanning. You can't have
    >> two.
    >>
    >> You can however supplement that one fully installed anti virus
    >> application with additional "On Demand" anti virus scanners. These
    >> can be online scanners or command line scanners that run locally.
    >>
    >> You are still infected. There should be NO applications running from
    >> the TEMP folder. So if ZA is indicating there is "...outbound
    >> requests in the
    >> middle of the night from strangely named .exe file from the Windows
    >> .\temp folder..." you still have a problem.
    >>
    >> Start by uninstalling Avast and see if that corrects CA anti-virus.

    > [snip]
    >
    > Shouldn't he shut off his System Restore since the virus(s) seem to be
    > in there and empty out his temp and TIF files?


    Not right away. One could lose useful registry data and/or potentially
    good files.



    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org

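David's point, quoted in the post above, is that only one product should provide "On Access" (real-time) scanning, with any others used on demand only; two resident engines fighting over the same file handles is the likeliest cause of the CA crash after avast! was installed. The script below is an added example, not code from anyone in this thread, that lists what Windows itself believes is registered as anti-virus and warns when more than one product claims real-time protection. It assumes a client edition of Windows Vista or later (the root/SecurityCenter2 namespace does not exist on server SKUs or on the XP laptop in the thread), and the decoding of productState is an assumption: the field is undocumented, and the bit positions used here follow the convention commonly seen in administrative scripts.

```powershell
# Added example (not from the thread): enumerate anti-virus products registered
# with Windows Security Center and flag more than one with real-time scanning.
# Assumes Windows Vista+ client SKU (root/SecurityCenter2 namespace).
# productState decoding is an ASSUMPTION based on common convention:
#   bit 0x1000 set -> real-time ("On Access") protection enabled
#   bit 0x0010 set -> signatures reported out of date

function Get-RegisteredAntiVirus {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop

    foreach ($p in $products) {
        $state = [int]$p.productState
        [pscustomobject]@{
            Name       = $p.displayName
            RealTimeOn = (($state -band 0x1000) -ne 0)   # assumed bit meaning, see above
            SigsStale  = (($state -band 0x0010) -ne 0)   # assumed bit meaning, see above
            StateHex   = ('0x{0:X6}' -f $state)          # raw value for manual checking
            Exe        = $p.pathToSignedProductExe
            Updated    = $p.timestamp
        }
    }
}

$av = @(Get-RegisteredAntiVirus)
$av | Format-Table -AutoSize

$active = @($av | Where-Object RealTimeOn)
if ($active.Count -gt 1) {
    Write-Warning ("{0} products report real-time scanning enabled: {1}. Keep one resident engine; uninstall or switch the others to on-demand use." -f $active.Count, ($active.Name -join ', '))
} elseif ($active.Count -eq 0) {
    Write-Warning 'No registered anti-virus product reports real-time protection.'
}
```

Because the productState layout is not documented, treat the decoded columns as a hint and confirm against each product's own console; the raw StateHex column is printed so the assumption can be checked against what the vendor UI shows.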


  9. #29
    Dustin Cook Guest

    Re: My MS IE v6.0 browser has been hijacked

    "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in news:uUo4IJmUJHA.1160
    @TK2MSFTNGP02.phx.gbl:

    > [Scares me!]
    >
    > Buffalo wrote:
    > <snip>
    >> PS: I use Win98SE and Win2000Pro on a dual boot.

    >


    Why? Not too shabby for OSes... Vista on the other hand... ewww


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  10. #30
    Buffalo Guest

    Re: My MS IE v6.0 browser has been hijacked



    Dustin Cook wrote:
    > "Buffalo" <Eric@nada.com.invalid> wrote in
    > news:ggrou2$5b3$1@news.motzarella.org:
    >
    >> David H. Lipman wrote:
    >>> From: <browserquestions@yahoo.com>
    >>>
    >>>
    >>>> The saga continues.
    >>>
    >>>> After the initial cleanup using Malwarebytes Anti-Malware and
    >>>> SUPERAntiSpyware,
    >>>> MBAM found an additional Trojan.Downloader in a system restore
    >>>> point. Next day, it found
    >>>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    >>>> NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
    >>>> Quarantined and deleted successfully.
    >>>> and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
    >>>
    >>>> Next day,
    >>>> my Computer Associates AntiVirus v8 reported a couple of instances
    >>>> of: Win32/Pruserinf.Y
    >>>> on the infected laptop, and now also on a Desktop PC that was
    >>>> shared via a network share!
    >>>
    >>>> I Installed avast! on the laptop, and during the initial boot up
    >>>> scan, it found:
    >>> Win32::Zbot-ASN [Trj]
    >>> Win32::Invo [Cryp]
    >>>
    >>>> But now, CA anti-virus on the laptop crashes (conflict with avast!
    >>>> ?)
    >>>
    >>>> My laptop Firewall (ZoneAlarm free) reports outbound requests in
    >>>> the middle of the night from strangely named .exe file from the
    >>>> Windows \temp folder.
    >>>
    >>>> I've also upgraded the MSIE on the laptop to v7, but use Firefox v3
    >>>> as the default.
    >>>
    >>>> Is there something still hiding in the laptop, and generating all
    >>>> these other trojans?
    >>>
    >>> You can have only one fully installed anti virus application
    >>> performing both "On Demand" and "On Access" scanning. You can't
    >>> have two.
    >>>
    >>> You can however supplement that one fully installed anti virus
    >>> application with additional "On Demand" anti virus scanners. These
    >>> can be online scanners or command line scanners that run locally.
    >>>
    >>> You are still infected. There should be NO applications running
    >>> from the TEMP folder. So if ZA is indicating there is "...outbound
    >>> requests in the
    >>> middle of the night from strangely named .exe file from the Windows
    >>> .\temp folder..." you still have a problem.
    >>>
    >>> Start by uninstalling Avast and see if that corrects CA anti-virus.
    >>> [snip]

    >>
    >> Shouldn't he shut off his System Restore since the virus(s) seem to
    >> be in there and empty out his temp and TIF files?

    >
    > Not right away. One could lose useful registry data and/or potentially
    > good files.


    Thanks.


