Discussion:
My MS IE v6.0 browser has been hijacked
b***@yahoo.com
2008-11-20 04:18:51 UTC
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"

These fields don't appear when I use Mozilla Firefox v3.0

I've reported the problem to the respective banks.

Ad-Aware (free), Spybot and Windows Defender don't detect this hijack

Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
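One way to pin down exactly which fields were injected is to save the same bank page from a browser believed clean and from the suspect browser, and diff the forms. The Python below is an added example, not code from the original post or from either bank; the two HTML documents in it are constructed stand-ins for the login pages, not real captures, and the field names in them are invented for the example.

```python
"""Diff the form fields of two captures of the same login page.  Added example,
not code from the original post; the two HTML documents below are constructed
stand-ins for the bank pages, not real captures."""

from html.parser import HTMLParser


class FormFieldParser(HTMLParser):
    """Collect (form action, input name, input type) for every <input> that
    sits inside a <form>."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._action = None          # action of the currently open <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and self._action is not None:
            self.fields.append(
                (self._action, a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def extract_fields(html):
    """Set of (action, name, type) triples for all form inputs in the page."""
    parser = FormFieldParser()
    parser.feed(html)
    parser.close()
    return set(parser.fields)


def injected_fields(baseline_html, suspect_html):
    """Inputs present in the suspect capture but absent from the baseline,
    each with the action URL the form would submit it to."""
    return sorted(extract_fields(suspect_html) - extract_fields(baseline_html))


# Constructed sample: what the page looks like in the clean browser.
CLEAN_CAPTURE = """
<html><body>
<form action="/login" method="post">
  <label>Online ID <input name="online_id" type="text"></label>
  <label>Passcode <input name="passcode" type="password"></label>
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: the same page as rendered by the suspect browser, with
# two extra fields of the kind described in the thread.
SUSPECT_CAPTURE = """
<html><body>
<form action="/login" method="post">
  <label>Online ID <input name="online_id" type="text"></label>
  <label>Passcode <input name="passcode" type="password"></label>
  <label>Enter ATM card number: <input name="atm_card" type="text"></label>
  <label>ATM PIN <input name="atm_pin" type="password"></label>
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, name, kind in injected_fields(CLEAN_CAPTURE, SUSPECT_CAPTURE):
        print(f"injected field {name!r} ({kind}) would be posted to {action}")
```

Two caveats when using this on a real machine. The clean copy must come from a different browser or a different machine, because malware that rewrites pages inside the browser process will also have rewritten anything that browser's "View Source" shows. And, as in the constructed sample, the injected fields usually sit in the bank's own form with the bank's own action URL, since the malware harvests the values inside the browser before or as they are submitted; the form action therefore does not answer the question of where the data ends up, and the outbound-connection log of a firewall is the better place to look for that.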
Kayman
2008-11-20 07:58:28 UTC
Post by b***@yahoo.com
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
1.Clear the (IE) temporary Internet files and the history cache.
Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
quotation marks) into the box, then click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...'button then place a checkmark into the box beside 'Also delete files
and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
marks) into the box, then click the 'OK' button. Select your drive
(presumably WinXP (C:)) and click OK.

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, it is suggested scanning the system in Safe
Mode.

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

5.Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)
Dustin Cook
2008-11-22 04:45:35 UTC
Post by Kayman
Post by b***@yahoo.com
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for
"ATM PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
After the software is updated, it is suggested scanning the system in
Safe Mode.
Malwarebytes actually performs better in Normal Mode. :)
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Kayman
2008-11-22 08:50:47 UTC
Post by Dustin Cook
Malwarebytes actually performs better in Normal Mode. :)
Thanks, I'll keep that in mind!
PA Bear [MS MVP]
2008-11-22 16:23:53 UTC
Post by Kayman
Post by Dustin Cook
Malwarebytes actually performs better in Normal Mode. :)
Thanks, I'll keep that in mind!
You have one? <wink>
Kayman
2008-11-23 01:42:39 UTC
Post by PA Bear [MS MVP]
Post by Kayman
Post by Dustin Cook
Malwarebytes actually performs better in Normal Mode. :)
Thanks, I'll keep that in mind!
You have one? <wink>
Definitely.
Rhonda Lea Kirk Fries
2008-11-23 08:05:03 UTC
Post by Kayman
Post by PA Bear [MS MVP]
Post by Kayman
Post by Dustin Cook
Malwarebytes actually performs better in Normal Mode. :)
Thanks, I'll keep that in mind!
You have one? <wink>
Definitely.
If you want to be believed, you must immediately post a link to pictures
of what's inside your skull.

<ducks and runs>
--
Rhonda Lea Kirk Fries

"You know you can indict a ham sandwich if you want to."
William J. Martini, Judge, United States District Court
Kayman
2008-11-24 07:58:00 UTC
Post by Rhonda Lea Kirk Fries
Post by Kayman
Post by PA Bear [MS MVP]
Post by Kayman
Post by Dustin Cook
Malwarebytes actually performs better in Normal Mode. :)
Thanks, I'll keep that in mind!
You have one? <wink>
Definitely.
If you want to be believed, you must immediately post a link to pictures
of what's inside your skull.
Boasting is not my thing (refer to my signature :-))
b***@yahoo.com
2008-11-29 07:47:32 UTC
Post by Dustin Cook
Post by Kayman
When I visitwww.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visitwww.wellsfargo.com, there is an additional field for
"ATM PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
After the software is updated, it is suggested scanning the system in
Safe Mode.
Malwarebytes actually performs better in Normal Mode. :)
I thought it was preferable to do these things (e.g. anti virus scans)
in Safe Mode to prevent stealth virii from going into stealth mode.
The only thing safer than the Safe Mode is to boot up from a WIN PE or
BART PE CD ?
David H. Lipman
2008-11-29 11:26:13 UTC
From: <***@yahoo.com>

| I thought it was preferable to do these things (e.g. anti virus scans)
| in Safe Mode to prevent stealth virii from going into stealth mode.
| The only thing safer than the Safe Mode is to boot up from a WIN PE or
| BART PE CD ?

There are no computer viri or virii. They are computer viruses.

MBAM does not target viruses. It targets non-viral malware.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Dustin Cook
2008-12-02 03:14:09 UTC
Post by b***@yahoo.com
Post by Dustin Cook
On Wed, 19 Nov 2008 20:18:51 -0800 (PST),
When I visitwww.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visitwww.wellsfargo.com, there is an additional field for
"ATM PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6
browser, and how I can find out which illegal IP address these 2
fields are being transmitted to?
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
After the software is updated, it is suggested scanning the system
in Safe Mode.
Malwarebytes actually performs better in Normal Mode. :)
I thought it was preferable to do these things (e.g. anti virus scans)
in Safe Mode to prevent stealth virii from going into stealth mode.
The only thing safer than the Safe Mode is to boot up from a WIN PE or
BART PE CD ?
In most cases, very sound advice. In the case of Malwarebytes, no. It's
actually designed to run best in Normal Mode. The reason being, in Safe
Mode, some registry keys and programs fail to be initialized/run.
Malwarebytes' heuristic engine actually looks for some of these things, so
when it's run in Safe Mode, they won't be present and it can't deal with
them.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
b***@yahoo.com
2008-11-26 03:06:19 UTC
Post by Kayman
When I visitwww.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visitwww.wellsfargo.com, there is an additional field for "ATM
PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
1.Clear the (IE) temporary Internet files and the history cache.
Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
quotation marks) into the box, then click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...'button then place a checkmark into the box beside 'Also delete files
and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.
2.Clean HDD
Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
marks) into the box, then click the 'OK' button. Select your drive
(presumably WinXP (C:)) and click OK.
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
After the software is updated, it is suggested scanning the system in Safe
Mode.
4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75...
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.
5.Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
Good luck :)
Thanks!

Malwarebytes found 6 backdoor bots and some infected files:
svchost.exe, twext.exe
that the other spyware tools missed.
My IE 6 browser is back to normal now.
David H. Lipman
2008-11-26 03:09:53 UTC
From: <***@yahoo.com>



| Thanks!

| Malwarebytes found 6 backdoor bots and some infected files:
| svchost.exe, twext.exe
| that the other spyware tools missed.
| My IE 6 browser is back to normal now.

You had a Zbot infection.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
PA Bear [MS MVP]
2008-11-26 18:39:21 UTC
***@yahoo.com wrote:
<snip>
Post by b***@yahoo.com
svchost.exe, twext.exe
that the other spyware tools missed.
My IE 6 browser is back to normal now.
But is the computer free of any/all hijackware?
b***@yahoo.com
2008-11-29 07:49:46 UTC
Post by PA Bear [MS MVP]
<snip>
Post by b***@yahoo.com
svchost.exe, twext.exe
that the other spyware tools missed.
My IE 6 browser is back to normal now.
But is the computer free of any/all hijackware?
The saga continues.

After the initial cleanup using Malwarebytes Anti-Malware and
SUPERAntiSpyware,
MBAM found an additional Trojan.Downloader in a system restore point.
Next day, it found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
\iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
successfully.
and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

Next day,
my Computer Associates AntiVirus v8 reported a couple of instances of:
Win32/Pruserinf.Y
on the infected laptop, and now also on a Desktop PC that was shared
via a network share!

I installed avast! on the laptop, and during the initial boot up scan,
it found:
Win32:Zbot-ASN [Trj]
Win32:Invo [Cryp]

But now, CA anti-virus on the laptop crashes (conflict with avast! ?)

My laptop Firewall (ZoneAlarm free) reports outbound requests in the
middle of the night from strangely named .exe file from the Windows
\temp folder.

I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
the default.

Is there something still hiding in the laptop, and generating all
these other trojans?
David H. Lipman
2008-11-29 11:39:41 UTC
From: <***@yahoo.com>


| The saga continues.

| After the initial cleanup using Malwarebytes Anti-Malware and
| SUPERAntiSpyware,
| MBAM found an additional Trojan.Downloader in a system restore point.
| Next day, it found
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
| \iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
| successfully.
| and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

| Next day,
| my Computer Associates AntiVirus v8 reported a couple of instances of:
| Win32/Pruserinf.Y
| on the infected laptop, and now also on a Desktop PC that was shared
| via a network share!

| I installed avast! on the laptop, and during the initial boot up scan,
| it found:
Win32::Zbot-ASN [Trj]
Win32::Invo [Cryp]

| But now, CA anti-virus on the laptop crashes (conflict with avast! ?)

| My laptop Firewall (ZoneAlarm free) reports outbound requests in the
| middle of the night from strangely named .exe file from the Windows
| \temp folder.

| I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
| the default.

| Is there something still hiding in the laptop, and generating all
| these other trojans?

You can have only one fully installed anti virus application performing both "On Demand"
and "On Access" scanning. You can't have two.

You can however supplement that one fully installed anti virus application with additional
"On Demand" anti virus scanners. These can be online scanners or command line scanners
that run locally.

You are still infected. There should be NO applications running from the TEMP folder. So
if ZA is indicating there is "...outbound requests in the
middle of the night from strangely named .exe file from the Windows .\temp folder..." you
still have a problem.

Start by uninstalling Avast and see if that corrects CA anti-virus. Then perform the
following...


Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
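Dave's rule above, that nothing should be running from the TEMP folder, can be turned into a triage check over a firewall's outbound-connection log, which also records the destination the original poster asked about. The Python below is an added example, not code from the original post and not ZoneAlarm's own export format: the log layout and the log lines are constructed for the example (destination addresses are from the RFC 5737 documentation ranges), so the regular expression has to be adapted to whatever the real firewall writes.

```python
"""Triage a firewall's outbound-connection log for programs launched from a
temporary folder.  Added example; the log format below is constructed for the
example and is NOT ZoneAlarm's real export format, so LOG_LINE would need
adjusting for real data."""

import re
from collections import Counter
from pathlib import PureWindowsPath

# Directory names that user-facing programs should not be started from.
# "Temporary Internet Files" is IE's cache, the thread's "TIF".
TEMP_DIR_NAMES = {"temp", "tmp", "temporary internet files"}

# Constructed line format: "<date> <time> <OUT|IN> <program path> <ip>:<port>"
LOG_LINE = re.compile(
    r"^(?P<when>\S+ \S+)\s+(?P<dir>OUT|IN)\s+(?P<path>.+?\.exe)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$",
    re.IGNORECASE,
)


def is_temp_path(path):
    """True if any directory component of a Windows path is a temp folder.
    Only the folder is checked, not the file name, because the names are random."""
    dirs = PureWindowsPath(path).parts[:-1]          # drop the file name
    return any(d.lower() in TEMP_DIR_NAMES for d in dirs)


def suspicious_outbound(lines):
    """Return [(program_path, 'ip:port', hit_count)] for outbound connections
    made by executables located under a temp folder, sorted by path."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("dir").upper() != "OUT":
            continue                                  # unparsable or inbound
        path = m.group("path")
        if is_temp_path(path):
            counts[(path, f"{m.group('ip')}:{m.group('port')}")] += 1
    return sorted((p, d, n) for (p, d), n in counts.items())


# Constructed sample log, including one line that does not parse.
SAMPLE_LOG = r"""
2008-11-29 03:12:44 OUT C:\WINDOWS\Temp\xkq81.exe 203.0.113.5:8080
2008-11-29 03:12:45 OUT C:\WINDOWS\Temp\xkq81.exe 203.0.113.5:8080
2008-11-29 09:01:10 OUT C:\Program Files\Mozilla Firefox\firefox.exe 198.51.100.20:443
2008-11-29 09:02:30 OUT C:\Documents and Settings\User\Local Settings\Temp\updt.exe 203.0.113.77:80
2008-11-29 09:05:00 OUT C:\WINDOWS\system32\svchost.exe 198.51.100.9:80
2008-11-29 09:05:01 IN C:\WINDOWS\Temp\xkq81.exe 203.0.113.5:8080
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for path, dest, n in suspicious_outbound(SAMPLE_LOG.splitlines()):
        print(f"{n:3d} outbound connection(s) from {path} to {dest}")
```

Installers that unpack into Temp and run from there are the usual false positive, so the result is a triage queue rather than a verdict: each (program, destination) pair is something to look at, and a program that is still there and still connecting after the installer has finished is what Dave is describing. Inbound lines are ignored on purpose; the question in the thread is what the machine is sending out.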
Buffalo
2008-11-29 16:00:18 UTC
Post by David H. Lipman
Post by b***@yahoo.com
The saga continues.
After the initial cleanup using Malwarebytes Anti-Malware and
SUPERAntiSpyware,
MBAM found an additional Trojan.Downloader in a system restore point.
Next day, it found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
Quarantined and deleted successfully.
and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
Next day,
my Computer Associates AntiVirus v8 reported a couple of instances
of: Win32/Pruserinf.Y
on the infected laptop, and now also on a Desktop PC that was shared
via a network share!
I installed avast! on the laptop, and during the initial boot up
Win32::Zbot-ASN [Trj]
Win32::Invo [Cryp]
Post by b***@yahoo.com
But now, CA anti-virus on the laptop crashes (conflict with avast! ?)
My laptop Firewall (ZoneAlarm free) reports outbound requests in the
middle of the night from strangely named .exe file from the Windows
\temp folder.
I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
the default.
Is there something still hiding in the laptop, and generating all
these other trojans?
You can have only one fully installed anti virus application
performing both "On Demand" and "On Access" scanning. You can't have
two.
You can however supplement that one fully installed anti virus
application with additional "On Demand" anti virus scanners. These
can be online scanners or command line scanners that run locally.
You are still infected. There should be NO applications running from
the TEMP folder. So if ZA is indicating there is "...outbound
requests in the
middle of the night from strangely named .exe file from the Windows
.\temp folder..." you still have a problem.
Start by uninstalling Avast and see if that corrects CA anti-virus.
[snip]

Shouldn't he shut off his System Restore since the virus(s) seem to be in
there and empty out his temp and TIF files?
Then shouldn't he run the detection programs again? Just curious, since I do
not have XP or Vista.
Thanks.
David H. Lipman
2008-11-29 19:16:16 UTC
From: "Buffalo" <***@nada.com.invalid>


| [snip]

| Shouldn't he shut off his System Restore since the virus(s) seem to be in
| there and empty out his temp and TIF files?
| Then shouldn't he run the detection programs again? Just curious, since I do
| not have XP or Vista.
| Thanks.

As for the System Restore cache, No. Not until after the PC is deemed to be clean. This
way there is a fall back position if the process of cleaning the PC goes bad. As for the
TIF, chances are the file handle is in use and it can't be manually deleted. The only
advantage is that when you dump the TIF and TEMP folders, you have fewer files to scan and
thus it should be a little quicker.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Buffalo
2008-11-29 20:02:27 UTC
Post by David H. Lipman
Post by Buffalo
[snip]
Shouldn't he shut off his System Restore since the virus(s) seem to
be in there and empty out his temp and TIF files?
Then shouldn't he run the detection programs again? Just curious,
since I do not have XP or Vista.
Thanks.
As for the System Restore cache, No. Not until after the PC is
deemed to be clean. This way there is a fall back position if the
process of cleaning the PC goes bad. As for the TIF, chances are
the file handle is in use and it can't be manually deleted. The only
advantage is that when you dump the TIF and TEMP folders, you have
fewer files to scan and thus it should be a little quicker.
Thanks for that info. I always wondered about that.
Buffalo
PS: I use Win98SE and Win2000Pro on a dual boot.
PA Bear [MS MVP]
2008-11-29 20:30:37 UTC
[Scares me!]

Buffalo wrote:
<snip>
Post by Buffalo
PS: I use Win98SE and Win2000Pro on a dual boot.
Buffalo
2008-11-29 21:16:22 UTC
Post by PA Bear [MS MVP]
[Scares me!]
<snip>
Post by Buffalo
PS: I use Win98SE and Win2000Pro on a dual boot.
Works like a charm.
No viruses or major adware or malware problems for over 2yrs.
Almost never a BSOD, in fact, I can't remember the last one.
ECS K7S5a rev 3.1 mb, AMD Palomino 2100, 1GB DDR RAM, 8500LE Radeon, CD Player
and DVD Burner, Realtek sound card, 450W PSU
120GB Maxtor HDD with a 160GB Buffalo External HDD for backup
I'm looking into upgrading to XP for better online game playing. Any
suggestions for a do it yourself setup?
ie: mb,cpu,vid card etc
Dustin Cook
2008-12-02 03:16:02 UTC
Post by PA Bear [MS MVP]
[Scares me!]
<snip>
Post by Buffalo
PS: I use Win98SE and Win2000Pro on a dual boot.
Why? Not too shabby for OSes... Vista on the other hand... ewww
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Dustin Cook
2008-12-02 03:15:26 UTC
Post by Buffalo
Post by David H. Lipman
Post by b***@yahoo.com
The saga continues.
After the initial cleanup using Malwarebytes Anti-Malware and
SUPERAntiSpyware,
MBAM found an additional Trojan.Downloader in a system restore
point. Next day, it found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
Quarantined and deleted successfully.
and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
Next day,
my Computer Associates AntiVirus v8 reported a couple of instances
of: Win32/Pruserinf.Y
on the infected laptop, and now also on a Desktop PC that was shared
via a network share!
I installed avast! on the laptop, and during the initial boot up
Win32::Zbot-ASN [Trj]
Win32::Invo [Cryp]
Post by b***@yahoo.com
But now, CA anti-virus on the laptop crashes (conflict with avast! ?)
My laptop Firewall (ZoneAlarm free) reports outbound requests in the
middle of the night from strangely named .exe file from the Windows
\temp folder.
I've also upgraded the MSIE on the laptop to v7, but use Firefox v3
as the default.
Is there something still hiding in the laptop, and generating all
these other trojans?
You can have only one fully installed anti virus application
performing both "On Demand" and "On Access" scanning. You can't have
two.
You can however supplement that one fully installed anti virus
application with additional "On Demand" anti virus scanners. These
can be online scanners or command line scanners that run locally.
You are still infected. There should be NO applications running from
the TEMP folder. So if ZA is indicating there is "...outbound
requests in the
middle of the night from strangely named .exe file from the Windows
.\temp folder..." you still have a problem.
Start by uninstalling Avast and see if that corrects CA anti-virus.
[snip]
Shouldn't he shut off his System Restore since the virus(s) seem to be
in there and empty out his temp and TIF files?
Not right away. One could lose useful registry data and/or potentially
good files.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Buffalo
2008-12-02 14:52:45 UTC
Post by Dustin Cook
Post by Buffalo
Post by David H. Lipman
Post by b***@yahoo.com
The saga continues.
After the initial cleanup using Malwarebytes Anti-Malware and
SUPERAntiSpyware,
MBAM found an additional Trojan.Downloader in a system restore
point. Next day, it found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
Quarantined and deleted successfully.
and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
Next day,
my Computer Associates AntiVirus v8 reported a couple of instances
of: Win32/Pruserinf.Y
on the infected laptop, and now also on a Desktop PC that was
shared via a network share!
I installed avast! on the laptop, and during the initial boot up
Win32::Zbot-ASN [Trj]
Win32::Invo [Cryp]
Post by b***@yahoo.com
But now, CA anti-virus on the laptop crashes (conflict with avast! ?)
My laptop Firewall (ZoneAlarm free) reports outbound requests in
the middle of the night from strangely named .exe file from the
Windows \temp folder.
I've also upgraded the MSIE on the laptop to v7, but use Firefox v3
as the default.
Is there something still hiding in the laptop, and generating all
these other trojans?
You can have only one fully installed anti virus application
performing both "On Demand" and "On Access" scanning. You can't
have two.
You can however supplement that one fully installed anti virus
application with additional "On Demand" anti virus scanners. These
can be online scanners or command line scanners that run locally.
You are still infected. There should be NO applications running
from the TEMP folder. So if ZA is indicating there is "...outbound
requests in the
middle of the night from strangely named .exe file from the Windows
.\temp folder..." you still have a problem.
Start by uninstalling Avast and see if that corrects CA anti-virus.
[snip]
Shouldn't he shut off his System Restore since the virus(s) seem to
be in there and empty out his temp and TIF files?
Not right away. One could lose useful registry data and/or potentially
good files.
Thanks.

b***@yahoo.com
2008-11-29 18:20:26 UTC
You are still infected.  There should be NO applications running from the TEMP folder.  So
if ZA is indicating there is "...outbound requests in the
middle of the night from strangely named .exe file from the Windows .\temp folder..."  you
still have a problem.
I use CCleaner on a very frequent basis.
Can't say the same for the other users of that laptop in the
household.

I am quite sure the temp folder(s) were empty.
I guess the default behavior for CC is not to remove temp files less
than 48 hours old.
Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Then post the contents of the HJT log in your post in one of the below expert forums...
I'll post the HiJack logs to one of those forums.

Thanks for your help.
PA Bear [MS MVP]
2008-11-29 16:07:12 UTC
Post by b***@yahoo.com
Post by PA Bear [MS MVP]
<snip>
Post by b***@yahoo.com
svchost.exe, twext.exe
that the other spyware tools missed.
My IE 6 browser is back to normal now.
But is the computer free of any/all hijackware?
The saga continues.
After the initial cleanup using Malwarebytes Anti-Malware and
SUPERAntiSpyware,
MBAM found an additional Trojan.Downloader in a system restore point.
Next day, it found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
\iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
successfully.
and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)
Next day,
Win32/Pruserinf.Y
on the infected laptop, and now also on a Desktop PC that was shared
via a network share!
I installed avast! on the laptop, and during the initial boot up scan,
Win32:Zbot-ASN [Trj]
Win32:Invo [Cryp]
But now, CA anti-virus on the laptop crashes (conflict with avast! ?)
My laptop Firewall (ZoneAlarm free) reports outbound requests in the
middle of the night from strangely named .exe file from the Windows
\temp folder.
I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
the default.
Is there something still hiding in the laptop, and generating all
these other trojans?
Yes.
PA Bear [MS MVP]
2008-11-20 08:06:32 UTC
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
Post by b***@yahoo.com
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
The Real Truth MVP
2008-11-20 15:39:16 UTC
Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://pcbutts1.com/downloads/tools/tools.htm
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
Post by b***@yahoo.com
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
PA Bear [MS MVP]
2008-11-20 17:09:03 UTC
Ignore this MVP imposter!

For some background on this well-known thief, see David Lippman's posts in
this thread:
http://groups.google.com/group/microsoft.public.security.homeusers/browse_frm/thread/5172ca5571f3e54f/656904085932c872

Specifically
http://groups.google.com/group/microsoft.public.security.homeusers/msg/213247814fb4d61e
and
http://groups.google.com/group/microsoft.public.security.homeusers/msg/e19fce884897662f
--
~Robear Dyer
MS MVP-IE, Mail, Security, Windows Desktop Experience
https://mvp.support.microsoft.com/default.aspx/profile/robear.d
Post by The Real Truth MVP
Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
XXX.pcbutthole.com/downloads/tools/tools.htm
Gaz
2008-11-20 21:30:26 UTC
Post by b***@yahoo.com
When I visit www.bankofamerica.com, there is an additional field
"Enter ATM card number:"
When I visit www.wellsfargo.com, there is an additional field for "ATM
PIN"
These fields don't appear when I use Mozilla Firefox v3.0
I've reported the problem to the respective banks.
Ad-Aware (free) , Spybot and Windows Defender don't detect this hijack
Can someone here help me identify who/what hijacked my IE 6 browser,
and how I can find out which illegal IP address these 2 fields are
being transmitted to?
If you use IE6 you deserve to have your legs cut off, not only hijacked.

Gaz