Browser Hijacking - Why Can't Norton fix these?

I am having problems with IE and Firefox being hijacked.  The threads I have read here on this refer users to run malwarebytes, superantispyware, and other freeware (which I have done in safe mode and they haven't fixed the problem).  Why am I paying for Norton if they can't find and fix these browser hijacking issues any better than freeware?  I seem to have been able to keep Firefox from misbehaving by disabling all of the plugins.  But, shouldn't Norton be able to scan for rogue plugins???  Is anybody at Symantec working on this?  Thanks.

Willie

Hi UncleWillie:

Different programs do different things, which makes them helpful.  The programs that we ask for provide logs, which is one of the most useful things they do.

Your antivirus, whether Norton or someone else's software, acts as a blocker more than a remover, but it can't protect you from everything.  Nothing is 100% and it never will be.  Malware writers are constantly busy looking for ways in, and they also buy all the known software so that they can beat it.

Other programs like Adobe and the browsers have vulnerabilities that let malware in.  P2P and torrents are very popular sites for malware insertions.  Things that are allowed into your computer are difficult for the antivirus to stop.

Redirects can frequently be seen and therefore dealt with by using Hijackthis, and some serious infections that require manual removal can be identified in Malwarebytes.  HJT will not act as a blocker, and Malwarebytes does not take the place of an antivirus program.

Also, running more than one antivirus engine allows conflicts which give malware an opening.

We request these programs as much to find out what is happening as to fix things.

Security is a complicated procedure.

Still disappointing.  Anyway, here is a log from Hijackthis.  Any help would be appreciated.  Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:46 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\17.1.0.19\cltLMH.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NortonUtilities] C:\Program Files\Norton Utilities 14\nu.exe /H
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162772332838
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe

--
End of file - 6532 bytes
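Willie's question above, whether a product should be able to scan for rogue plugins, is in practice answered by reading a HijackThis log the way an analyst does: list every registered browser component, autorun and service, then look hard at the unusual ones. The script below is an added example (not part of this thread, and not HijackThis's own code) that does that triage mechanically over a constructed log excerpt modelled on the format above. The known-good URL list, the MIN_JAVA threshold, the TRUSTED_PREFIXES folder list and the two deliberately odd sample lines (the search-page URL and the Temp-folder autorun) are all assumptions made up for the example.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the "Rn"/"On" entry lines and flags the ones a reviewer looks at first:
start/search pages not on a known-good list, BHO/toolbar/button/service entries
whose file is missing, AppInit_DLLs entries, autoruns launched from outside the
Windows and Program Files trees, and components that load an out-of-date JRE.
"""
import re
from dataclasses import dataclass, field

# Default IE start/search URLs seen in the log above; anything else gets a flag.
KNOWN_GOOD_URLS = {
    "http://www.yahoo.com/",
    "http://go.microsoft.com/fwlink/?LinkId=69157",
    "http://go.microsoft.com/fwlink/?LinkId=54896",
}
# Assumed minimum acceptable JRE (major, minor, micro, update); constructed
# threshold for the example - use the vendor's current release in practice.
MIN_JAVA = (1, 6, 0, 0)
# Folders an autorun entry is expected to launch from (assumption for the example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
URL_RE = re.compile(r"=\s*(\S+)\s*$")
JAVA_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)
O4_RE = re.compile(r"^(.*?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass
class Entry:
    section: str            # "R0", "O2", "O4", ...
    body: str               # everything after "O2 - "
    path: str = ""          # file the entry points at, when one can be extracted
    flags: list = field(default_factory=list)


def exe_path(cmd):
    """Executable from a Run-key command line: quoted path, or text up to .exe/.scr."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|scr|dll|com))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def classify(e):
    """Attach triage flags to one parsed entry and return it."""
    if e.section in ("R0", "R1"):
        m = URL_RE.search(e.body)
        if m and m.group(1).lower().startswith("http") and m.group(1) not in KNOWN_GOOD_URLS:
            e.flags.append("start/search URL not on the known-good list")
    elif e.section in ("O2", "O3", "O9", "O23"):
        # The file path is the last " - " separated field of these entries.
        e.path = e.body.rsplit(" - ", 1)[-1].strip()
        if e.path.lower() == "(no file)":
            e.flags.append("registered component whose file is missing (orphan entry)")
        j = JAVA_RE.search(e.path)
        if j and tuple(int(x) for x in j.groups()) < MIN_JAVA:
            e.flags.append("loads out-of-date Java runtime jre%s.%s.%s_%s" % j.groups())
    elif e.section == "O4":
        m = O4_RE.match(USER_SUFFIX_RE.sub("", e.body))
        if m:
            e.path = exe_path(m.group(3))
            if not e.path.lower().startswith(TRUSTED_PREFIXES):
                e.flags.append("autorun launched from outside Windows/Program Files")
    elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
        e.path = e.body.split(":", 1)[1].strip()
        e.flags.append("AppInit_DLLs entry loads into every user-mode process; verify publisher")
    return e


def triage(text):
    """Parse a log and return only the entries that picked up at least one flag."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = classify(Entry(*m.groups()))
            if e.flags:
                flagged.append(e)
    return flagged


# Constructed excerpt in the HijackThis format, modelled on the log above; the
# search-page URL and the Temp-folder autorun are invented to exercise the checks.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.test/?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe (User 'user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.body}")
        for f in e.flags:
            print(f"       -> {f}")
```

Run as a script it prints the flagged entries; `triage()` returns them for use elsewhere. On the log above it would flag the three entries that load Java 1.5.0_06, the orphaned O9 button and the AppInit_DLLs line, which lines up with the advice in the replies that old Java is a weak point. A log that comes back clean under checks like these still says nothing about code hiding below the level HijackThis can see, which is why a user-mode log alone cannot rule out a rootkit.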

The latest generation of spyware are very aggressive, nasty, and have great ability to hide themselves.  Because they are being spawned so rapidly, they can't be detected until they've been discovered and "fingerprinted".  That window of time may be fairly negligible in some cases, but it's large enough for a lot of computers to get infected.

Even worse is removal.  How they embed themselves and where and what is necessary to unattach them is not a simple thing; and the lag time here can be serious.

One suggestion: Find a clean computer and download the Norton Recovery Tool from NRT.  This is an ISO image to be translated and burned to a CD - read the instructions on the site carefully.  If you own the NIS 2010 or NAV 2010 CD, it is already included on your CD and you can boot from it.  You will need the Activation Key.  The program will update the signature automatically and hopefully it will by this time be able to find and clean out the active part of the malware.

Good luck.

Hi UncleWillie:

We are just waiting for an analyst to have a look at your log.  This is a user to user help forum, scattered throughout several time zones.  Have you already dumped your browser caches, temp files, and prefetch folder?

mijcar, I have NIS 2010 and I tried booting from the CD over the weekend.  It didn't find anything.

Bill

Oracle of delphinium, I have not "dumped" the browser cache, temp files and prefetch folder.  When you say dump, do you mean clear them out?  Thanks.

Bill

Hi UncleWillie

One thing I can tell you is that you are running a very old version of Java. Java is updated all the time for security reasons. Keeping Java and Adobe products up to date helps to keep your computer clean also.

Good point about old Java.  I usually disable Java in Firefox, but it was enabled on my wife's laptop that I am trying to debug.

Willie

Hi Uncle Willie

I think even if the program is disabled, it should still be kept up to date.

Of course, floplot.  Not sure why auto update for Java wasn’t on. 

Hi UncleWillie:

Let me chime in a bit about Java, since floplot has a good point.

Go into add/remove programs and check for multiple instances of different versions of Java.

Uninstall the old ones.

Sometimes the Sun Java Updater fails to do that.

Just my two cents.

Hi Uncle Willie

I have found over the years that I can't always trust these auto-update programs all the time. I think most of the time I just have to go to the Java site to check if there is an update, and the same thing with Adobe Reader, Flash, Shockwave Player, etc. Usually, by the time they get around to you, the newer version has been out for quite some time. They don't put the updates on the servers for everyone at the same time, so someone is always having to wait for their newer product unless they go to the website and check themselves. I find it a good habit to go and check these sites and programs about once a week, and it doesn't really take much time either if you do make a stop at these sites.

Hi

I think the newer versions of Java do delete the previous version now, but if you have really old Javas, then yes, they have to be deleted also, even if not in use.

I think we are veering slightly off track. It is likely that Java is the least of his problems.

We are suspecting that UncleWillie has a Gen 3 rootkit.  The only real symptoms of this, unfortunately, are the redirects.  It will not show on HJT or MBAM.  I am just hoping that clearing the browsers, temp files, and prefetch might get rid of the redirects.  If so, we started small enough not to harm the machine, and get the job done.

If that doesn't solve the problem, we must assume more serious malware is on the machine and get him to where he can get assistance.

Hi delphinium:

What about using GMER?

Hi

Unfortunately, some of the newer rootkits can even hide from Gmer also, although it may work.  These new rootkits are getting sneakier and sneakier.

Sorry if this is a stupid question, but is the way to "dump your browser caches, temp files, and prefetch folder" to go to Tools -> Options -> Advanced -> Offline Storage -> Clear Now?  Is there more to it than that?  Thanks.

Willie

Is the Trend Micro RootkitBuster useful?

Well, I ran Trend Micro RootkitBuster version 2.80.0.1077 and it found nothing.  No hidden files, no hidden registry entries, no hidden processes, no hidden drivers.