IE Hijacked, denies access to selected sites


Thanks for the response.  First of all, I CAN'T update the virus definitions, as Live Update is blocked from working.  I cannot even access the Symantec website.  I keep getting redirected to some nonsensical ad page.  (BTW, I have to use my other computer at home or the one at work to even post on this site.  The affected computer will not allow me to access it.)  Again, this is odd behavior because I can access certain sites fine.  Anything that is remotely related to virus removal, fixes etc. from Symantec, SmitFraudFix, Spybot, etc. I cannot access; the browser just redirects to random ad pages.  Cnn.com, weather.com, etc. work just fine.

Second, I did a full system scan and it detected nothing.  I also performed a deep scan with Spybot and turned up a few of the usual suspects, but nothing that fixed the problem.

I did download SmitFraudFix on another computer and put it on CD.  I then copied it to the affected computer and when I tried to execute it, it would simply terminate.  On a hunch, I changed the file name from SmitFraudFix to just X, and then it would execute.  However, SmitFraudFix would then try to open Notepad, and the Data Execution Prevention dialog box would pop up and terminate Notepad before it could open.  I can even use Notepad to edit anything on the system now.

Like I said, this is one SERIOUS bit of malware and the person(s) who came up with it must be some kind of evil genius.  I'm hoping someone can identify and fix it, otherwise I'm going to have to just flatten the hard drive and start over from scratch.

Regards,

Mike

Have you checked the Activity Log/View History to see if Norton does/did Detect it already but cannot Remove it; this should give you what Malware it is and thus you can go to the Symantec Web Site to see the Removal, whether it be on your work or other home computer?  You never mentioned this in your Reply, so just wondering if you have.

You have got one serious Malware on your computer!

Hopefully someone from Symantec will be able to assist you.  In the meantime, why not access Technical Support?

Message Edited by Floating_Red on 06-16-2008 07:49 PM

<< This all began today after visiting a website called [synth mania dot com], as nearly as I can tell. >>

This is really weird. I wanted to look up that website, as I usually do when someone reports a problem, using Google and I pasted in the .com as well.

Although I'm sure I set Google not to connect from searches, it actually went to the website so I hurriedly backed out.

Believe it or not none of the shortcuts to open NIS2008 worked -- not my normal desktop icon; not the system bar icon with right mouse click / Open Protection Center; not even START ... Programs / Norton Internet Security .....

However IE worked normally and I had no problem getting to the Symantec site or any of the other things you mentioned like Notepad.

Opened up my Windows Explorer substitute (PowerDesk 7) and started looking for Norton .exe files and none of them would start up the UI.

Did some more digging and found:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks

and in that folder are the .sca files that bring up the Start Scan "profiles" and Full Scan ran OK although I aborted it for the moment and ran QuickScan to see if it detected anything hostile -- only the usual cookies .....

Anyway I rebooted and I'm back able to start up NIS .....

I don't believe in coincidences ..... but in your case I suspect a system failure of some kind either in Windows or in hardware.

<< rebooting gave me a "system has recovered from a serious error" message. >>

Did you explore that and look in Windows Event Viewer for error messages, which often pinpoint the cause and even sometimes a remedy?

[edit: I've left the website name for discussion purposes, but I have broken the name before the casual user cuts and pastes it.]


Message Edited by Allen_K on 06-17-2008 05:08 PM

easttenndoc wrote:

Thanks for the response.  First of all, I CAN'T update the virus definitions, as Live Update is blocked from working...Second, I did a full system scan and it detected nothing.  I also performed a deep scan with Spybot and turned up a few of the usual suspects, but nothing that fixed the problem. 


Since you're posting to the forums, I assume you're using a different computer than the infected one. On the "clean" system, go to the following site and download the latest definitions:

http://www.symantec.com/avcenter/defs.download.html

Copy the .exe file to the infected system and run it. This will update your malware definitions. Then, boot your system in safe mode and run a Full System Scan. If you find out any more information about the malware on your system, please let us know. There are many tools on http://www.symantec.com for removing specific malware. Thanks!


easttenndoc wrote:

Thanks for the response.  First of all, I CAN'T update the virus definitions, as Live Update is blocked from working.  I cannot even access the Symantec website.  I keep getting redirected to some nonsensical ad page.  (BTW, I have to use my other computer at home or the one at work to even post on this site.  The affected computer will not allow me to access it.)  Again, this is odd behavior because I can access certain sites fine.  Anything that is remotely related to virus removal, fixes etc. from Symantec, SmitFraudFix, Spybot, etc. I cannot access; the browser just redirects to random ad pages.  Cnn.com, weather.com, etc. work just fine.

Second, I did a full system scan and it detected nothing.  I also performed a deep scan with Spybot and turned up a few of the usual suspects, but nothing that fixed the problem.

I did download SmitFraudFix on another computer and put it on CD.  I then copied it to the affected computer and when I tried to execute it, it would simply terminate.  On a hunch, I changed the file name from SmitFraudFix to just X, and then it would execute.  However, SmitFraudFix would then try to open Notepad, and the Data Execution Prevention dialog box would pop up and terminate Notepad before it could open.  I can even use Notepad to edit anything on the system now.

Like I said, this is one SERIOUS bit of malware and the person(s) who came up with it must be some kind of evil genius.  I'm hoping someone can identify and fix it, otherwise I'm going to have to just flatten the hard drive and start over from scratch.

Regards,

Mike


Tony: Have Highlighted the bits you mentioned in your Post.


Mike does not mention if he did try to Download Virus Definitions on to a C.D. and then try to Update V.D.s via the C.D. on the Infected computer.

I am truly desperate. I have acquired some sort of virus/malware that I don't even know the name for. As best I can tell, it exhibits the following behavior:

1. IE hijacked to various advert sites when I try to access symantec.com, or any other antivirus site. Other sites such as google.com, cnn.com, etc. seem to work fine.

2. Live Update in Norton IS 2008 runs fine, but fails to connect. I used another computer to download the latest virus definitions and burned them to a CD. When I run the program, it executes, and then gives me the message that it failed to install.

3. I cannot uninstall IE. When I do, it appears to uninstall fine, but the folder and all of the associated programs are still in c:\program files/internet explorer. The computer will not allow me to manually delete, stating that the files are in use, despite the fact that I have no other programs running.

4. Notepad will not execute. It keeps giving me a "data execution prevention" dialog box and shutting down.

This all began today after visiting a website called [synth mania dot com], as nearly as I can tell. Shortly thereafter, the computer flashed a blue screen with some error message that I could not read before the system suddenly rebooted. About 15 minutes later after what appeared to be a normal startup, it did it again, and this time after rebooting gave me a "system has recovered from a serious error" message. At this point is when all the bizarre behavior began. I have run Spybot, One Button cleanup, NIS quick scan, none of which corrected the problem.

I am at the point of no return. If I can't get this fixed, I will have to nuke the hard drive and do a complete ground up reinstall. Any ideas?

BTW, running NIS 2008, Antibot, Windows XP Media Center SP2.

Thanks for any help!

[edit: I've left the website name for discussion purposes, but I have broken the name before the casual user cuts and pastes it.  It's reported later in the thread this is a particularly vicious page.]

Message Edited by Allen_K on 06-17-2008 05:06 PM

Well, the good news is that I got the problem solved, and it was malware of some sort, not any system problems.

Per your question, Floating_Red, the activity log did not pick up anything. On another note, running SmitFraudFix in safe mode allowed Notepad to open OK, but it did not fix the problem. Also, running a full system scan (in safe mode, too) with NIS last night did not detect the problem.

Regarding updating virus definitions by downloading to another computer to a CD and then updating the affected machine manually, as I mentioned the updater would give me an error message saying it failed to install any new definitions. I did not try to install it in safe mode, though, so that might have worked...don't know.

Now the good news. I noticed frequently that when IE would redirect me to random webpages, the address many times started with "as iuoq gusd bak sd dot com" [Edit: broke cut and paste]. I Googled this and found some info on it. I tried the SmitFraudFix that some suggested already to no avail, but found mention of Malwarebytes.org. I downloaded that program and, like SmitFraudFix, it would not install unless I renamed the install package to something nondescript like "test" or "x". Once I renamed the Malwarebytes setup package to just "setup," I was able to install and run it and it detected 35 or so different issues. Most of them were nothing (e.g. Spywarebot) but a few, as you can see below, looked troubling. I removed the items and bingo! All is well, I can use IE normally, Live Update works again, etc. Here's the log in case it might help somebody figure out what happened:


Malwarebytes' Anti-Malware 1.17
Database version: 862

6:28:45 PM 6/16/2008
mbam-log-6-16-2008 (18-28-45).txt

Scan type: Quick Scan
Objects scanned: 40807
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 23

Memory Processes Infected:
C:\Program Files\SpywareBot\SpywareBot.exe (Rogue.SpywareBot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\SpywareBot\Launcher.exe (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\SpywareBot.exe (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\SpywareBot.url (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\unins000.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\unins000.exe (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\DataBase.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\fp.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log\2008 Jun 16 - 06_10_17 PM_484.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log\2008 Jun 16 - 06_10_17 PM_578.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\matrix.dat (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I hope Norton updates coverage to catch this quickly as it appeared to slip right through my NIS 2008 and Antibot. (And BTW, I had just run Live Update and installed the new definitions just 2 days before this appeared on my machine!) Thanks again for everybody's input and help, though! I realize that no one package can get 100% of these infernal things.

Cheers!

Mike


Message Edited by Allen_K on 06-17-2008 05:14 PM
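Added example (my own code, not anything from the thread or from Malwarebytes): a small Python parser for the log format Mike posted above, which groups the detections by name and pulls out what a responder would check first: the Rootkit/Trojan detections, the driver file, the hijacked SearchScopes key, and anything marked "Delete on reboot", which is not actually gone until the machine restarts. The embedded sample is an excerpt of that log; the `SEVERE_PREFIXES` ranking is my own assumption, not a Malwarebytes convention.

```python
import re
from collections import defaultdict

# Excerpt of the Malwarebytes log posted above (lines copied from the thread, used here as sample input).
SAMPLE_LOG = r"""Scan type: Quick Scan
Objects scanned: 40807
Memory Processes Infected:
C:\Program Files\SpywareBot\SpywareBot.exe (Rogue.SpywareBot) -> Unloaded process successfully.
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")   # e.g. "Files Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.+)$")   # e.g. "Scan type: Quick Scan"
SEVERE_PREFIXES = ("Rootkit.", "Trojan.")   # assumed ranking: these outrank rogue-AV and adware noise


def parse_log(text):
    """Return (metadata, findings); each finding has section, path, name and action."""
    meta, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
            continue
        m = META_RE.match(line)
        if m and section is None:   # the header block comes before the per-section detail
            meta[m.group(1)] = m.group(2)
    return meta, findings

def triage(findings):
    """Group findings by detection name and flag the items a responder should check first."""
    by_name = defaultdict(list)
    for f in findings:
        by_name[f["name"]].append(f["path"])
    return {
        "by_name": dict(by_name),
        "severe": sorted({f["name"] for f in findings if f["name"].startswith(SEVERE_PREFIXES)}),
        # "Delete on reboot" means the file was still locked: it is not gone until the machine restarts
        "pending_reboot": [f["path"] for f in findings if f["action"].lower().startswith("delete on reboot")],
        "drivers": [f["path"] for f in findings if f["path"].lower().endswith(".sys")],
        "search_hijack_keys": [f["path"] for f in findings if f["name"] == "Search.Hijack"],
    }
```

Running `triage(parse_log(open("mbam-log.txt").read())[1])` on a full log gives the same summary for a real scan.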

Have you tried a Full System Scan?  Keep in mind that Norton may be unable to Detect this Virus due to Virus Definitions not being up-to-date.

It seems really odd that Suspicious Activity Monitoring did not Detect this and Block this Virus's/Viruses' Actions.

I would check your Activity Log.  To Access this, Open your Norton Program, Click on the Norton Internet Security Tab, Click on the Sub-Heading Reports & Statistics, then Activity Log.  The reason you want to check it is because it might give an indication as to what Virus/Trojan, etc., it is; I would also check the View History.  If you find out what Internet Threat it is, go to the Symantec Web Site, whether it be on the Infected computer or on a friend's one, and, in the Search space, type in what Internet Threat it is, Click on the relevant Web Link to see the write-up and then, on the Internet Threat write-up, Click on the Sub-Heading Removal, and that should tell you how to Remove this Threat.

Message Edited by Floating_Red on 06-16-2008 04:08 PM
Message Edited by Floating_Red on 06-16-2008 04:11 PM