Sign in with
Sign up | Sign in
Your question

Recovering from virus, networking failing, strange "mini web browser"

Last response: in Windows XP
Share
March 15, 2012 11:08:22 PM

I recently had a few viruses on one of my home computers, there were some trojans, and at least one rootkit. I believe I was successfully able to remove them, but I'm not %100 sure. One of the trojans "ate" my network, the firewall is disabled and I can't restart it along with internet connection sharing, and the DHCP service doesn't appear to be working either. to add to it, it boots up slower than usual before the login screen and once the login screen is reached if I let it sit for about 10 minutes a mysterious application appears, the title at the top is "mini web browser" I've never seen anything like that happen before. It doesn't appear very functional, it has 4 buttons that don't really do anything "clear log, Test 1, Test 2, Test 3" a check box that says +
"show links" and a text box below. I searched the registry and couldn't find anything suspicious and I didn't notice anything suspicious on my hijackthis log either. if anybody has experienced this before or has any knowledge pertaining to this, their input would be greatly appreciated. I've included my hijackthis log and I can upload a screenshot of the login screen with the "mini web browser" if it would be useful

MS Windows XP proffessional 32-bit SP3
Intel Pentium 4 northwood 0.13um Technology
1.00 GB Dual-Channel DDR @ 199MHx (3-3-3-8)
Dell Computer Corp. 0DG284 (Microprocessor)
NEC FE771SB (1024x768@75Hz)
256MB RADEON X850 Series (ATI)
256MB RADEON X850 Series (ATI) - Secondary (ATI)
39.1GB Seagate ST340016A (PATA)
488GB Western Digital WDC WD5000AAKS-7STMA0 (SATA)

ogfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:40:23 PM, on 3/15/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\windows\system32\PnkBstrA.exe
C:\windows\system32\svchost.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
D:\HBCD\HBCDMenu.exe
C:\windows\System32\svchost.exe
C:\DOCUME~1\User\LOCALS~1\Temp\HBCD\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ImTranslator Pro - {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - C:\Program Files\ImTranslator_Pro\prxtbImT1.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: ImTranslator Pro Toolbar - {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - C:\Program Files\ImTranslator_Pro\prxtbImT1.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKCU\..\Run: [C:!Documents and Settings!User!Local Settings!Application Data!Google!Chrome!User Data_service_run] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --type=service
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Cont...
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4618A-CE5F-4EB9-B3BA-889DE6D625C6}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll
O20 - Winlogon Notify: NecUsb3Sevices - USB3Sw32.dll (file missing)
O20 - Winlogon Notify: USB3Sw32 - USB3Sw32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetworkLog - Unknown owner - C:\windows\svcs.exe (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe

--
End of file - 7991 bytes



March 20, 2012 9:36:35 PM

Cf:http://answers.yahoo.com/question/index?qid=20120315023...
and: http://forums.techguy.org/virus-other-malware-removal/1...

READ THIS IT MAY BE BE HELPFUL!

This is pretty new, I couldn't find ANYTHING on these files below on a search engine. This started on March 12. Btw I'm on a laptop and have a hardware kill switch, so when

I got suspicious, wireless was disconnected. I'm operating XP SP3 2005. Here's what happened to me:
1. Internet and downloads slowed considerably
2. Redirected on IE8 and Firefox (hijacked), but NOT on OPERA 9.63 (unaffected)
3. Used hardware kill swich to disconnect internet for analysis
4. Found the following files, directories, and registry entries... nothing on Google:
5. on restart, the "Mini Web Browser" popped up for less than a second

I noted that cursor movement was slowed, like done in the conrol panel applet.

Found:
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\...Inhaca SZ
"C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"

HKLM\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\STARTUPREG\Inhaca
command "C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"
hkey HKCU
inimapping 0
item huvoi
key \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\

HK_USERS\S-1-5-21-293786681-522615105-2646880513-1005\Software\Microsoft\Windows\CurrentVersion\Run
Inhaca "C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
b C:\Documents and Settings\EDSC\Application Data\Meomo\uhcu.iwe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\iwe
a C:\Documents and Settings\EDSC\Application Data\Meomo\uhcu.iwe

HK_USERS\S-1-5-21-293786681-522615105-2646880513-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\

HK_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe huvoi

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Inhaca "C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"

The stuff in \Run directory can be stopped using the msconfig tool, and MUI and MRU are what you have touched recently.
Delete ALL files in the \Temp\Temporary Internet Files\Content.IE5 folder
You CAN'T move, rename or copy the suspicious files in the \Application Data folder (\inhaca, \Meomo\uhcu.iwe, \evewhe\huvoi.exe, \xuasn [which has a temporary file that

seems to delete itself]), you will need the freeware Unlocker tool, copy it from an external source like a flash drive. Try sending these in a zip folder to the anti-virus

companies since I was stupid enough to delete them instead. Anyway the internet should work once they are renamed or erased. I had a Norton free trial preinstalled, I had

to install it twice before it updated itself. Here's what it found on a scan:

"Trojan.Zeroaccess!inf" detected by virus scanner; but lists both as "high" and "low" risk???; detection of Bloodhound.CC.Rootkit.
You can download "FixZeroAccess.exe" from their website, it cleaned some contaminated files but didn't stop the Mini Web Browser thingy. However it kept saying it stopped

intrusion attempts from IP's:
76.17.18.170:34354
83.133.119.155:80
83.133.124.196:4966 Amsterdam Registrar: RIPE Network Coordination Centre name: Alex
83.133.124.187:80
83.133.124.195:80
XX.XXX.XXX.XXX:3483 (tcp/https) drpxbbjbvcvcjllyqxsn.com
27.255.64.111:443 over https Seoul, Kyonggi-Do, Korea RIPE-NCC-RIS-AS (RIPE NCC RIS project)
97.85.178.58:34354
24.4.12.12:34354 Livermore, CA c-24-4-12-12.hsd1.ca.comcast.net
192.168.1.3:1205

In TCPView, by just sitting at startup, my computer was connecting to addresses like:
amazonnaws.com
e100.net
a.tribalfusion.com
www-15-05prn1.facebook.com (which I've never visited, by the way)
llnw.net
adconion.com
sedoparking.com
cloudfront.net
adobe.com (whyyy???)
switchnap.com
alien.evip.aol.com

After all this, I can't login to eBay without extra credentials because of suspicious account activity from my IP, but my partner can!

Crazy huh? And this Mini Web Browser still hasn't been fixed.
March 21, 2012 8:18:09 AM

I had been noticing some strange behavior on my Windows XP, SP3 machine (slow cursor, Firefox hijacked at random).

This morning I restarted my PC and went away for a few minutes. After returning later to the Login screen, I saw the "Mini Web Browser" window sitting open there.


After logging in to Windows, ZoneAlarm Security Suite version 7.0.462 detected:

Trojan.Win32.Agent.rrey
Trojan.Win32.Sasfis.ddef

in the following files:

\WINDOWS\system32\NEUSBw32.dll
\WINDOWS\system32\USB3Sw32.dll


I then rebooted into Safe Mode, and ran a full scan using Ad-Aware [Free] version 9.6.0. Ad-Aware found and removed:

Trojan.Win32.Generic!BT
Win32.Trojan.Agent

in the following files:

\WINDOWS\system32\nisum.dll
\WINDOWS\system32\retinaengine.dll
\WINDOWS\system32\dbmang.dll


However, Firefox was still being hijacked (when I click on toolbar links) to: myspace.com & mevio.com via ad-feeds.net.

Also, upon launching Firefox, I saw a ZoneAlarm Security Alert that "Firefox is trying to act as a server." This alert continued to appear until I chose Accept to grant Firefox server privileges. I don't think that this is normal behavior - Firefox should be able to run without server privileges.

Next I ran the Kapersky Antirootkit application: tdsskiller.exe. This program found a rootkit infection, "Virus.Win32.Zaccess.aml" in \WINDOWS\system32\drivers\redbook.sys, and cleaned it.


After a system reboot, Firefox no longer tries to act as a server, and links are no longer hijacked.

Voila! But what a way to spend an afternoon...
!