Unbelievable, system hijacked even using Mozilla


6 replies to this topic

#1 bluefox (Full Member, 5 posts)

Posted 17 July 2004 - 06:04 PM

Can't get rid of this hijack which redirects IE to "www.nubela.net" and installs a search bar. Can someone have a look at my log and give me some pointers?

This happened while using Mozilla - although admittedly the system was unpatched and not yet updated to SP1 after a reinstall.

Thanks so much in advance.

Logfile of HijackThis v1.97.7
Scan saved at 00:53:27, on 18/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NAVSCAN32.exe
C:\WINDOWS\System32\alfbnn.exe
C:\docume~1\user1\locals~1\temp\msbb.exe
C:\Documents and Settings\user1\Application Data\reew.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user1\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [qkfqzwsrqku] C:\WINDOWS\System32\alfbnn.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\user1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yher] C:\WINDOWS\yher.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Omrh] C:\Documents and Settings\user1\Application Data\reew.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 bluefox (Full Member, 5 posts)

Posted 20 July 2004 - 12:50 AM

Sorry, I forgot to add "Emergency! Please help!!" in the title.

I would really appreciate it if someone could give me a hand on getting rid of this trojan.

Thanks


To add some information, a Command Prompt window is now regularly popping up trying to run a program called "hah.exe" with the intention of making some mischief or other... To minimise risk I have turned IE's security settings up to max and switched to Mozilla.

#3 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 20 July 2004 - 07:30 AM

Hi,
NAVSCAN32.exe = WORM_SDBOT.RH
Note: make sure you have installed all the Critical Updates.

O15 - Trusted Zone: http://*.windowsupdate.com
Incorrect entry, should be *.microsoft.com
[or]
http://*.windowsupdate.microsoft.com


First thing to do is ...

Download Ad-Aware

After installing Ad-Aware, and before running the program:

Update Ad-Aware's Reference File: instructions here

Required Step: Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure.

Next:

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [qkfqzwsrqku] C:\WINDOWS\System32\alfbnn.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\user1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yher] C:\WINDOWS\yher.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Omrh] C:\Documents and Settings\user1\Application Data\reew.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\alfbnn.exe <--this file
C:\Documents and Settings\user1\Application Data\reew.exe <--this file
C:\WINDOWS\twaintec.dll <--this file
C:\WINDOWS\twaintec.ini <--this file
C:\WINDOWS\yher.exe <--this file
NAVSCAN32.exe <--this file
Locate "NAVSCAN32.exe" via Start > Search > Advanced Options

The below requires special attention:
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll

Start | Run (type) cmd
(type) cd\WINDOWS\Downloaded Program Files\CONFLICT.1
(type) del bridge.dll (Close the Command Prompt)

While still in Safe Mode, run Ad-Aware and fix everything it finds.

Restart normally and then ... Download HijackThis! 1.98

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
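The fix list in the post above was assembled by hand from the O2/O4/O15/O16 lines of the log. The script below is an added example (it is not code from the thread, from HijackThis or from the moderator) that automates that triage: it parses those four HijackThis sections, flags entries with heuristics chosen for this example (executables under %temp%, Application Data or Downloaded Program Files, files dropped straight into %WINDIR%, bare file names resolved via the search path, random-looking Run value names, Trusted Zone domains and ActiveX download hosts outside an allowlist, and a DPF control whose CLSID is also registered as a BHO), and prints the reg.exe/del commands that do what "Fix checked" plus the Safe Mode file deletions do by hand. The sample log is constructed from the thread's own lines plus the legitimate RealPlayer entry from the second log, with the page's truncated DPF URLs kept as they are; the allowlists, the consonant-run threshold and the known-bad list (NAVSCAN32.exe, as identified in the thread) are assumptions. The registry paths are the standard locations that HijackThis abbreviates in its output.

```python
"""Triage a HijackThis log: parse O2/O4/O15/O16 lines, flag them by heuristic, emit undo commands."""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample: lines from the thread's first log plus the legitimate RealPlayer entry
# from the second log; the DPF URLs are truncated on the page and are kept that way here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bridge.dll",Load
O4 - HKLM\..\Run: [qkfqzwsrqku] C:\WINDOWS\System32\alfbnn.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\user1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yher] C:\WINDOWS\yher.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Omrh] C:\Documents and Settings\user1\Application Data\reew.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
"""
# Triage heuristics: assumptions chosen for this example, not verdicts.
KNOWN_BAD = {"navscan32.exe"}                        # WORM_SDBOT.RH, per the thread
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\downloaded program files\\")
TRUSTED_ZONE_OK = ("microsoft.com",)                 # only domain accepted in the Trusted zone
DPF_HOSTS_OK = ("microsoft.com", "macromedia.com")   # ActiveX download hosts accepted
# Registry locations behind each HijackThis section (the log abbreviates them).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"   # + \Run, \RunServices, ... under HKLM/HKCU
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"
ZONEMAP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?:(?P<scheme>\w+)://)?(?P<host>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")

@dataclass
class Entry:
    kind: str                 # O2 / O4 / O15 / O16
    raw: str                  # the log line as printed by HijackThis
    name: str = ""            # O4 value name, O2/O16 display name, O15 domain
    path: str = ""            # file the entry loads (O2/O4), "" otherwise
    fix_key: str = ""         # registry key the fix touches
    fix_value: str = ""       # value under fix_key to delete; "" means the whole key
    reasons: List[str] = field(default_factory=list)   # empty means "looks fine"

def _consonant_run(s: str) -> int:
    """Longest run of consonant letters; random value names like 'qkfqzwsrqku' score high."""
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", s.lower())), default=0)

def _exe_path(cmd: str) -> str:
    """Quoted argument wins (rundll32 "x.dll",Load); otherwise take everything up to the
    first extension, because HijackThis prints paths containing spaces without quotes."""
    m = re.search(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|dll|com|scr|bat))\b", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def _path_reasons(path: str) -> List[str]:
    p = path.lower()
    checks = [(p.rsplit("\\", 1)[-1] in KNOWN_BAD, "known malware file name"),
              ("\\" not in p, "bare file name, resolved via the search path"),
              (re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p), "dropped directly in %WINDIR%")]
    checks += [(d in p, "lives under " + d.strip("\\")) for d in SUSPECT_DIRS]
    return [why for hit, why in checks if hit]

def _host_ok(host: str, allow: tuple) -> bool:
    return any(host == ok or host.endswith("." + ok) for ok in allow)

def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            e = Entry("O2", line, m["name"], m["path"], BHO_KEY + "\\" + m["clsid"])
            e.reasons = (["unnamed BHO"] if e.name == "(no name)" else []) + _path_reasons(e.path)
        elif m := O4_RE.match(line):
            e = Entry("O4", line, m["name"], _exe_path(m["cmd"]), m["hive"] + "\\" + RUN_KEY + "\\" + m["key"], m["name"])
            e.reasons = (["random-looking value name"] if _consonant_run(e.name) >= 5 else []) + _path_reasons(e.path)
        elif m := O15_RE.match(line):
            host = m["host"][2:] if m["host"].startswith("*.") else m["host"]   # *.foo.com -> Domains\foo.com
            e = Entry("O15", line, host, "", ZONEMAP_KEY + "\\" + host, m["scheme"] or "http")
            if not _host_ok(host, TRUSTED_ZONE_OK):
                e.reasons.append("Trusted-zone domain outside the allowlist")
        elif m := O16_RE.match(line):
            e = Entry("O16", line, m["name"], "", DPF_KEY + "\\" + m["clsid"])
            host = urlparse(m["url"]).netloc.lower()
            if not _host_ok(host, DPF_HOSTS_OK):
                e.reasons.append("ActiveX fetched from unverified host " + host)
            if any(o.kind == "O2" and o.fix_key.endswith(m["clsid"]) for o in entries):
                e.reasons.append("same CLSID is registered as a BHO")
        else:
            continue
        entries.append(e)
    return entries

def cleanup_plan(entries: List[Entry]) -> List[str]:
    """reg.exe/del commands for every flagged entry: what 'Fix checked' plus the Safe Mode
    deletions in the thread do by hand. Bare file names have to be located first."""
    cmds = []
    for e in (x for x in entries if x.reasons):
        cmds.append(f'reg delete "{e.fix_key}"' + (f' /v "{e.fix_value}"' if e.fix_value else "") + " /f")
        if "\\" in e.path:
            cmds.append(f'del /f /q "{e.path}"')
    return list(dict.fromkeys(cmds))   # bridge.dll is reached via O2 and O4; drop the duplicate

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(("FLAG " if e.reasons else "ok   ") + e.raw, *("     - " + r for r in e.reasons), sep="\n")
    print("\nCleanup plan (elevated cmd, in Safe Mode):", *cleanup_plan(found), sep="\n")
```

On the sample log every entry except the RealPlayer updater is flagged, and the plan reproduces the moderator's list: the Run/RunServices values under HKLM and HKCU, the two BHO keys, the Distribution Unit keys for the two DPF controls, the ZoneMap entry for windowsupdate.com, and `del` commands for the files that have a full path. NAVSCAN32.exe gets no `del` line because the log gives only a bare name, which is exactly why the post says to locate it with Search first. Treat the output as a proposal to review, not a script to run blind: a legitimate Microsoft DPF control with a truncated or unrecognised download host would be flagged by the same allowlist rule.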

#4 bluefox (Full Member, 5 posts)

Posted 21 July 2004 - 08:07 AM

All done as per instructions. Here's the log:

Logfile of HijackThis v1.98.0
Scan saved at 15:01:52, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\user1\Desktop\hijackthis\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [ontyisoovbfyg] C:\WINDOWS\System32\alfbnn.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe

Hope that works! Thank you very much, I really really appreciate your help.

I have one more question. If I use Mozilla to browse (with IE security settings on max) and allow Windows to download Critical Updates automatically, and keep the XP Firewall turned on, will that prevent this kind of thing from happening again?

#5 bluefox (Full Member, 5 posts)

Posted 21 July 2004 - 08:17 AM

Looking at this more closely... I see that NAVSCAN still shows up in the changed HotKeys section of the HijackThis scan.

I've checked that navscan32.exe no longer exists, and it's definitely gone. What's this all about?

#6 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 21 July 2004 - 09:02 AM

Hi,
Your log is incomplete? ... but from what I can see ...

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [ontyisoovbfyg] C:\WINDOWS\System32\alfbnn.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\alfbnn.exe <--this file
NAVSCAN32.exe <--this file
Note: locate via Start > Search > Advanced Options

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike

#7 bluefox (Full Member, 5 posts)

Posted 21 July 2004 - 02:47 PM

All gone now.

(I must have somehow overlooked the HijackThis deletion phase the first time, because all the files had otherwise been correctly deleted.)

Just one more thing - the question I asked above about whether avoiding IE and keeping right up to date with patches will make trojans go away for good.

Thanks in advance.

Logfile of HijackThis v1.98.0
Scan saved at 21:40:36, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\user1\Desktop\hijackthis\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot