Browser re-direct and data uploading


10 replies to this topic

#1 Ripcord (Full Member, 10 posts)

Posted 03 June 2004 - 05:53 PM

Hello all. I used to think I could cure browser problems but...

Symptoms:
Dial-up for net connection and then waiting results in IE Browser auto-loading.
At first it tries to go to the proper home page (Yahoo) but in a few seconds gets hi-jacked to somewhere else. The resulting page changes every day or so, but in each case eventually asks to download "MediaTickets" or something similarly named.

When I say "no" it prompts me with "...you must accept in order to load this page..."

If I try to stop the page loading or go to another page, I get that same message.

I can get it all to stop, by hitting the "stop" button, going to a specific page, killing the "error" windows, etc.

But then for the rest of the time that the PC is on-line, there is a constant flow of data uploading to...somewhere. I can shut down IE Browser and any/all other on-line programs that I've opened, but the net-connection shows data still being transmitted.

I've installed and run HJT, Ad-Aware and Spybot, each of which was helpful in some ways but none have touched this particular problem.

So, IE Browser is getting hi-jacked and I have continuous data uploading.

Suggestions?

#2 WinHelp2002 (Global Moderator, 5,365 posts) - "Taking back the Internet"

Posted 03 June 2004 - 07:44 PM

Hi,
Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 Ripcord (Full Member, 10 posts)

Posted 03 June 2004 - 07:58 PM

Rebooted, without changes, and made a few more notes:

The re-direct takes me here: http://www.harro.3x.ro/hi.txt
And the file that attempts to download is: MediaTicketsInstaller.cab
Viewing the web page source code reveals "hidden" attributes and JavaScript loads. I can post the source, if requested.

HJT Log:

Logfile of HijackThis v1.97.7
Scan saved at 8:52:51 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wserv32.exe
C:\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\AAA\Ray\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.co...a-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.c...k-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire15.p...d-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://solitaire25.p...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F37F6C15-75CC-413B-B2D8-EDCF8416573E}: NameServer = 207.251.201.10 207.251.201.11

#4 WinHelp2002 (Global Moderator, 5,365 posts) - "Taking back the Internet"

Posted 03 June 2004 - 08:38 PM

Hi,
Go to:
http://www.kaspersky...teviruschk.html
Click Browse and navigate to:
C:\WINDOWS\System32\wserv32.exe
Highlight then click the Submit button, report back with the results.

Note: it may be a hidden file ...

Reconfigure Windows Explorer to Enable Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button.
Mike

#5 Ripcord (Full Member, 10 posts)

Posted 03 June 2004 - 10:22 PM

Hidden files, no problem, already set that way.

Kaspersky report, ah-ha!

wserv32.exe - packed with ASPack
wserv32.exe - packed with ASPack
wserv32.exe - packed with ASPack
wserv32.exe - packed with PE_Patch
wserv32.exe - packed with UPX
wserv32.exe - infected by Backdoor.Rbot.gen

I suspect more than a simple *del* will cure this, so I'm open to suggestions. In the meantime, I'll look up "Backdoor.Rbot.gen" and see what I can find.

Note: This current boot-up had a different redirect page, one that has shown before. That being "http://www.angelfire...kk/danjef.html"

If I find something that seems to fix the problem, I'll advise here, otherwise a new HJT log.

#6 Ripcord (Full Member, 10 posts)

Posted 04 June 2004 - 12:46 AM

After various contortions, I ended up doing an on-line virus scan at Micro-Trend. That found 2 buggies, both un-cleanable. I couldn't find anything that indicated either file was legit, so I've deleted both. I've also found numerous references, although nothing solid, to the Sasser worm. Norton's Sasser tool detects nothing though. Mmmm....

Here is what Micro-Trend found:
ADW RULEDOR.C (Found in C:\Documents and Settings\user\Local Settings\Temp\clrschp010.exe)
BAT SASSER.A (Found in C:\WINDOWS\system32\cmd.ftp)

So now I'll re-boot, see what happens and post a HJT log.

#7 Ripcord (Full Member, 10 posts)

Posted 04 June 2004 - 01:00 AM

*sigh* Much as I feared, deleting those 2 files didn't solve the problem, but at least they didn't re-appear. Before deleting either one, I looked at "cmd.ftp" in DOS-edit. I found about a dozen quadpoints, each with a file name to download. The file names appeared to be randomly generated, but were all numbers. Sorry, I forgot to copy them off for reference, or the quadpoints.

Current HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 1:54:55 AM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wserv32.exe
C:\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\AAA\Ray\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.co...a-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.c...k-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire15.p...d-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://solitaire25.p...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F37F6C15-75CC-413B-B2D8-EDCF8416573E}: NameServer = 207.251.201.10 207.251.201.11


I'm beginning to suspect that this particular problem is new enough that there isn't a lot to be found about it. Anybody care to tell me differently?
(Translation: HELP!)

#8 WinHelp2002 (Global Moderator, 5,365 posts) - "Taking back the Internet"

Posted 04 June 2004 - 04:00 AM

Ripcord,

Kaspersky report: wserv32.exe - infected by Backdoor.Rbot.gen

I figured that but wanted to double-check ... wserv32.exe = W32/Rbot-W
Just make sure to check for any Registry changes mentioned in that article.

First thing is to "Flush System Restore" (see "How To" below).
Basically turn off System Restore (now) select the items below in HijackThis, reboot into Safe Mode, follow the below. Restart normally, run a full system NAV scan, reboot, rescan with HijackThis and post a fresh log. Once your system is clean, turn System Restore back on and create a new Restore Point.

Close all open windows except for HijackThis and place a check in each of the following, then click "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Locate and delete the following:

C:\WINDOWS\System32\wserv32.exe <--this file

While still in Safe Mode:

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

ADW RULEDOR.C - Found in:
C:\Documents and Settings\user\Local Settings\Temp\clrschp010.exe


Note: if "user" is not your normal "profile" navigate to that folder:
C:\Documents and Settings\user\Local Settings\Temp

And delete the entire contents (in Safe Mode)

After the above restart normally scan with NAV (see below) and post a fresh log.

How to configure Norton AntiVirus to scan all files

You might as well empty the Recycle Bin for all users before you scan with NAV, otherwise NAV will just pick it up there.

Edited by WinHelp2002, 04 June 2004 - 04:08 AM.

Mike
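The items the moderator ticked above can be picked out mechanically. What follows is an added example (my own code, not the forum's and not part of HijackThis): a small Python triage that parses the R0/R1/R3 and registry O4 lines from the log posted in this thread and flags the indicators the moderator keyed on: an IE setting cleared or redirected to about:blank, a removed URLSearchHook, an autostart entry that names a bare file with no directory path, and use of the RunServices key, which is a Windows 9x key that NT/2000/XP ignore. It also maps each bare executable to every Run key it is registered under, which is how wserv32.exe shows up three times. The sample lines are copied from the log above; the line-format regexes assume the HijackThis 1.97 output seen here, and the function names and reason strings are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the R0/R1/R3, O3 and O4 lines from the HijackThis log
# posted above, copied verbatim (paths are as they appear in the log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# O4 registry autostart line: "O4 - HKLM\..\Run: [name] command" (assumed HJT 1.97 format)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 Internet Explorer setting line: "R0 - <key>,<value name> = <value>"
R01_RE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list


def _executable(cmd: str) -> str:
    """Return the program part of an O4 command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list:
    """Flag log lines worth a second look, in log order, one Finding per line."""
    findings = []
    for line in log_text.strip().splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            if "\\" not in exe:
                # Installed software registers a full path; a bare name that is
                # resolved through the search path is typical of a dropped file.
                reasons.append("autostart with a bare filename, no directory path")
            if m.group("key") == "RunServices":
                # Windows 9x key that NT/2000/XP ignore, so an XP installer has
                # no reason to write it; worms tend to add it blindly.
                reasons.append("registered under RunServices")
        elif (m := R01_RE.match(line)):
            value = m.group("value").strip().lower()
            if value == "":
                reasons.append("IE setting cleared to an empty value")
            elif value == "about:blank":
                reasons.append("IE setting redirected to about:blank")
        elif line.startswith("R3 - ") and "missing" in line:
            reasons.append("default URLSearchHook removed")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def persistence_map(log_text: str) -> dict:
    """Map each bare (path-less) executable to every Run key it is registered under."""
    where = {}
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            if "\\" not in exe:
                where.setdefault(exe.lower(), []).append(m.group("hive") + "\\" + m.group("key"))
    return where


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    for exe, keys in persistence_map(SAMPLE_LOG).items():
        print(f"{exe} is registered under {len(keys)} keys: {', '.join(keys)}")
```

Run against the lines from this thread it reports exactly the seven entries the moderator selected and nothing else: the full-path entries for Nero, the Creative tools, NAV and Yahoo! pass, and the Start Page line passes because its value is intact. A bare filename is a prompt to look closer, not proof of infection; the next step, as in the thread, is to locate the file on disk (hidden files shown) and submit it for a scan, and to compare the flagged name against the "Running processes" list, where wserv32.exe also appears.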

#9 Ripcord (Full Member, 10 posts)

Posted 04 June 2004 - 04:01 AM

Yes! I think I've finally got the little bugger! Only time will tell for certain, but currently everything is behaving as expected.

It would appear the problem was the W32.Spybot.Worm.

So, disabled System Restore, booted up in Safe mode, ran the Norton AV scan to identify infected files and performed various circus stunts (manual Registry and file deletions) to clear the bugger out. Re-boot (I loved that show.) and all seems well.

Since this was all for the wife's PC, I'm especially glad.

Thanks for the help all!

#10 Arm4 (Full Member, 15 posts)

Posted 11 June 2004 - 08:54 PM

Arg, Thank god I've found this forum. Please Help!

I have the exact same problem with the "Media Tickets". It keeps opening up my browser and going to some random webpage every few minutes and Media Ticket install pops up.

I've posted a new topic with my Log File...

Has Media Tickets Returned for you???

I've tried everything that was mentioned in this post, but I still can't get rid of it!

Is there a true solution??

Edited by Arm4, 11 June 2004 - 09:09 PM.


#11 WinHelp2002 (Global Moderator, 5,365 posts) - "Taking back the Internet"

Posted 12 June 2004 - 04:32 AM

Arm4,
I replied to your post:
http://www.spywarein...=ST&f=18&t=6223
Note: Media Tickets should be the least of your worries!
Mike



