
Topic: Browser redirected to casino site when certain words are in address or searched for

  1. #1
    Beginner
    Member since
    15.02.2005
    Posts
    2

    Browser redirected to casino site when certain words are in address or searched for

    Hello,

    I have a problem on my WindowsXP machine which runs Norton anti-virus software and Windows firewall. Every time I try to access a website which has the word 'poker' in the name or do a search on Google using 'poker' as the search term my IE browser (version 6.0.2900.2180.xpsp_sp2_rtm.040803-2158) is directed to a casino website. The address bar has the following address in it: h**p://www.caribbeangold.com/index.html?ID=brian222

    I have run Ad-Aware SE Personal and SpyBot- Search&Destroy with no success. I have now run HijackThis and here is the logfile.

    Code:
    Logfile of HijackThis v1.99.0
    Scan saved at 20:58:27, on 15/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\SYSTEM32\FREECELL.EXE
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
    C:\Program Files\HijackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {345DA1A9-3229-6C44-542C-C915CD83FFB3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5BF3D3B3-688A-F835-96F0-62CA4632AF29} - C:\WINDOWS\system32\ldwfijlo.dll
    O2 - BHO: (no name) - {866C6FC8-527B-5881-2396-70CAAA794EC1} - (no file)
    O2 - BHO: (no name) - {A2D04A04-10F6-351E-4AE7-586928FE3258} - C:\WINDOWS\system32\jwxmpqfl.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: (no name) - {CD59CDB0-6B5F-FF3E-9817-402BF483BA31} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5D00DFCD-C206-416B-B3AE-A37467BCA4FA}: NameServer = 195.92.195.95 195.92.195.94
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    I would be most grateful for any help or advice that is given.

    Thanks in advance!

    David Meyer
    Last edited by Ruby (15.02.2005 at 22:49) Reason: don't use malware URLs which can be clicked on
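Before the helper's reply, it is worth seeing how the entries in a log like the one above get sorted into "ask about this first" and "known software". The script below is an added example written for this page, not code from the thread, from HijackThis or from the helper; it parses a subset of the log lines posted above (copied verbatim into the sample) and flags the same classes of entry the helper later asks about: BHOs whose file is gone, unnamed BHOs loading a DLL with a random-looking eight-letter name out of system32, services whose binary is missing, and a removed URLSearchHook. The eight-letter heuristic is an assumption of this example, not a HijackThis rule.

```python
"""
Triage a HijackThis v1.99 log: list the entry classes a forum helper would
ask about first. Added example for this page; not part of HijackThis and not
the helper's own procedure.
"""
import re
from collections import Counter

# Constructed sample: a subset of the log lines posted in the thread above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {345DA1A9-3229-6C44-542C-C915CD83FFB3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BF3D3B3-688A-F835-96F0-62CA4632AF29} - C:\WINDOWS\system32\ldwfijlo.dll
O2 - BHO: (no name) - {A2D04A04-10F6-351E-4AE7-586928FE3258} - C:\WINDOWS\system32\jwxmpqfl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D00DFCD-C206-416B-B3AE-A37467BCA4FA}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

# Every HijackThis entry line starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Heuristic (assumption of this example): a DLL or EXE directly under
# system32 whose basename is exactly eight letters looks machine-generated.
RANDOM_SYS32_RE = re.compile(r"\\system32\\[a-z]{8}\.(dll|exe)$", re.IGNORECASE)


def parse_entries(text):
    """Return a list of (code, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def section_counts(text):
    """Count how many entries each section code has (quick sanity overview)."""
    return Counter(code for code, _ in parse_entries(text))


def triage(text):
    """Return (reason, line) findings worth showing to a helper.

    Entries pointing at named vendor software (Adobe, Symantec, Spybot) are
    deliberately left out: the goal is a short list, not the whole log.
    """
    findings = []
    for code, body in parse_entries(text):
        line = f"{code} - {body}"
        if code == "O2" and body.endswith("(no file)"):
            findings.append(("BHO registered but its file is gone (orphaned CLSID)", line))
        elif code == "O2" and "(no name)" in body and RANDOM_SYS32_RE.search(body):
            findings.append(("unnamed BHO loading a random-looking DLL from system32", line))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(("service registered but its binary is missing", line))
        elif code == "R3" and "is missing" in body:
            findings.append(("default URLSearchHook has been removed", line))
    return findings


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the full log rather than the sample, the same four rules produce exactly the list of R3, O2 and O23 items the helper asks to have fixed in STEP 7, plus the two DLLs requested for upload in STEP 4; anything the rules do not flag still has to be checked by a person, which is why the helper also asks what the unfamiliar but legitimate-looking programs are.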

  2. #2
    Supermod (ret.) Avatar of Ruby
    Member since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: Browser redirected to casino site when certain words are in address or searched for

    Hello David,

    Since I see you waiting for an answer, I won't let you wait for such a long time without any answer. Your system is compromised: Security Tips. I will try to give you a plan for how to clean your system. That will take a little while. Please be patient. Thank you.

  3. #3
    Beginner
    Member since
    15.02.2005
    Posts
    2

    Re: Browser redirected to casino site when certain words are in address or searched for

    Thank you very much, Ruby

    I notice now that I should have posted the logfile in code. I'm sorry about that. I will know better in future. Thanks again!

    David Meyer

  4. #4
    Supermod (ret.) Avatar of Ruby
    Member since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: Browser redirected to casino site when certain words are in address or searched for

    Hi David, let's go on... follow steps 1, 2, 3, ...

    STEP 1
    Make sure you set windows to see the hidden files and folders.

    STEP 2
    Turn off System Restore for whole the period we work on your system.

    STEP 3
    Create some new directories (folders)
    
    C:\download
    C:\bases
    C:\badthings
    
    STEP 4
    Data Upload
    move (!) these files to the new folder C:\badthings
    
    C:\WINDOWS\SYSTEM32\FREECELL.EXE
    C:\WINDOWS\system32\ldwfijlo.dll
    C:\WINDOWS\system32\jwxmpqfl.dll
    C:\WINDOWS\system32\dla\tfswctrl.exe
    
    zip the folder and upload it to Upload Data
    
    --> Could you please give feedback on these files, if you know these files and programs:
    
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    C:\Program Files\Webshots\Launcher.exe
    
    To which programs do these files belong? What can be done with these programs?
    
    STEP 5
    Download this security software for free to C:\download:
    
    zipgenius (if you have no zip-tool)
    DELLATER.ZIP install it to your desktop!
    clearprog
    escan: mwav.exe
    install and update Spybot Search and Destroy
    install and update also Ad-Aware SE
    RegistryProt
    
    STEP 6
    now run DELLATER.exe first on your system.
    
    STEP 7
    (MUST!) Turn to safe mode. Close all windows including Internet Explorer. Run HijackThis, click scan, and put a checkmark next to each of these items. Then click the Fix button:
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.webshots.com/r/internal/start/client/RAND - if you don't know this page.
    
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {345DA1A9-3229-6C44-542C-C915CD83FFB3} - (no file)
    O2 - BHO: (no name) - {866C6FC8-527B-5881-2396-70CAAA794EC1} - (no file)
    O2 - BHO: (no name) - {CD59CDB0-6B5F-FF3E-9817-402BF483BA31} - (no file)
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - h**p://www2.incredimail.com/content...er/imloader.cab
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe (file missing)
    Reboot your system into normal mode.
    
    STEP 8
    run ClearProg
    "Clear all" and "Clear" must be checkmarked: delete all your temporary folders and files
    
    STEP 9
    run Ad-Aware, turn all red X to green and let the program delete everything it finds.
    
    STEP 10
    run Spybot Search and Destroy
    let the program delete everything it finds. Immunise your system.
    
    (MUST!) Turn to safe mode
    
    STEP 11
    run escan
    
    (MUST!) Unzip the 'mwav.exe' into the new directory 'c:\bases' (!). Use 'kavupd.exe' to get the latest signatures (MUST!). If you 'hear' that the signatures are more than 30 days old, keep trying. You will get the current signatures. Keep trying! Then close everything else, close all windows, all browsers, all programs. Remember: you MUST work in SAFE MODE!
    
    Start a full scan (all files!) [Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services must be checkmarked] by running 'mwavscan.com' (directory c:\bases): Click on 'Scan clean' or 'Scan'. eScan takes about an hour. When it's finished, 'view log' and save it! Then reboot your system into normal mode. Turn on System Restore. Reboot.
    
    STEP 12
    Search for the logfile 'mwav.log' in directory 'c:\bases'. Open the logfile with an editor; you can use this one or any other. Look for the files which are tagged as "virus". Now you have to copy&paste all these files tagged as "virus" into a new document. Are you finished doing this? Save it.
    
    ---> post every file eScan flagged as "virus"
    ---> and the names of the viruses. It looks like this: 
    
    'File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken. File deleted.'
    
    ---> Also post the result at the end of the 'mwav.log':
    
    =>Total Number of Files Scanned:
    =>Total Number of Virus(es) Found:
    =>Total Number of Disinfected Files:
    =>Total Number of Files Renamed:
    =>Total Number of Deleted Files:
    =>Total Number of Errors:
    ***** Scanning complete. *****
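STEP 12 asks for two things to be copied out of 'mwav.log' by hand: every line flagged as "virus" (with the virus name and the action taken) and the "=>Total Number of ..." counters at the end. The script below is an added example written for this page, not code from eScan or from the helper; it extracts both from a log in the shape the post describes and cross-checks the "Virus(es) Found" counter against the number of flagged lines, so a log that was trimmed or pasted incompletely shows up. The first sample line is the one quoted in the post; the other lines, paths and counts are constructed for this example and are not a real scan result.

```python
"""
Pull the "virus" lines and the summary counters out of an eScan mwav.log.
Added example for this page; not part of eScan and not the helper's own tool.
"""
import re

# Constructed sample log. Line 1 is the example the post quotes; the rest
# (paths, the "Example.Placeholder.A" name and the totals) are made up here.
SAMPLE_MWAV_LOG = r"""
File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken. File deleted.
File C:\WINDOWS\system32\example1.dll infected by "Example.Placeholder.A" Virus. Action Taken. No Action Taken.
File C:\Program Files\clean.exe scanned. No virus found.
=>Total Number of Files Scanned: 41234
=>Total Number of Virus(es) Found: 2
=>Total Number of Disinfected Files: 0
=>Total Number of Files Renamed: 0
=>Total Number of Deleted Files: 1
=>Total Number of Errors: 0
***** Scanning complete. *****
"""

# 'File <path> infected by "<name>" Virus. Action Taken. <action>.'
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r"Action Taken\. (?P<action>.+?)\.?$"
)
# '=>Total Number of <what>: <n>'
TOTAL_RE = re.compile(r"^=>Total Number of (?P<what>[^:]+): (?P<n>\d+)$")


def extract_infections(text):
    """Return one dict per line eScan flagged as infected."""
    hits = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def extract_totals(text):
    """Return the '=>Total Number of ...' counters as {what: int}."""
    totals = {}
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            totals[m.group("what")] = int(m.group("n"))
    return totals


def totals_consistent(text):
    """True when the 'Virus(es) Found' counter equals the flagged line count.

    A mismatch usually means the log was truncated when it was saved or pasted.
    """
    found = extract_totals(text).get("Virus(es) Found")
    return found is not None and found == len(extract_infections(text))


def build_report(text):
    """Assemble the text a helper asks to be posted: hits, then the counters."""
    lines = [f'{h["path"]} -> "{h["name"]}" ({h["action"]})' for h in extract_infections(text)]
    lines.append("")
    lines.extend(f"{what}: {n}" for what, n in extract_totals(text).items())
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_MWAV_LOG))
    print("counters consistent:", totals_consistent(SAMPLE_MWAV_LOG))
```

Note that eScan's "No Action Taken" on a flagged file is itself worth reporting: it is exactly the entry a helper needs to see, because the file is still present after the scan.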
