Smokey's Security Forums
Topic: [INACTIVE] Searchnu.com home page takeover (Read 3204 times)

Starbuck

  • Site Owner
  • Online
  • location: Midlands. UK
  • Posts: 3421
  • Leader Malware Analysis & Removal Team
  • Site Help Desk - Support Department
Re: Searchnu.com home page takeover
« Reply #9 on: November 22, 2012, 08:47:22 PM »
Due to the lack of feedback, this Topic will now be closed.

If you need this topic reopened, please request this by sending one of the Moderating team or an Administrator
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Starbuck

  • Site Owner
  • Online
  • location: Midlands. UK
  • Posts: 3421
  • Leader Malware Analysis & Removal Team
  • Site Help Desk - Support Department
Re: Searchnu.com home page takeover
« Reply #8 on: November 20, 2012, 08:59:41 PM »
Hi lefthooklacey,

Do you still require help?

Starbuck

  • Site Owner
  • Online
  • location: Midlands. UK
  • Posts: 3421
  • Leader Malware Analysis & Removal Team
  • Site Help Desk - Support Department
Re: Searchnu.com home page takeover
« Reply #7 on: November 16, 2012, 10:47:11 PM »
Hi lefthooklacey and welcome to Smokey's.

Unfortunately, not only are the OTL reports missing a lot of data, the version of OTL you are using is also very out of date; we can't work with that.
This is yours:
OTL by OldTimer - Version 3.2.36.3

The most current version is:
3.2.69.0

Let's get that sorted; there's also another scan I'd like you to do.
Please follow the steps in order.

Step 1
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.



Step 2
Please remove your copy of OTL (right-click on the icon and select Delete).
Now let's get a fresh copy:

  • Download OTL to your desktop.
    Right-click on the link and select 'Save Link/Target As'.
    If you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Extra Registry section, select Use SafeList.

    Now copy the lines in bold below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*
%USERPROFILE%\..|smtmp;true;true;true /FP
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT



  • Right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
ADWCleaner report
Both reports from OTL.

Please make sure that the complete reports are posted.
If for any reason the reports are too big, you can either post them one at a time (several posts) or add them as attachments.

Thanks

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
Re: Searchnu.com home page takeover
« Reply #6 on: November 16, 2012, 07:19:52 PM »
I hope I got everything in as needed.  I ran TDSSKiller but it found nothing.

Let me know what else is needed.

Thanks.

--lefthook

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
Re: Searchnu.com home page takeover
« Reply #5 on: November 16, 2012, 07:18:41 PM »
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-11-16 13:12:48
-----------------------------
13:12:48.341    OS Version: Windows x64 6.0.6002 Service Pack 2
13:12:48.341    Number of processors: 3 586 0x203
13:12:48.342    ComputerName: OWNER-PC  UserName: owner
13:12:50.438    Initialize success
13:13:47.041    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
13:13:47.043    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 6
13:13:47.055    Disk 0 MBR read successfully
13:13:47.057    Disk 0 MBR scan
13:13:47.059    Disk 0 unknown MBR code
13:13:47.062    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       599040 MB offset 63
13:13:47.091    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11436 MB offset 1226835855
13:13:47.130    Disk 0 scanning C:\Windows\system32\drivers
13:13:53.348    Service scanning
13:14:05.024    Modules scanning
13:14:05.030    Disk 0 trace - called modules:
13:14:05.054    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
13:14:05.057    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004755790]
13:14:05.060    3 CLASSPNP.SYS[fffffa6000979c33] -> nt!IofCallDriver -> [0xfffffa80045fbde0]
13:14:05.065    5 acpi.sys[fffffa600080dfde] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa8004643910]
13:14:05.069    Scan finished successfully
13:14:26.814    Disk 0 MBR has been saved successfully to "C:\Program Files (x86)\Mozilla Firefox\MBR.dat"
13:14:26.864    The log file has been saved successfully to "C:\Program Files (x86)\Mozilla Firefox\aswMBR.txt"
 

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
Re: Searchnu.com home page takeover
« Reply #4 on: November 16, 2012, 07:18:24 PM »
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-13 15:53:45
-----------------------------
15:53:45.742    OS Version: Windows x64 6.0.6002 Service Pack 2
15:53:45.742    Number of processors: 3 586 0x203
15:53:45.743    ComputerName: OWNER-PC  UserName: owner
15:53:49.577    Initialize success
15:54:09.268    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
15:54:09.270    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 6
15:54:09.277    Disk 0 MBR read successfully
15:54:09.280    Disk 0 MBR scan
15:54:09.282    Disk 0 unknown MBR code
15:54:09.284    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       599040 MB offset 63
15:54:09.314    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11436 MB offset 1226835855
15:54:09.352    Disk 0 scanning C:\Windows\system32\drivers
15:54:16.414    Service scanning
15:54:31.022    Modules scanning
15:54:31.028    Disk 0 trace - called modules:
15:54:31.043    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
15:54:31.047    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004778280]
15:54:31.050    3 CLASSPNP.SYS[fffffa6000985c33] -> nt!IofCallDriver -> [0xfffffa8003654770]
15:54:31.055    5 acpi.sys[fffffa6000819fde] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa800371f270]
15:54:31.060    Scan finished successfully
15:54:43.436    Disk 0 MBR has been saved successfully to "C:\Program Files (x86)\Mozilla Firefox\MBR.dat"
15:54:43.455    The log file has been saved successfully to "C:\Program Files (x86)\Mozilla Firefox\aswMBR.txt"
 

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
Re: Searchnu.com home page takeover
« Reply #3 on: November 16, 2012, 07:11:37 PM »
OTL Extras logfile created on: 11/16/2012 12:44:44 PM - Run 3
OTL by OldTimer - Version 3.2.36.3     Folder = C:\Users\owner\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.87 Gb Total Physical Memory | 2.03 Gb Available Physical Memory | 52.42% Memory free
7.94 Gb Paging File | 5.63 Gb Available in Paging File | 70.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 585.00 Gb Total Space | 250.08 Gb Free Space | 42.75% Space Free | Partition Type: NTFS
Drive D: | 11.17 Gb Total Space | 1.06 Gb Free Space | 9.47% Space Free | Partition Type: NTFS
Drive J: | 931.28 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: FAT32
 
Computer Name: OWNER-PC | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\SysWow64\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
Re: Searchnu.com home page takeover
« Reply #2 on: November 16, 2012, 07:10:41 PM »
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\iptk.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxeccaps.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecptp.dll ()
MOD - C:\WINDOWS\SysWOW64\LXECsmr.dll ()
MOD - C:\WINDOWS\SysWOW64\LXECsm.dll ()
 ========== Win32 Services (SafeList) ==========

lefthooklacey (Topic starter)

  • Member
  • Offline
  • Posts: 6
[INACTIVE] Searchnu.com home page takeover
« Reply #1 on: November 16, 2012, 07:10:05 PM »
I'm having some issues with my home page being taken over by this website. My computer has also begun running slow, freezing, etc.

OTL logfile created on: 11/16/2012 12:44:44 PM - Run 3
OTL by OldTimer - Version 3.2.36.3     Folder = C:\Users\owner\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.87 Gb Total Physical Memory | 2.03 Gb Available Physical Memory | 52.42% Memory free
7.94 Gb Paging File | 5.63 Gb Available in Paging File | 70.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 585.00 Gb Total Space | 250.08 Gb Free Space | 42.75% Space Free | Partition Type: NTFS
Drive D: | 11.17 Gb Total Space | 1.06 Gb Free Space | 9.47% Space Free | Partition Type: NTFS
Drive J: | 931.28 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: FAT32
 
Computer Name: OWNER-PC | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe (Bandoo Media Inc)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
PRC - C:\Users\owner\Desktop\OTL.scr (OldTimer Tools)
PRC - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
PRC - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\ezprint.exe ()
PRC - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecmon.exe ()
PRC - C:\Program Files (x86)\Windows Media Player\wmplayer.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
PRC - C:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
PRC - C:\Users\owner\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\d6dc54d6b4aadbc921d00c3b76647e61\System.Xml.Linq.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\5e3ccfdf88ccd6a9ff4e6ddae7e3fec6\System.Xaml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\c881e2d2ec912499834feb85c4c2e483\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\58f50a891bafb8fd7149e6eebc2b7b52\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\05ebffcb5aac31412fea8c38cbac8df8\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\cbb227c0a77a5b15a1255220984239f2\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\caffbced23ee85b40b919ad4a122b7aa\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\e450f586600c27379b52c1058292cfd9\System.Security.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\752225ca2585aa8f1c46b489e172e920\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\cb0c00757e89f0b1fe282913ed667212\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\9422d0c052186760a4645e10995487f5\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System\811a7bc79f8f0a5be8065292a320819e\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\16126cae96ea2422253ae06eeb672abc\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll ()
MOD - C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\ezprint.exe ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecmon.exe ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\epoemdll.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\epstring.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\epwizres.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\epwizard.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\customui.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\epfunct.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\eputil.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\imagutil.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecdrs.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecscw.dll ()
MOD - C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecdatr.dll ()

 
 

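The OTL reports quoted in Replies #1 to #3 follow a fixed line layout: a section name between runs of `=`, then `PRC - <path> (<company>)` or `MOD - <path> (<company>)` entries, and `<class> [<verb>] -- <command>` entries under Shell Spawning. The script below is an added example, not code from OldTimer's OTL, from this forum, or from anyone in the thread. It parses that layout and applies the three triage checks a helper reads for by hand when asked for these reports: entries with no company name in their version info, entries executing from user-writable locations, and shell-spawning handlers that are missing or that differ from the Windows default `"%1" %*`. The sample report is constructed from lines copied out of the posted logs plus their section headers; the `USER_WRITABLE` pattern, the `EXPECTED_OPEN` set and the wording of the findings are my own choices, not OTL's.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout OTL prints: section headers plus a few
# PRC/MOD/Shell Spawning lines copied from the reports posted in this thread.
# It is not a complete OTL report.
SAMPLE_REPORT = r"""
========== Processes (SafeList) ==========

PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe (Bandoo Media Inc)
PRC - C:\Users\owner\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)

========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll ()

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
regfile [merge] -- Reg Error: Key error.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# The company name is the last parenthesised group on the line, so a path
# containing "(x86)" is still captured whole by the lazy path group.
ENTRY_RE = re.compile(r"^(PRC|MOD|SRV|DRV) - (.+?) \(([^()]*)\)$")
SPAWN_RE = re.compile(r"^(\S+) \[(\w+)\] -- (.*)$")

# Heuristic (my choice, not OTL's): locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE)
# Windows sets the [open] handler of these classes to "%1" %*; any other
# value re-routes every launch of that file type through another program.
EXPECTED_OPEN = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}
DEFAULT_OPEN = '"%1" %*'


def parse_otl(text):
    """Map each OTL section name to the entries parsed under it.

    PRC/MOD/SRV/DRV lines become {"kind", "path", "company"} dicts; Shell
    Spawning lines become {"class", "verb", "command"} dicts. Lines that fit
    neither layout (registry key banners, blank lines) are skipped.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(
                {"kind": m.group(1), "path": m.group(2), "company": m.group(3)})
            continue
        m = SPAWN_RE.match(line)
        if m and current == "Shell Spawning":
            sections[current].append(
                {"class": m.group(1), "verb": m.group(2), "command": m.group(3)})
    return dict(sections)


def triage(sections):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for name, entries in sections.items():
        for e in entries:
            if "path" in e:
                if not e["company"]:
                    findings.append((name, e["path"], "no company name in version info"))
                if USER_WRITABLE.search(e["path"]):
                    findings.append((name, e["path"], "runs from a user-writable location"))
                continue
            item = f"{e['class']} [{e['verb']}]"
            if e["command"].startswith("Reg Error"):
                findings.append((name, item, "handler key missing or unreadable"))
            elif e["class"] in EXPECTED_OPEN and e["verb"] == "open" and e["command"] != DEFAULT_OPEN:
                findings.append((name, item, "executable handler differs from the Windows default"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(parse_otl(SAMPLE_REPORT)):
        print(f"[{section}] {item}: {reason}")
```

Run it against a full OTL.Txt by reading the file into `parse_otl` instead of `SAMPLE_REPORT`. Note what the heuristics do not catch: the Search Results Toolbar `datamngrUI.exe` entry from the posted log carries a publisher name and sits under Program Files, so it passes both the company and the location checks. Publisher and location narrow the list a helper has to read; they do not replace knowing which products are bundled toolbars.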
Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved