
Disinfecting browser redirection to i.nuseek.com

5K views · 9 replies · 2 participants · last post by Ried
#1 ·
amateur said:
We want all our members to perform the steps outlined in the link given below, before posting for assistance.
As requested, DDS.txt is pasted at the end of this post, after my signature.

Gmer.exe (latest copy downloaded from your link) threw up a problem.
It seemed to finish the scan OK. It was possible to use the scroll bars to inspect the text. However, the moment that the Save button was clicked the application froze. The freeze was severe enough to freeze the system. No response to Ctrl+Alt+Del. Power off was required.

So Attach.zip contains Attach.txt, but no ark.txt.

When time permits, I will run Gmer again, and see if I can copy the text out before the application freezes.


My original post:-
Is there a known tool or technique to detect and remove a piece of malware that redirects browsers to parking pages or link farms generated at i.nuseek.com?

The reason for this unusual question is that my computer has been infected twice by this malware, and it has been neutralised twice, and I have no idea whether the malware has been crippled, removed, or has only hibernated.

After the first infection, I was taken through a series of diagnostic steps by the Detection people at an anti-spyware software vendor.

At the end of the exercise my logs were reported as clean, and there was no more redirection activity. However, there was no point in the diagnostic steps where it was indicated that malware had been identified, or that files had been deleted or uninstalled, or that settings had been changed.

Two of the diagnostic tools did terminate abnormally - and this may have impacted on the malware in some way so as to inhibit its activities.

At the second infection, nine months after the first, I repeated the diagnostic steps of the first infection - and miraculously that seems to have cured the problem. Again, I have had no indication about what happened or where. I have no knowledge about the malware status - has it been crippled, removed, or just hibernated?

The malware symptoms

One day, firing up your browser and entering your favourite URL gets you redirected to the parking page at i.nuseek.com.

The redirection lasts for a period of time - maybe 30 minutes or an hour, and then switches off. For a while, you get through to your favourite page again.

The pattern repeats - periodically your favourite URL is redirected for a while, and then everything works normally for a while. No other URLs except your favourite are affected.

A representative sample of the parking page can be seen at:

http://www.bottrax.com/?p=35

The photograph used can be seen at:

http://i.nuseek.com/images/template/360x318/ist2_746781_female_student.jpg

When the redirection is active, it redirects in all three browsers I have installed - IE7, Firefox 3.0 and SeaMonkey.

Although the payload of this malware appears to be more of a nuisance than anything dangerous, that could be an illusion. For this reason, I am seeking a tool that will positively detect and disinfect, and inform me of that.

I have no problem at the moment, but want to be ready for the next infection.

I am pretty sure that the last infection occurred when a URL selected from a Google search results list started to display, but was then redirected to a totally irrelevant document. Although I clicked on STOP and Back as quickly as I could, the infection had probably already occurred. This may well happen again in the future.

Gmer.exe postscript. In both cases of infection, a run with gmer ended with a STOP error and BSOD (the last one is actually reported in the Events viewer segment in Attach.txt). Both runs were in Safe Mode.

Aris

========================================================
DDS (Ver_10-03-17.01) - NTFSx86
Run by Home user 1 at 6:06:17.32 on 30/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2272 [GMT 1:00]

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\BridgerTech\GP Studio\GPServer.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\ATnotes\ATnotes.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
G:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ntvdm.exe
J:\Sources\TechSupportForum Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6080611
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/broadband
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - d:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\program files\free download manager\iefdm2.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - d:\program files\flashget\getflash.dll
uRun: [TClockEx] j:\sources\tclockex\unzipped\TCLOCKEX.EXE
uRun: [ATnotes.exe] d:\program files\atnotes\ATnotes.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [adiras] adiras.exe
mRun: [BillMinder] c:\qwse\BILLMIND.EXE
mRun: [COMODO Firewall Pro] "d:\program files\comodo\firewall\cfp.exe" -h
mRun: [LogMeIn GUI] "d:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Windows Defender] "d:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\homeus~1.del\startm~1\programs\startup\office~1.lnk - g:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
IE: &Download All with FlashGet - d:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - d:\program files\flashget\jc_link.htm
IE: Download all with Free Download Manager - file://d:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\program files\free download manager\dllink.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\program files\fiddler2\Fiddler.exe"
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A2BC7947-F05C-40AF-81F1-5C81FBCAB148} = 212.139.132.36 212.74.114.213
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - d:\progra~1\window~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.0.2 athlon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\homeus~1.del\applic~1\mozilla\firefox\profiles\h00cs2k9.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\home user 1.dell\application data\mozilla\firefox\profiles\h00cs2k9.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: d:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-7-26 87312]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-7-26 23824]
R2 cmdAgent;COMODO Firewall Pro Helper Service;d:\program files\comodo\firewall\cmdagent.exe [2008-7-26 507648]
R2 GPServer;GPServer;d:\program files\bridgertech\gp studio\GPServer.exe [2007-12-31 107008]
R2 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-7 47640]
R2 WinDefend;Windows Defender;d:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 legume_1;legume_1;c:\windows\system32\drivers\legume_1.sys [2009-8-6 34816]
S3 legume_111;legume_111;\??\c:\windows\system32\drivers\legume_111.sys --> c:\windows\system32\drivers\legume_111.sys [?]
S3 PORTMON;PORTMON;\??\d:\program files\sysinternals\portmsys.sys --> d:\program files\sysinternals\PORTMSYS.SYS [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 6:06:34.64 ===============

#2 ·
Ran Gmer.exe again. Amazingly, it behaved faultlessly (must have been the forced cold reboot following the previous freeze up).

I have added ark.txt to the original Attach.zip, which now contains 'attach.txt' and 'ark.txt'.

Aris

#3 ·
I have waited patiently for a week for a response to my original question:-

Is there a known tool or technique to detect and remove a piece of malware that redirects browsers to parking pages or link farms generated at i.nuseek.com?

I was hoping for at least one of the following responses:-

(A) Yes, we can remove the malware.
(B) Yes, here is a link to a solution...
(C) No, there is no known technique for this one.
(D) No established technique, each infection must be hunted individually.
(E) This is recent and new, and none of our helpers has any experience of it.
(F) This is recent and new, and none of our helpers has any experience of it - but we are willing to try.
(G) This is recent and new, and none of our helpers has any experience of it. Unfortunately, we do not have the capacity to explore new territory.
(H) The payload of this malware is nuisance only (i.e. nothing aimed at identity theft, or financial data detail).

Any response similar to one of the above would have been fine. As a systems analyst/programmer, I am used to making things happen on a computer and resolving any problems. In this case, I think I will have to accept that this topic will gradually drift into oblivion.

I will just have to wait until this malware has grown into a common and frequent infection...and solutions start to appear.

So be it.

Aris
#4 ·
Hello Aris,

What you're asking for is not realistic. Unlike the programming world, the world of malware recognition and removal is not 'black and white'. It is fluid - ever changing. Take a look around this forum and you'll see we deal with it all the time, and in various ways.

There are many infections that can cause this problem, and depending on which one it is, there are commercial apps such as Malwarebytes' Anti-Malware that can handle it. But lately, for most of them, specialty tools are required - and sometimes in conjunction with MBAM. Again, this requires knowledge of what infection(s) are present - they rarely come alone. The initial logs we ask for usually provide what we need in order to determine the tool of choice.
#5 ·
Thank you for your reply.

Ried said:
It is fluid - ever changing. Take a look around this forum and you'll see we deal with it all the time, and in various ways.
I appreciate that. I spent a considerable while browsing before deciding to join and post my problem. What I saw was a truly remarkable set of skills and experience in action.

I am an active helper in a technical forum for a C/C++ development tool, so am familiar with the steps from diagnosis to a solution. You guys are altogether on another level.

I even considered applying to join the TSF Academy, but that is full at the moment.

Back to my infections. Thanks to some blind luck events, I do not have active redirection at present, so presumably, there was insufficient evidence in the preliminary logs to provide a lead for the next diagnostic step.

If that is the case, it will be quite in order to erase or archive this topic, and I will post afresh if I get infected again.

If there were leads to follow in the preliminary logs, or you consider it worthwhile to pursue this case further, I will be happy to cooperate at whatever pace it proceeds.

Thanks again,
Aris
#6 ·
You're welcome. :)

No, I see nothing in your logs to suggest any problems at all. I do find it odd though, that you have absolutely no files or folders that have been modified in the last 90 days. Did you edit the report?
#7 ·
Ried said:
Did you edit the report?
Nope. You got all the logs as they came straight off the press.

However, I have no auto updates permitted for any package on my system, including Windows. There are occasions when I am forced into an update - Spybot definitions at the second malware infection, and from IE6 to IE7 by a frequently used website (but that was more than 90 days ago).

Everything works as I want it, and I am a firm believer in the well established principle "If it ain't broke, don't fix it.".

Mine is a working machine, and most of my time is spent in a development environment, creating, testing and debugging C/C++ packages.

Now, a shocking confession with a decades-long history - I have no active antivirus packages. In fact, there are none installed (there may be remnants of bundled packages in the logs). There are reasons for this, but I will not bore you with the details (another time maybe).

I do have a firewall, and have had one since they first became available.

Finally, my hard drive is partitioned. C:\ has nothing on it but Windows (and the odd package where the programmers did not allow choice of drive for installation).

Ried said:
No, I see nothing in your logs to suggest any problems at all.
Thanks for the inspection. So, the redirection malware is either very craftily hidden, or outside the inspection scope of DDS and Gmer.

In either case, I think that this thread is terminated, and I will have to return with an active infection.

We cannot mark it Solved - 'False Alarm' might be more appropriate. I will leave the disposition of the thread in your good hands.

Incidentally, the steps taken to get from an active malware redirection status to a normal behaviour status are pretty straightforward, even if they do not indicate how it was done or what actually happened. If you are interested, I can list the steps for your future reference.

Let me know, and I will send you a PM with the details.

Thanks again for your time and effort - very much appreciated.
Aris
#8 ·
Once again, you're welcome. :)

Everything works as I want it, and I am a firm believer in the well established principle "If it ain't broke, don't fix it.".
For the most part, this is a very good philosophy, but critical updates are just that - critical. As vulnerabilities are found in the OS, MS patches them and it's a good idea to download and install them. That could also be considered part of the 'tools' out there that protect the system.

I would very much like to know the steps you took. Oftentimes, steps that are taken, or commercial apps that have been run, are enough to knock down the infection for a bit, which of course keeps it from showing up in the scanning tools that we use until it rears its ugly head again.
#9 ·
...but critical updates are just that - critical. As vulnerabilities are found in the OS, MS patches them and it's a good idea to download and install them. That could also be considered part of the 'tools' out there that protect the system.
I cannot argue with the logic of that. As a freelance software contractor, my clients all get an unmerciful and continuous nagging about backups, security, updates, caution with e-mail attachments, Office macros, ActiveX docs, etc., etc.

I would very much like to know the steps you took.
On the way to you in the next couple of days - I need to gather the precise details from the exchange of private e-mails that took place after the first infection in 2009.

Aris