It all started with web page "alerts"


leif

...Then IE started opening spontaneously with a "Firefox" header. Zone Alarm persistently scanned as clean, but newly installed MBAM, SAS, Adaware, and WD found trojans and backdoors... Lots of cleaning, anti-exe malware found and system restore helped. But browsers still misbehaving. A2-AntiMalware is at least stopping the browser hijacks, but the cause of them remains.

Cannot update/repair Windows .Net framework. Windows Update stalls. Removed .Net, downloaded the entire .Net install package and came to end of lengthy repair and some part of the process sucks all system resources and it never finishes. Before reading your support FAQs I quarantined everything found in the A2 scan below. I have tried to stop System restore since most of the malware was in the _restore files. It seemed to hang and I ended it, but System Properties indicates it is off now.

A2 alerts now tell me various software is trying stealthy installs. Have run CCleaner and have all other software downloaded and ready to go.

~ INLINE LOG REMOVED ~

Edited by ShadowPuterDude
Removed inline logs

OK. Sorry about that log. I was following the "Let's get started" part of the START HERE.

Ran CCleaner; ran the A-Squared AntiMalware scan [again] and got much better results [attached]; it does not seem to indicate a need for the Win32kDiag tool (the instructions seemed to indicate I should wait for instructions at this point, but reading the rest it seems I should continue). Ran the ISeeYouXP.bat [report attached]; just after starting it, A2 popped up an alert about a suspicious file, NTVDM.EXE, that tried to run 35 times during ISeeYouXP.bat. I did not know if it was OK, so I ran a rule to stop it. Ran A2-HJF [attached].

I did eventually get Windows updated with the .Net 3.5 and following KB fixes; however, I had to monitor Task Manager and terminate modules of the .Net framework that repeatedly hung [serviceModelReg.exe, ComSvcConfig.exe, PresentationFontCache.exe, RegAsm.exe, RegSvcs.exe]. I have no idea if that was OK, but the install picked up again and in the end it says .Net is repaired now. Java and Adobe are current.

I am too verbose, but I just want to get this bugger RIGHT! and don't want any clues lost. Oh, and I've deselected IE as a browser option for Windows cuz it is so majorly HJ-d!! Firefox plugins with A2 rules control the symptoms for now.

Thank you a lot for your consideration... -L


Download Avenger from HERE and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text into the Input script box:
    Files to delete:
    C:\WINDOWS\Temp\av1.tmp
    C:\WINDOWS\Temp\av3E.tmp
    C:\WINDOWS\Temp\fb_1404.lck
    C:\WINDOWS\Temp\fb_1752.lck

    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please attach that log here in your next post.


Still problems with browser redirects [Firefox] if I click on a link directly. If I open in a new tab it is OK. I still get tabs opening spontaneously, but I have blocked most of the sites with A2, or their scripts with the NoScript plugin, and have denied all redirects in Firefox preferences. Scans with ZA, A2, MBAM, SAS, AA, SpybotSD come up clean except for tracking cookies. Sooo I guess the bugger is still there somewhere. I just wonder what it is doing that I can't see.

thanks for your time,

-L


OK, let's use a different tool.

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Attach both logs with your next reply.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    SRV - (WUSB54Gv42SVC) --  File not found
    SRV - (gusvc) --  File not found
    SRV - (Apple Mobile Device) --  File not found
    O3 - HKLM\..\Toolbar: (no name) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck]  File not found
    O24 - Desktop Components:0 () - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
    O32 - AutoRun File - [2008/01/11 15:27:00 | 00,000,132 | ---- | M] () - G:\autorun.inf -- [ NTFS ]

    :Files
    C:\80314432be3c58b21f
    C:\f85a393a58dd2a506a
    C:\8a03f0d26a7f6e47a982bd
    C:\59b7a0e2c746ff86c1c2
    C:\440ae6f231a7cb909cbc64b194
    C:\WINDOWS\*.tmp
    C:\Documents and Settings\Owner\My Documents\*.tmp
    @C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log (don't check the boxes beside LOP Check or Purity this time)

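An added example, not code from this thread or from OTL's author: a small Python preview of an OTL fix script in the format used above. It splits the `:OTL`, `:Files` and `:Commands` sections, groups the `:OTL` lines by their type code (PRC, SRV, O3, ...), and flags `@path:stream` entries as NTFS alternate data streams and `*.tmp` entries as wildcard patterns, so a reviewer can see what a script would touch before it is run. The sample script is constructed from entries in the post above.

```python
import re

SAMPLE_SCRIPT = r"""
:OTL
SRV - (gusvc) --  File not found
O3 - HKLM\..\Toolbar: (no name) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - No CLSID value found.
:Files
C:\WINDOWS\*.tmp
@C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
:Commands
[emptytemp]
[Reboot]
"""  # constructed sample, built from entries in the thread's OTL fix script
OTL_LINE = re.compile(r"^(?P<kind>[A-Z][A-Z0-9]*) - ")  # type code, then " - "

def parse_sections(text):  # -> {"otl": [...], "files": [...], "commands": [...]}
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def classify_file_entry(entry):
    """Return (kind, path, stream); kind is 'ads', 'glob' or 'path'."""
    if entry.startswith("@"):  # '@' marks an NTFS alternate data stream
        body = entry[1:]
        sep = body.rfind(":")  # last ':' splits path:stream; index 1 is the drive colon
        if sep > 1:
            return ("ads", body[:sep], body[sep + 1:])
        entry = body
    if any(ch in entry for ch in "*?"):
        return ("glob", entry, None)
    return ("path", entry, None)

def preview(text):  # summarise what the script would touch, without running OTL
    sections = parse_sections(text)
    report = {"otl": {}, "files": [], "commands": []}
    for line in sections.get("otl", []):
        m = OTL_LINE.match(line)
        report["otl"].setdefault(m.group("kind") if m else "UNKNOWN", []).append(line)
    report["files"] = [classify_file_entry(e) for e in sections.get("files", [])]
    report["commands"] = [c.strip("[]").lower() for c in sections.get("commands", [])]
    return report
```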

OK. OTL log attached. No problem running this. Firefox still opens tabs to HJ sites spontaneously and with clicked links, and Session Manager still claims that the last closed session was crashed and opens to a HJ site. My home pages are unchanged. Thanks for your persistence.

-L


Download ComboFix from one of these locations:

Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


YESsss. . . I think. Browsers seem to be behaving now. ComboFix found a rootkit after a couple of reboots which everyone else had missed: infected atapi.sys driver. Problem with all my AV programs starting up after the second reboot and getting in the way, but I seem to have held them all back enough to let ComboFix finish its thing.

Thanks A LOT!!

Give me a day to make sure. It seems that A2 keeps giving me warnings about blocked redirect attempts. But no bogus tabs opening...

-L


Using Add or Remove Programs in the Control Panel, uninstall the following:

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

-----------------------------------------------------------

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

Driver::
ooyog
MEMSWEEP2

File::
c:\windows\Internet Logs\xDB3F.tmp
c:\windows\Internet Logs\xDB3E.tmp
c:\windows\Internet Logs\xDB3D.tmp
c:\windows\Internet Logs\xDB3C.tmp
c:\windows\Internet Logs\xDB3B.tmp
c:\windows\Internet Logs\xDB3A.tmp
c:\windows\Internet Logs\xDB39.tmp
c:\windows\Internet Logs\xDB38.tmp
c:\windows\Internet Logs\xDB37.tmp
c:\windows\Internet Logs\xDB36.tmp
c:\windows\Internet Logs\xDB35.tmp
c:\windows\Internet Logs\xDB34.tmp
c:\windows\Internet Logs\xDB32.tmp
c:\windows\Internet Logs\xDB33.tmp
c:\windows\Internet Logs\xDB31.tmp
c:\windows\Internet Logs\xDB30.tmp
c:\windows\Internet Logs\xDB2F.tmp
c:\windows\Internet Logs\xDB2E.tmp
c:\windows\Internet Logs\xDB2D.tmp
c:\windows\Internet Logs\xDB2C.tmp
c:\windows\Internet Logs\xDB2B.tmp
c:\windows\Internet Logs\xDB2A.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\mkkhpugzijzyd.sys
C:\WINDOWS\Temp\fb_464.lck
C:\WINDOWS\Temp\GUR9.tmp

Folder::
c:\windows\Internet Logs

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed, since ComboFix (and even we) would be suspicious of it. Also, when you uninstall CF, the folder would not be removed, since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Unrecycled Combo-Fix.exe and renamed. Uninstalled the Java update and the Runtime Environment. When ComboFix started after dropping the script txtfile on it every piece of anti-malware on the computer woke up. Shut them down and CF continued and downloaded a new version of itself and everything seemed to go ok. Had to switch primary browser back to Firefox. So far so good.

One weird thing before all of this was that SpyBot SD TeaTimer opened a popup I could not see [offscreen] and stopped responding to right-clicks in the system tray and ProcessViewer and TaskMgr both crashed when trying to kill the process. I noticed some new registry entries for "spybot SnD" not "SpyBot SD." Uninstalled and reinstalled SpyBot without incident prior to reading your new reply.

This may have all been a problem with SpyBotSD; at any rate, this last ComboFix fix was run afterwards, and so far no strange behavior after a restart, and all anti-malware resumed operation. No new scans run yet. So far so good with the browser. Give me a day to play before I reduce my paranoia.

Thanks for everything.

-L


Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /uninstall or combofix /uninstall or Combo-Fix /uninstall
    Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)

Delete the following from your Desktop (if they exist):

  • Avenger.exe
  • Avenger.txt
  • Avenger.zip
  • CFscript.txt
  • dds.scr
  • dds.pif
  • DisableAutoRuns.reg
  • fixes.bat
  • FixMe.reg
  • FixReg.reg
  • ISeeYouXP.exe
  • ISeeYouXP.lnk
  • ISeeYouXP.txt
  • Win32kDiag.exe
  • Win32kDiag.txt
  • Anything else I had you use

Delete the following files (if they exist):

  • C:\Avenger.txt
  • C:\ComboFix.txt

Delete the following folders (if they exist):

  • C:\Avenger
  • C:\AvoidTDSSS
  • C:\ComboFix
  • C:\SDFix
  • C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run CCleaner

Turn off System Restore to flush all your restore points, then turn System Restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
