Browser Redirected and Fake Security Center Warning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pbmax, Feb 11, 2009.

  1. pbmax

    pbmax Private E-2

    Am supporting machine operated by another user, so details of initial infection are vague. Suffice to say that in either IE 6 or Firefox 2.x, virtually no web browsing could be done without an alert opening in browser window indicating that connection had been suspended due to suspected suspicious software activity. At this point could close browser or click on links, user clicked once on link.

    Also had fake Security Center warning about a "trojan worm" that needed special software to remove. Wasn't the window from virtumonde infections that I recall, but similar. Popped up every 10 or 15 minutes, easy to cancel, but was in front of every other window when open.

    Ran READ & RUN ME FIRST and did suggested cleaning. Seems to have eliminated the two obvious problems. Hoping for firmer confirmation that all affected files/keys are gone. Logs attached in this and next post.

    Thank you.
     

    Attached Files:

  2. pbmax

    pbmax Private E-2

    Here is the MGLogs.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just a few questions as it appears as though the scans took care of most of it.

    Did your friend set these:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Do you know what these are:
    Code:
    C:\Documents and Settings\temp\Application Data\"
    awrl2p~1.gif  Feb  9 2009        2119  "awRL2pFxtt.gif"
    awrl2p~2.gif  Feb  9 2009         598  "awRL2pFxyy.gif"
    awrl2p~3.gif  Feb  9 2009         607  "awRL2pFxnn.gif"
    
    Please remove all files ( other than those created today) from:
    C:\WINDOWS\Temp\

    Tell me what issues you still have.
     
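    The R0/R1 lines TimW quotes follow a fixed shape (kind, registry key, value name, data). As an added example, not code from the thread or from HijackThis, here is a small parser for that shape that flags every browser start/search entry whose data the operator cannot vouch for; the sample log lines and the allowlist are constructed (the Google home page is taken from pbmax's recollection in the thread).

```python
import re
from typing import Dict, List, Optional, Set

# Shape of the HijackThis R0/R1 entries quoted in the thread, e.g.
#   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HJT_R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")

def parse_hjt_r_line(line: str) -> Optional[Dict[str, str]]:
    """Split one R0/R1 line into hive, key, value name and data; None if not an R line."""
    m = HJT_R_LINE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["hive"] = entry["key"].split("\\", 1)[0]   # HKCU or HKLM
    return entry

def flag_browser_settings(log_lines, allowed: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return entries whose data is not on the operator's allowlist.

    'allowed' maps a value name (e.g. "Start Page") to the data the operator
    knows the user set; a value name absent from it is treated as unexpected,
    which is exactly the question TimW is putting to pbmax.
    """
    findings = []
    for line in log_lines:
        entry = parse_hjt_r_line(line)
        if entry is None:
            continue
        known = allowed.get(entry["value"], set())
        if entry["data"] not in known:
            findings.append(entry)
    return findings

# Constructed sample: the four lines TimW quoted, one unrelated O4 line, and one
# Start Page entry pointing at a URL the operator recognises.
SAMPLE_LOG = [
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = about:blank",
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer,SearchURL = about:blank",
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank",
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/",
]

# Assumption: the operator remembers the user's home page was Google (post #4).
OPERATOR_ALLOWLIST = {"Start Page": {"http://www.google.com/"}}
```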
  4. pbmax

    pbmax Private E-2

    The GIFs are a green checkmark, a red x and a large yellow shield with an exclamation point according to their preview in IrfanView. Otherwise, I have no idea. They have the finished appearance of application icons, but unsure of why they are there or what they are from. I cannot reach the user by phone currently.

    The about:blank default webpage is an unknown as well. Previously, IE was used as the browser and it was set for Google as the default webpage, I believe. I have installed Firefox for current use.

    To reach your site while infected, I used Opera-USB burned onto a CD so I could navigate the web and avoid getting my flash drive infected. It's possible the icons are Opera related, but I don't remember them. Temp was the user name we were logged in under.

    One additional point, to check MSCONFIG for normal startup for READ AND RUN FIRST, I had to restart in Safe Mode. Any regular attempt to launch MSCONFIG resulted in a restart of the computer. The Safe Mode revealed a normal startup was checked.
     
  5. pbmax

    pbmax Private E-2

    All temp files deleted as requested except:

    C:\WINDOWS\Temp\ib4
    C:\WINDOWS\Temp\ib3
    C:\WINDOWS\Temp\ib2
    C:\WINDOWS\Temp\Perflib_Perfdata_68c

    give an "in use" error

    C:\WINDOWS\Temp\CGA01E
    C:\WINDOWS\Temp\hsperfdata_SYSTEM\1552

    respond that access is denied
     
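    TimW's instruction in post #3 (clear C:\WINDOWS\Temp except for today's files) and the "in use" / "access denied" failures pbmax reports here are a common pair. As an added example, not code from the thread, this script does that cleanup and sorts the failures into those two buckets; on Windows both arrive as PermissionError, distinguished by winerror 32 (sharing violation, i.e. in use) versus 5 (access denied). The directory it runs against is a constructed scratch folder, not the real temp directory.

```python
import os
import shutil
import tempfile
import time
from datetime import date, datetime
from pathlib import Path

def _modified_today(p: Path, today: date) -> bool:
    """Compare the entry's own mtime against 'today' (lstat: do not follow links)."""
    return datetime.fromtimestamp(p.lstat().st_mtime).date() == today

def clean_temp_dir(temp_dir, today=None):
    """Delete top-level entries of temp_dir not modified today; return a report.

    Entries a running process still holds open fail with winerror 32 on Windows
    (the thread's "in use" error); locked-down ones fail with winerror 5
    (access denied). Both raise PermissionError, so they are split by winerror.
    """
    today = today or date.today()
    report = {"deleted": [], "kept_today": [], "in_use": [], "denied": []}
    for p in sorted(Path(temp_dir).iterdir()):
        if _modified_today(p, today):
            report["kept_today"].append(p.name)
            continue
        try:
            if p.is_dir() and not p.is_symlink():
                shutil.rmtree(p)
            else:
                p.unlink()
            report["deleted"].append(p.name)
        except PermissionError as e:
            bucket = "in_use" if getattr(e, "winerror", None) == 32 else "denied"
            report[bucket].append(p.name)
    return report

def demo():
    """Constructed sample: a scratch directory standing in for C:\\WINDOWS\\Temp."""
    root = Path(tempfile.mkdtemp(prefix="temp_demo_"))
    old = time.time() - 3 * 86400               # three days ago
    (root / "ib4").mkdir()
    (root / "ib4" / "stale.tmp").write_text("x")
    (root / "CGA01E").write_text("x")
    (root / "today.log").write_text("x")        # created today, must be kept
    for name in ("ib4", "CGA01E"):
        os.utime(root / name, (old, old))       # backdate the stale entries
    report = clean_temp_dir(root)
    shutil.rmtree(root, ignore_errors=True)
    return report
```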
  6. pbmax

    pbmax Private E-2

    Neither original issue seems to be happening. No browser redirects or "hold" messages, and there are no Security Center web popups.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's just reset your IE browser:

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Tell me if you get a success message.

    Then run CCleaner, both the cleaner and the registry (make sure you do the backup when prompted).

    Let me know how things are running.
     
  8. pbmax

    pbmax Private E-2

    Reg Edit done and it reported a success. Ran it as a local administrator, I assume that will not be a problem for other users?

    Behavior is normal, even for IE browsing except that in trying to save search settings for IE, the application freezes. Can kill it in Task Manager and restart, but odd nonetheless.

    After the initial clearing, I allowed Windows Update to download IE 7. So it's a new install and it wants to save the new browser defaults. Search engine is the only one it gets stuck on, although I can browse to all search sites and anti-virus sites with both IE and Firefox.

    Tested IE as another user (this user had Power User rights, the initial user had limited User rights), and search default saved fine.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know what other issues you still have. If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
