Internet Explorer Hijacked---Fixed?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by WildBamaBoy, Aug 17, 2008.

  1. WildBamaBoy

    WildBamaBoy Private E-2

    Hi.:wave

    Prepare for a long story. ;)

    About two weeks ago McAfee alerted me that a file called MSUDF.exe, which Google told me was a trojan downloader, was attempting to connect to the internet. Since it was unfamiliar to me it was blocked and manually deleted. I've had nothing but problems afterwards. :banghead

    A few days after the infection was cleared "iexplore.exe" was popping up out of nowhere in the task manager. It used between 15-35MB of memory and after about a minute it terminated itself. There was no window, and the username it opened under was SYSTEM.

    I CAN terminate the program myself without it immediately returning. But it DOES return after 30mins-2 hours.

    Up until now I just had McAfee block it from connecting. I don't use IE anyways. After doing a little housecleaning myself, I decided today to unblock Internet Explorer to see if the threat was gone. All was well until it finally popped up yet again, but this time here comes McAfee with guns-a-blazin'.

    It told me that it had blocked a script. The threat name was "JS/Wonka" and the process was iexplore.exe. If I remember correctly, it said the script was located in C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\*insert random letters here*
    I took a screenshot of that exact moment, I don't know why, but I've included it in the attachments. I navigated to that folder and it was full of what I can only describe as CRAP! :crap

    There were tons of 1x1 images, images of ads, Firefox documents, and the list continues. I did not dare open any of them but I did click some of the images to see what they were. You know, the little preview it gives you on the left? :p

    SUPERAntiSpyware detected some nasties in there. The only one I remember was Trojan.Agent. Sadly, I accidentally deleted that particular scanning log. After reading through your READ & RUN ME FIRST topic and doing all of the scans, SAS detected a few more nasties, which you'll see in the attached log.

    And this is strange...prior to running ComboFix there were 7 Content.IE7 folders on my system. Now there are three; all empty. The one that was full of crap is GONE and iexplore.exe hasn't come up yet. :confused

    ComboFix may have fixed it, but can you guys have a look at the logs just to give me peace of mind?

    Also, in My Computer, under Devices with Removable Storage, it lists that I have a 3 1/2 floppy drive...but I DON'T. Side effects of Combofix? Or what?

    P.S. I love these smileys...:) Nice little hint about Spybot S&D's Immunization, too. I didn't know about that.
     

    Attached Files:

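The symptom in the post above (iexplore.exe appearing under SYSTEM with no window, then exiting) is a cheap thing to check for automatically. The script below is an added example, not part of the thread or of any of the tools it mentions: it parses the CSV that `tasklist /v /fo csv` prints on Windows XP/Vista and flags browser processes that run under NT AUTHORITY\SYSTEM or have no window title. The tasklist output embedded in it is constructed for the example; the process names, PIDs and memory figures are illustrative.

```python
"""Added example (not from the original thread): flag browser processes
that run as SYSTEM or without a window, the symptom described in the post.

Input format assumed: the CSV produced by `tasklist /v /fo csv`.
The sample below is constructed for this example."""
import csv
import io

# Constructed sample of `tasklist /v /fo csv` output (header + rows).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:12","N/A"
"explorer.exe","1532","Console","0","21,440 K","Running","PC\\Dusty","0:00:30","Program Manager"
"iexplore.exe","2840","Console","0","28,116 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"firefox.exe","3012","Console","0","85,200 K","Running","PC\\Dusty","0:02:11","Mozilla Firefox"
"iexplore.exe","3100","Console","0","30,004 K","Running","PC\\Dusty","0:00:05","MSN - Windows Internet Explorer"
"""

# Image names we treat as interactive browsers (assumption for this example).
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def parse_tasklist_csv(text):
    """Return tasklist rows as dicts keyed by the CSV header line."""
    return list(csv.DictReader(io.StringIO(text)))


def mem_kb(value):
    """Convert a tasklist memory column such as '28,116 K' to an int (28116)."""
    return int(value.replace(",", "").rstrip("K").strip())


def suspicious_browsers(rows):
    """Browser processes that run as SYSTEM or have no window.

    A user's browser has an interactive window and runs under the user's own
    account.  A windowless browser running as SYSTEM is the pattern from the
    post: its IE cache then lands under
    ...\\config\\systemprofile\\Local Settings\\Temporary Internet Files.
    Returns (pid, image name, memory KB, reasons) tuples."""
    findings = []
    for row in rows:
        name = row["Image Name"].lower()
        if name not in BROWSERS:
            continue
        reasons = []
        if row["User Name"].upper() == SYSTEM_ACCOUNT:
            reasons.append("runs as SYSTEM")
        if row["Window Title"] == "N/A":
            reasons.append("no window")
        if reasons:
            findings.append((int(row["PID"]), name, mem_kb(row["Mem Usage"]), reasons))
    return findings


if __name__ == "__main__":
    for pid, name, kb, reasons in suspicious_browsers(parse_tasklist_csv(SAMPLE_TASKLIST)):
        print(f"PID {pid} {name} ({kb} KB): {', '.join(reasons)}")
```

On a live machine you would feed the script the real output of `tasklist /v /fo csv > tasks.csv`; the check is deliberately conservative (a user-owned iexplore.exe with a window title is not reported), so a hit is worth a closer look rather than an automatic kill.
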
  2. WildBamaBoy

    WildBamaBoy Private E-2

    More Logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Dusty Alexander\Local Settings\Temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
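The four HijackThis lines chaslang asks to have fixed share one property: the O2/O3/O9 registrations point at "(no file)" and the O16 ActiveX (DPF) entry has no download source after the trailing dash. The script below is an added example, written for this page and not part of HijackThis or the MGtools package: it parses HijackThis-style O2/O3/O9/O16 lines and returns the CLSIDs a helper would tick for Fix. The log excerpt it uses is constructed; four lines are the ones quoted in the post above, the other two are benign filler entries (an Adobe BHO and a Flash DPF) added so the filter has something to leave alone.

```python
"""Added example (not from the thread or from HijackThis): parse
HijackThis-style O2/O3/O9/O16 lines and flag orphaned registrations
("(no file)") and DPF entries with no download source."""
import re

# Constructed HijackThis excerpt: the four lines from the post plus two benign fillers.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# O2 - BHO: <name> - {CLSID} - <file>   (O3 Toolbar and O9 Extra button use the same shape)
COM_LINE = re.compile(r"^(O2|O3|O9) - ([^:]+): (.*?) - (" + CLSID + r") - (.*)$")
# O16 - DPF: {CLSID} (<name>) - <download source, possibly empty>
DPF_LINE = re.compile(r"^(O16) - DPF: (" + CLSID + r") \((.*)\) -\s*(.*)$")


def parse_hjt(text):
    """Return a list of dicts for every O2/O3/O9/O16 line; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = COM_LINE.match(line)
        if m:
            section, kind, name, clsid, target = m.groups()
            entries.append({"section": section, "kind": kind, "name": name,
                            "clsid": clsid, "target": target.strip()})
            continue
        m = DPF_LINE.match(line)
        if m:
            section, clsid, name, target = m.groups()
            entries.append({"section": section, "kind": "DPF", "name": name,
                            "clsid": clsid, "target": target.strip()})
    return entries


def entries_to_fix(entries):
    """CLSIDs worth ticking in HJT, with the reason for each.

    - a BHO/toolbar/button whose file is gone is a dead registration that
      only serves to load something later dropped under that CLSID;
    - a DPF control with no source URL cannot be re-downloaded legitimately."""
    out = []
    for e in entries:
        if e["target"] == "(no file)":
            out.append((e["clsid"], f"{e['section']} {e['kind']} points to a missing file"))
        elif e["section"] == "O16" and not e["target"]:
            out.append((e["clsid"], "O16 ActiveX control with no download source"))
    return out


if __name__ == "__main__":
    for clsid, why in entries_to_fix(parse_hjt(SAMPLE_HJT)):
        print(f"{clsid}: {why}")
```

Running it over a real HijackThis log selects exactly the entries with a missing target; entries with a real file path or download URL, like the two fillers, are left for manual review rather than flagged.
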
  4. WildBamaBoy

    WildBamaBoy Private E-2

    Done and done! Everything ran successfully. :cool

    Here are the logs.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  6. WildBamaBoy

    WildBamaBoy Private E-2

    Best thing I've heard in a while when it comes to this old thing.

    I had a couple strange things start happening after doing what your first post said. The error reporting window would come up fairly often saying "McAfee Firewall" and sometimes "McAfee Services" had to close. Restarting resulted in a stop error in "win32k.sys." Uninstalling those other antivirus programs seems to have fixed it, though.

    I wish I could say more than just thanks but I just can't think of nothin'.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
