Random Internet Audio & Hijacked Browser

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ChaosArc, Feb 3, 2011.

  1. ChaosArc

    ChaosArc Private E-2

    Hello, my computer has started playing random internet audio, such as red bull ads, lysol ads, and tv show or something randomly, on and off. This occurs without any internet browsers open. Also, when trying to use an internet browser, microsoft internet explorer or firefox, I get redirected to sites other than the ones I entered.

    I have downloaded and run CCleaner with no results. I have downloaded and run SuperAntiSpyware which found and deleted two items. I have downloaded and installed DeFogger. I have downloaded and run Malwarebytes which found no infections; the log is attached. I downloaded and ran Combofix, which does not run as explained on the site. It generated a "catchme.log" file on the desktop which said the file c:\windows\system32\drivers\volsnap.sys was added successfully. I downloaded and ran RootRepeal and MG Tools; the logs are attached.

    None of these tools have had any effect on the audio and redirect problems described above. I greatly appreciate any assistance.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello. Our next steps will be the below.

    1. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    2.
    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe

    Please also download MBRCheck to your desktop

    3.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread
     
  3. ChaosArc

    ChaosArc Private E-2

    TDSSkiller will not run. Tried several times.

    Ran Bootkit remover with the following log:
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    76 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    Ran MBRcheck. I could not copy the text, but got the attached screen shot of the results.

    thanks for looking through all of this.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What is your physical drive 2 (931GB) from looking at the MBRCheck log? It needs to be fixed.
     
  5. ChaosArc

    ChaosArc Private E-2

    I have three hard drives on the computer

    C: Operating system and programs
    D: Data and work files
    E: Audio Video files

    What do you want me to do?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are going to have to boot into the recovery console. If it is not installed, then you will need to use your xp cd to get to the recovery console.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below.

    Re run MBRCheck and attach the log.
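    What Bootkit Remover and MBRCheck are inspecting in the posts above is the first 512-byte sector of the disk: the boot code, the four-entry partition table and the 0x55AA signature. The following Python example is added here for illustration and is not the thread's or either tool's own code. It builds a synthetic MBR (constructed sample data, not the poster's disk), parses the partition table, hashes the boot code the way the "Boot sector MD5" line does, and compares that hash against a baseline allowlist the reader captures themselves (no real boot-code hashes are assumed). The sample partition starts at LBA 63, which is why its byte offset comes out as 0x7E00, the same offset shown in the Bootkit Remover output earlier in the thread.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # legacy MBR boot code occupies bytes 0..439
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
SIGNATURE_OFF = 510     # two-byte boot signature 0x55AA
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (sample data, not a real disk image):
    one active type-0x07 partition at LBA 63 with 159,000,000 sectors (about 76 GiB)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = _ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 159_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and hash the boot code of one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = _ENTRY.unpack(sector[off:off + 16])
        if ptype == 0:          # empty entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "byte_offset": lba * SECTOR_SIZE,
            "sectors": count,
            "size_gib": round(count * SECTOR_SIZE / 2**30, 1),
        })
    return {
        "boot_sector_md5": hashlib.md5(sector).hexdigest(),
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_status(sector: bytes, known_boot_code_hashes: set) -> str:
    """Report OK when the boot code matches a hash in the caller's baseline allowlist,
    otherwise UNKNOWN (a prompt to inspect, not proof of infection)."""
    info = parse_mbr(sector)
    return "OK" if info["boot_code_md5"] in known_boot_code_hashes else "UNKNOWN"


if __name__ == "__main__":
    # Stub boot code resembling the opening bytes of a typical x86 MBR
    # (xor ax,ax; mov ss,ax; mov sp,0x7c00); constructed for the example.
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = {parse_mbr(clean)["boot_code_md5"]}
    print(parse_mbr(clean))
    modified = bytearray(clean)
    modified[0x20] ^= 0xFF      # change one byte inside the boot code region
    print(mbr_status(clean, baseline), mbr_status(bytes(modified), baseline))
```

    The boot code and the partition table are separate regions of the sector, which is why a tool can rewrite the boot code while the partitions stay intact: in the example, altering a byte of boot code flips the status to UNKNOWN but parse_mbr still returns the same partition list.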
     
  7. ChaosArc

    ChaosArc Private E-2

    Ran windows recovery console.

    Ran MBRcheck and the log is attached.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hang in there I will post back soon, I need to verify something.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Click Start, Run and copy and paste the below into the Run box and click OK.
    • Now reboot your PC and after reboot continue with the below instructions.
    • Re run MBRCheck and attach the log
    • Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • C:\MGlogs.zip
    • MBRCheck log
    Make sure you tell me how things are working now!
     
  10. ChaosArc

    ChaosArc Private E-2

    Ran mbrcheck and mgtools and have attached the logs.

    I keep getting a "System settings change. Windows has finished installing new devices. The software that supports your device requires that you restart your computer. You must restart your computer before the new settings will take effect. Do you want to restart your computer now? Yes. No." message.

    restarted twice and it keeps coming up.

    tried going online with firefox, and it gets grabbed trying to go to onlineprostats.com
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything.
     
  12. ChaosArc

    ChaosArc Private E-2

    Oops. Here they are.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now the MBRCheck log shows as normal, as it should. :) How are things running? Let me know whilst we are both online, and I will review the last MGlogs.zip.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now that we have done that successfully, I would like to see if you are now able to run Combofix. If so attach the C:\combofix.txt
     
  15. ChaosArc

    ChaosArc Private E-2

    Ran combofix. it generated the attached on the desktop and the computer reboots.

    Still getting the "windows has finished installing new devices..." message.

    Internet browsers still getting redirected.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still being redirected in both Internet Explorer and Mozilla Firefox?
    Does this behaviour occur in safe mode?
    Do you run through a router? If so then you will need to reset it to factory defaults, usually by a recessed button at the back or on the side.

    You can test this theory by connecting directly to your modem and if the redirects stop, then you know it is the router that is infected.

    What happened with TDSSKiller when you tried to run it? I want you to try again following my instructions in post #2. Did you actually download it because I see no signs of it in your logs now.
     
  17. ChaosArc

    ChaosArc Private E-2

    The PC that is messed up is in my office, and connects to the internet wirelessly. I am communicating with you via a mac mini which is connected directly to the wireless router.

    The redirects happen in the Microsoft browser and firefox, and in safe mode. But, I found a pattern, bookmarked sites work okay, but if I google something and click the result I get redirected. Tried the same with Bing.com and no redirects on the results.

    I re-downloaded TDSSKiller and put it on the desktop. It does nothing when clicked.
     
  18. ChaosArc

    ChaosArc Private E-2

    Hello! On your suggestion regarding the router: I actually had a newer router that I have not had the time to install, so I chucked the old one and put the new one in place. The PC was not seeing it, so I had to go out and get a new wireless card, which is working now.

    Unfortunately, all the same problems remain, Google browser redirect, and repeating hardware installation boot message.
     
  19. ChaosArc

    ChaosArc Private E-2

    I was re-reading this thread, and I think you were wanting me to run all the programs in your post #2? I had tried only to run TDSSkiller, which does nothing when clicked.

    I ran bootkitremover again, log is attached, and mbrcheck and that log is attached too.

    The random audio continues. Looking in my C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files folder, it looks like it is running amok on the internet, going to web sites all over the place. It's like there is an internet browser open somewhere, but nothing to be seen running.

    thx
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm. Let's continue on.

    1. Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    2. GMER - running with a random name

    Attach the log to your next message.

    3. Run this and attach the results.

    Using ESET's Online Scanner

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  21. ChaosArc

    ChaosArc Private E-2

    I hope something works soon, the computer is getting worse and worse....

    1. I don't know what you mean about normal mode, more info please.

    2. Gmer log attached

    I'm working on #3 & 4...sending this while i can
     

    Attached Files:

  22. ChaosArc

    ChaosArc Private E-2

    Eset found nothing.

    MGlogs zip attached.

    thx
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes. Try following instructions properly though, otherwise this delays things further. :(
    You missed step 4 of the R&R. That explains everything about MSCONFIG. Please take a look now because I want to see the next set of logs in normal mode.

    Use MSconfig to setup for Normal Startup Mode



    Luckily for you the malware has finally started to show itself. But because you are having trouble with Combofix we are going to have to use a different tool to tackle the malware.

    Uninstall outdated Java.

    • Java(TM) 6 Update 22
    • Java(TM) 6 Update 6

    Follow instructions carefully from now on.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.
    Code:
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CE8SIIFGSU"=-
    
    :files
    C:\WINDOWS\Ndudaa.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\doqrahxue.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\ficyob.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\gundljc.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\mikomz.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\ntzegvqem.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\xxsobseeg.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\ynayvmjkwr.exe
    C:\Documents and Settings\Richard\Local Settings\Application Data\yqdjntlfg.exe
    C:\WINDOWS\Tasks\INZL.job
    C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
    C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
    C:\DOCUME~1\Richard\LOCALS~1\Temp\Nc1.exe
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Feb 6, 2011
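    The OTM script in the post above is worth reading before it is pasted: its :reg section removes a value from the current user's Run key, its :files section lists executables dropped under the user profile plus .job files in the Tasks folder, and its :Commands section empties temp folders and reboots. The following Python parser is an added example, not OTM's own code and not from this thread's helpers; it handles only the :reg / :files / :Commands subset used here (the real OTM syntax accepts more) and uses the post's own script as its sample input. It groups the listed paths by where they live so a reader can see at a glance which persistence mechanisms a cleanup script is targeting.

```python
import re
from dataclasses import dataclass, field

# Sample input: the script from the post above, copied verbatim.
SAMPLE_SCRIPT = r"""
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CE8SIIFGSU"=-

:files
C:\WINDOWS\Ndudaa.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\doqrahxue.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\ficyob.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\gundljc.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\mikomz.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\ntzegvqem.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\xxsobseeg.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\ynayvmjkwr.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\yqdjntlfg.exe
C:\WINDOWS\Tasks\INZL.job
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
C:\DOCUME~1\Richard\LOCALS~1\Temp\Nc1.exe

:Commands
[emptytemp]
[Reboot]
"""


@dataclass
class OtmScript:
    reg_deletions: list = field(default_factory=list)  # (registry key, value name) pairs
    files: list = field(default_factory=list)          # paths the script would move
    commands: list = field(default_factory=list)       # lower-cased command names


# Only the value-deletion form  "name"=-  is supported under :reg (an assumption of this parser).
_VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')


def parse_otm_script(text: str) -> OtmScript:
    """Parse the :reg / :files / :Commands sections of an OTM-style script."""
    script = OtmScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):            # section header such as :reg or :Commands
            section = line.lower()
            current_key = None
            continue
        if section == ":reg":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                continue
            m = _VALUE_DELETE.match(line)
            if m is None or current_key is None:
                raise ValueError(f"unsupported :reg line: {line}")
            script.reg_deletions.append((current_key, m.group(1)))
        elif section == ":files":
            script.files.append(line)
        elif section == ":commands":
            script.commands.append(line.strip("[]").lower())
        else:
            raise ValueError(f"line outside any section: {line}")
    return script


def classify_path(path: str) -> str:
    """Bucket a path by the persistence or staging location it represents."""
    p = path.lower()
    if "\\tasks\\" in p and p.endswith(".job"):
        return "scheduled_task"
    if "local settings\\application data" in p or "\\temp\\" in p:
        return "user_profile_writable"
    if p.startswith("c:\\windows\\"):
        return "system_directory"
    return "other"


def summarize(script: OtmScript) -> dict:
    """Count Run-key deletions and file targets per location class."""
    summary = {"run_key_values": 0, "scheduled_task": 0,
               "user_profile_writable": 0, "system_directory": 0, "other": 0}
    for key, _ in script.reg_deletions:
        if key.lower().endswith("\\currentversion\\run"):
            summary["run_key_values"] += 1
    for path in script.files:
        summary[classify_path(path)] += 1
    return summary


if __name__ == "__main__":
    parsed = parse_otm_script(SAMPLE_SCRIPT)
    print(summarize(parsed), parsed.commands)
```

    Run against the post's script, summarize reports one Run-key value, four scheduled-task .job files, nine executables in user-writable profile locations and one in C:\WINDOWS, which matches the pattern the helper describes: randomly named droppers in the profile kept alive by a Run value and scheduled tasks.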
  24. ChaosArc

    ChaosArc Private E-2

    Went through all the steps, and the log files are attached.

    thanks
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Soluto <--- Uninstall this.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.
    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "vuewgrwy"=-
    "ojbpfdwq"=-
    
    :files
    C:\DOCUME~1\Richard\LOCALS~1\Temp\fhyamofem
    C:\DOCUME~1\Richard\LOCALS~1\Temp\qavwnhvwu
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  26. ChaosArc

    ChaosArc Private E-2

    Soluto uninstalled. Logs attached.
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So how are things running for you now?
     
  28. ChaosArc

    ChaosArc Private E-2

    Google searches are getting nabbed and redirected.

    There are a lot of ~DFE04.tmp, etc. files piling up in the C:\Documents and Settings\Richard\Local Settings\Temp folder, does that mean anything?

    I have not heard random audio for awhile.
     
  29. ChaosArc

    ChaosArc Private E-2

    The random audio came back.
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So as you have told me, this is happening in both browsers in both safe mode and normal mode.

    Uninstall Firefox reboot, run Ccleaner and reinstall. Same thing occurring?

    Run this anyway:

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  31. ChaosArc

    ChaosArc Private E-2

    Uninstalled Firefox, rebooted, ran ccleaner, and reinstalled Firefox.

    Both Internet Explorer and Firefox still getting Google redirects. Tried running the same in safe mode but no internet connection.

    Ran OTL and the logs are attached.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message # 20, Kestrel13 requested the below
    I do not see where you have completed this yet.
     
  33. ChaosArc

    ChaosArc Private E-2

    ESET log is attached.
     

    Attached Files:

  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I should have told you to leave Firefox uninstalled. My bad. Please uninstall it again. Remove any leftover Mozilla Firefox folders that may be left behind.

    Now we want you to run Internet explorer with no add-ons.

    Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons).

    Describe to us how things are, if you get redirected or not.
     
  35. ChaosArc

    ChaosArc Private E-2

    I uninstalled Firefox, then went to Explorer to delete the program file folders. I can delete everything except scriptff.dll in the C:\program files\Mozilla Firefox\components folder. Could this be the culprit? I get a "cannot delete, access is denied" when trying to delete it.
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It is a McAfee file I believe. Ignore it.
     
    Last edited: Feb 7, 2011
  37. ChaosArc

    ChaosArc Private E-2

    Ran Internet Explorer per your directions. Still getting Google redirects and random audio commercials.
     
  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What happens when you run TDSSKiller in SAFE mode? Are you able to do that? Please try and then let us know how it went.
     
  39. ChaosArc

    ChaosArc Private E-2

    In safe mode I click on it and get a window "Open File Security Warning: Do you want to run this file? Yes. Cancel."

    I select Yes and nothing happens.
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to uninstall McAfee at this point. (Just until we are finished)

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Try running Combofix now
    Try running TDSSKiller again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Feb 8, 2011
  41. ChaosArc

    ChaosArc Private E-2

    Ran avenger, log is attached

    Combo fix ran, made a catchme.log, message: The driver volsnap.sys is patched with a rootkit - attempting disinfection. It rebooted the computer and finished running. Log file attached.

    TDSSkiller ran, and the log file is attached.

    Ran MG Tools, and that log is attached.
     

    Attached Files:

  42. ChaosArc

    ChaosArc Private E-2

    no google redirects, no background random audio, computer is running good. Do you think it is all clear?
     
  43. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, it certainly looks like we are in the clear, however... Combofix was run in reduced functionality mode. (I know it still found and addressed a problem, but I am thinking there may be more problems, which if Combofix is run fresh again it may well find. If not, then yes! Definitely in the clear.) So, that being said:

    Download a fresh copy of Combofix let it over write the old copy, and again, from your desktop, simply double click the Combofix.exe file to run it, and attach the C:\Combofix.txt into your next reply.
     
  44. ChaosArc

    ChaosArc Private E-2

    ComboFix log is attached.
     

    Attached Files:

  45. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just confirm for me that all is still well. :) Then I can give you final steps. That last CF log looks just fine to me.
     
  46. ChaosArc

    ChaosArc Private E-2

    Surfing delicately at known sites, done some googling tests and it looks good. No crazy audio. Much better!!!
     
  47. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hehe, that's great!! :) Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  48. ChaosArc

    ChaosArc Private E-2

    I've been running it through its paces. Reinstalled Firefox and nothing fishy is occurring. Thank you for all of your help walking through the repair and recovery process. I greatly appreciate all of your time and providing so much of your experience and help. I'll stop back in some time to pick up some Major Geeks swag to support the site.

    thx!!!
     
  49. ChaosArc

    ChaosArc Private E-2

    Does this look normal to you? (see attached screen shot) I installed McAfee back on; could this have something to do with that?
     

    Attached Files:

  50. ChaosArc

    ChaosArc Private E-2

    Never mind. It seems they are Quicken and Adobe Acrobat temp files. I'm freaking paranoid now!

    thx!
     
