nasty infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kdogg, Oct 22, 2009.

  1. kdogg

    kdogg Private E-2

    My computer has come down with a nasty infection that has disabled access to ad aware and spybot, and disables mcafee on access scanning every time I log on. My internet searches are also redirected to ad pages. I have followed the preliminary clean up methods and Malwarebytes (which wouldn't load at all in the beginning) for instance is turning up no threats now. However, RootRepeal will not run a scan without sending me to the blue screen of death (it initializes then dies), and the other symptoms persist. Please help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Let's see if we can get some info so that we can determine which system file has been corrupted. That way we can try to replace it.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post)


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools

    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. kdogg

    kdogg Private E-2

    I followed your directions and have attached the corresponding files. The online SuperAntiSpyware scan wouldn't let me save a log, but only turned up and removed some tracking cookies.

    Just in case this helps, in the time between my original post and your reply I had run some programs (like superantispyware) that the system would allow and did some general snooping myself and found that the beep.sys file in the device manager had been hijacked and there was a file added to the device manager, something like tdss.sys or similar. I deleted those. My system has loosened up a little from its initial state, but is still in need of help.

    Thanks so much for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell us you were able to run ComboFix before. Please attach the below log from Oct 21st.
    Code:
    "C:\
    combofix.txt  Oct 21 2009       19488  "ComboFix.txt"
    
    Go to Add/Remove Programs and uninstall all of the below. If any do not uninstall, just continue and tell me which you had problems with later.
    Ad-Aware SE Personal
    Ad-Aware
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9

    Now see step 4 of the READ & RUN ME and run MSconfig and put your PC into normal startup mode.

    Now reboot your PC!!!!


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now install and run SUPERAntiSpyware and Malwarebytes per the instructions in the READ & RUN ME and see if you can run scans. If so, attach the logs.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator)

    Now attach the below log:
    • the SUPERAntiSpyware & Malwarebytes logs if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. kdogg

    kdogg Private E-2

    Sorry, I had forgotten about Combofix because the log didn't save on the desktop where I would notice it. I ran that on the first night of the infection.

    Removed the requested programs. Ad-Aware SE Personal wouldn't uninstall. Couldn't open the INSTALL.LOG file. I also get this message when trying to uninstall AOL instant messenger.
    SUPERAntiSpyware wouldn't install. "Error 1321 Windows installer has insufficient privileges to modify this file C:\ProgramFiles\SuperAntiSpyware\SuperAntiSpyware.exe". I had installed this program earlier, but don't remember ever getting it to run, so now the .exe file is there but will not give me access.
    I did try the procedure from this link http://www.superantispyware.com/supportfaqdisplay.html?faq=50 but my screen on the group policy settings didn't include the "Windows Installer" item. Simply wasn't there.

    Upon initial restart (after removing programs in step 1) McAfee didn't immediately disable on access scan, which it had been doing at every startup before. Other than that, I can't tell much difference yet. I am still denied access to some files and web searches are sometimes redirected.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    C:\win32kdiag.exe -f -r


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now try running SUPERAntiSpyware as instructed in the READ & RUN ME.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\KD\Local Settings\TEMP
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from Win32kDiag
    • the SUPERAntiSpyware log if it ran
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. kdogg

    kdogg Private E-2

    I may be imagining things, but it seems like my system is running a little faster now than before. I have run a couple of random web searches and they don't seem to be hijacked as often, but they still get redirected about every 5 searches.
    I attempted to uninstall Ad-Aware SE Personal again and am still given the Cannot Find Install.log message. I also noticed upon restart that McAfee was once again disabling the On-Access scan automatically.
    I cannot find a newer or different version of the combofix log than the one I attached in my last post. All other logs are attached. Thanks again.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give examples of what you are searching for, what links you click on, and where you go. Your logs appear to be clean.


    See if you can uninstall it using the below:

    Your Uninstaller! 2009

    Apparently your infection broke McAfee. I suggest that you run the below uninstaller and then after a reboot reinstall McAfee.

    McAfee Consumer Product Removal Tool



    Also run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

    After clicking Fix, exit HJT.

    How are things working now?
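
The two HijackThis lines listed in this reply are registrations that point at nothing: a BHO whose DLL is "(no file)" and a DPF entry with no codebase URL. As an added example (not part of this thread and not one of the MajorGeeks tools), here is a small Python parser for the O2/O16 line formats that flags such orphaned entries for review; the sample log is constructed, and its second entry of each kind uses placeholder CLSIDs, names and paths.

```python
import re
from typing import Dict, List, Optional

# Constructed HijackThis-style log excerpt for this example (not the thread's
# real log). The two orphaned lines are the ones quoted in the reply above; the
# other two are made-up healthy entries with placeholder CLSIDs and paths.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {66666666-7777-8888-9999-000000000000} (Example Control) - http://example.invalid/ctrl.cab
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O16 lines: "O16 - DPF: {<CLSID>} [(<name>)] - <codebase URL, possibly empty>"
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O2 or O16 line into a dict; return None for any other section."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return {"section": "O2", "name": m["name"], "clsid": m["clsid"].upper(), "target": m["path"]}
    m = O16_RE.match(line)
    if m:
        return {"section": "O16", "name": m["name"] or "", "clsid": m["clsid"].upper(), "target": m["url"]}
    return None


def orphan_reason(entry: Dict[str, str]) -> Optional[str]:
    """Why an entry is a leftover registration with nothing behind it, or None if it looks intact."""
    if entry["section"] == "O2" and entry["target"].strip().lower() == "(no file)":
        return "BHO registered but its DLL is missing"
    if entry["section"] == "O16" and entry["target"].strip() == "":
        return "DPF entry with no codebase URL"
    return None


def orphaned_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed O2/O16 entries that point at nothing, each with its reason attached."""
    found = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = orphan_reason(entry)
        if reason:
            found.append({**entry, "reason": reason})
    return found


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e['section']} {{{e['clsid']}}}: {e['reason']}")
```

Orphaned entries like these are harmless leftovers once the file is gone, but they are also where a reinstalling component would reappear, so they are worth clearing and re-checking in a later log.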
     
  9. kdogg

    kdogg Private E-2

    My test searches are just random words or phrases. For instance, if I search the word airplane in google and click on the wikipedia entry in the results I get redirected to: http://sme365.com/search.php which then immediately redirects to http://www.yellowpages.com/?from=amp_nw_branding.

    Another example: google "apple tree" and I click on the link for growing apple trees, www.ces.ncsu.edu/depts/hort/hil/hil-8301.html which redirects to http://trovacinema.com/search.php, which then immediately redirects to http://www.theclickcheck.com/?sub=1...Y2gvRmxv cmlzdHM/ZnJvbT1hbXBfbndfZmxvcmlzdHM=

    I have never seen any consistency in the sites I am being sent to, only that the original redirect always sends me somewhere else immediately.

    The good news is that Your Uninstaller did the trick on Ad Aware. Unfortunately the McAfee tool wouldn't uninstall that program so I used Your Uninstaller to get rid of it as well.

    Instead of reinstalling McAfee I went with the less resource hungry Avast! to see how I liked it. Not long after installing it alerted me that I had a rootkit in C:\WINDOWS\SYSTEM32 named tdlwsp.dll (described as Win32:Alureon-DR [Rtk]). I asked that it be deleted and within 15 minutes I received the same message. I deleted it again. I shut the comp down and did some other things and a few hours later came back, booted up and received the message one more time. This time I asked that the file be moved to the Virus Chest. I just received another message, so it seems that this thing replicates every thirty minutes or so.

    Other than what I have described everything seems to be functioning normally, but I am trying to limit use.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time this comes up, do not do anything with it. Just shut down Avast and download the new version of combofix.exe to your Desktop (yes overwrite the previous copy) and run it. Then attach the new ComboFix log.


    [EDIT] I forgot something! Also download and run the new version of MGtools and then attach the new MGlogs.zip file.
     
    Last edited: Nov 4, 2009
  11. kdogg

    kdogg Private E-2

    Logs attached. ComboFix said it found a rootkit and restarted before the majority of the scan. I had also run a boot-time virus scan before I saw your reply and it turned up a few things. I have attached a jpg of the virus chest from avast.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this: Running GMER to detect rootkits

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the log from GMER
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. kdogg

    kdogg Private E-2

    New logs are attached. For now everything seems to be running like it is supposed to, but I'll update if anything comes up as I complete a few tasks.
     


  14. kdogg

    kdogg Private E-2

    Everything seems to be functioning normally almost two weeks later. Did the last set of logs look ok? If so I just wanted to clean up the tools we used but wanted to go about it the right way. What should be removed and are there any special instructions? Thanks for all your help.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but somehow you slipped by unnoticed. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
