Malware Browser Redirect: Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pars6nip, Jul 27, 2008.

  1. pars6nip

    pars6nip Private E-2

    Hi,

    I've gone through the Windows XP cleaning process, and am STILL having problems with browser redirecting. I am also afraid there still might be something dangerous on the computer, since there was so much on it.

    The first threat notice was a "packed.generic.174" notice from Symantec AV. That was followed by notices of downloaders and dialers which the AV was dealing with. I began running my Yahoo Anti-Spy program and then AdAware. Both found Trojans, Downloaders, you name it. I deleted the items, and still had problems.

    I then ran through your PC cleaning procedure with my Windows XP Professional, Service Pack 2 laptop. Got lots of stuff, but browser is still redirecting. Since there was so much garbage, I don't want to treat it lightly. Can you help?

    All this MAY have begun when a web page informed me that I had to download the latest version of Flash Player. Many, if not all, of the bad files seem to have been downloaded on 7/25/08 at 2:48 pm.

    I have attached three files; will attach the 4th in my next message.

    Thanks, Pars
     

    Attached Files:

  2. pars6nip

    pars6nip Private E-2

    Here's the 4th file. Pars
     

    Attached Files:

  3. pars6nip

    pars6nip Private E-2

    Another bit of info. Using my Yahoo Anti-Spy, "Estalive" continues to pop up, even after deletion.

    I've also run the SmitFraudFix and have the logs.

    Pars
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I see that you have also posted this at another forum:

    http://forums.techguy.org/malware-r...4088-browser-hijack-after-malware-attack.html

    Please do not cross post at multiple forums. There are very few of us helpers out there doing this and the duplicated effort to work the same problems on multiple sites is a waste of these precious resources. Also working on multiple forums at the same time can lead to problems and confusion for the helpers.

    If you have started working on a fix for your problem and are still working at the techguy forum, then you should just continue there. If you have not started working there, you can continue on with the below fix, but I suggest that you post a message in your other thread stating that you are already receiving help and that your thread can be closed.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O21 - SSODL: monappmnt - {59562A1B-4D3F-C71F-9640-0783AE62FF59} - C:\Program Files\myjtoc\monappmnt.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    Thanks for your reply. I tried this forum after receiving no reply at the other. I will message the other forum that we are working the issue here.

    A couple of notes about the procedure:

    --While running Combo Fix, the Trojan PWS Bancos was trying to access a file, probably to interfere with Combo Fix, but Spyware Doctor blocked it. Windows was trying to access a file, but could not, and was asking to associate a program with it. I cancelled it each time it popped up. Combo Fix seemed to run fine both times. I was a bit unsure in your directions about what Combo Fix.exe should be on the Desktop. I had already deleted the original installer program. But I did have the Combo Fix icon on the Desktop.

    --I just checked for browser redirects, on about 10 searches, there were no redirects. However, I am still leery: the Trojan Bancos may still be lurking, and Bifrost (backdoor) and Estalive (adware) were still detected by my Yahoo Antispy. I deleted them with that but, anything I delete with that always comes back.

    --The registry edit trick did not work. The file was not recognized as a registry edit script, even though the icon shows as such. I went ahead and ran CC cleaner.

    Attached are the logs.

    Thanks again, Pars
     

    Attached Files:

  6. pars6nip

    pars6nip Private E-2

    An update: Symantec has quarantined IEDefender. I thought that was a file in one of the Antispy programs I downloaded at MajorGeeks suggestion. Pars
     
  7. pars6nip

    pars6nip Private E-2

    Another update: IE does not want to open. It does only occasionally. Something is trying to disable it. Firefox does open. Pars
     
  8. pars6nip

    pars6nip Private E-2

    False alarm on IE. Seems to be operating fine now. Still no redirects. Pars
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install WinPcap 3.1 yourself to use with some kind of software to do packet capturing/sniffing? WinPcap is not malware but could be used for malicious purposes so if you did not install it, uninstall it.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between combo-fix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
  10. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    Thanks a mil for your help. Do you have suggestions on what I should do for Estalive, Bifrost, and the Bancos Trojan? Pars
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes finish 100% of my final instructions and then run a scan with whatever program is detecting those issues and attach a log if anything is found.
     
  12. pars6nip

    pars6nip Private E-2

    Hello Chaslang,

    Did as you requested: deleted excess programs, and armed myself as directed against malware.

    Unfortunately, I don't have any logs for Bifrost backdoor or Estalive, because the Yahoo Anti-Spy utility doesn't have any log AFAIK. I did see some info on Estalive at the following URL:

    http://www.ca.com/gb/securityadvisor/pest/pest.aspx?id=453099221#section7

    I can't attach my Spyware Doctor log, because it is invalid for uploading. SD detected about 4 malware, but I guess I am most concerned about Bancos, because I have recent evidence of its activity. Here's the SD log item:

    -----------------
    2008-07-27 16:43:48:46 IntelliGuard: System Event Blocked
    Threat Name - Trojan-PWS.Bancos
    Details - Spyware Doctor has blocked an application attempting to access a file.
    Risk Level - High
    Infection - C:\327882R2FWJFW\PV.CFEXE
    -----------------
    This was blocked probably 100 times.

    Is there an identity theft threat with Bancos? Should I take any action?

    Thanks, Pars
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot help you with something that I cannot see. You need to show me exactly what is being reported and where. Type it up or get a legible snapshot.


    This is not malware. It is a temp file from ComboFix and probably only still exists because Spyware Doctor got in the way of ComboFix properly running. Spyware Doctor should have been terminated each time before ComboFix was run. You can simply delete the C:\327882R2FWJFW folder if it still exists. It is rather poor of Spyware Doctor if it could not fix a problem that it is reporting, and it is even more of a problem that it is falsely reporting this to be a password stealer. All that program does is list running processes. PV stands for Process Viewer.
     
  14. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    Bifrost hasn't shown up again yet, but Estalive was detected by Yahoo Anti-Spy. Why this lame program is detecting when the others didn't, I don't know. Maybe it's really nothing.

    Here's the data from Yahoo Anti-Spy on Estalive:

    Type: Key
    Object location: hkey_local_machine \software\microsoft\internet explorer\activex compatibility\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}

    What do you make of this?

    BTW, thanks for all of your help!

    Pars
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know how to use the registry editor to navigate to this registry key and look at it? I want to know what the Compatibility Flag is set to.

    These ActiveX Compatibility keys are often used by programs like Spyware Blaster to protect you from malicious activex scripts. Spyware Blaster does not add this particular entry but something else could have. The above CLSID (the long string of numbers and letters) is related to Estalive but it may be only to block it.
     
  16. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    Here's the info from the registry:

    Compatibility Flags / REG_DWORD / 0x00000400 (1024)
    Pst / REG_DWORD /0x00000002 (2)

    Thanks, Pars
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Compatibility Flag value is okay but the Pst value is not normally there. Let's just see if this can be removed manually.


    Copy the bold text below to notepad. Save it as fixEST.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you received a success message, check to see if the registry key is gone now.
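A check that goes with the Compatibility Flags discussion in the posts above. This is an added example, not part of chaslang's instructions or anything posted in the thread: it walks every CLSID under Internet Explorer's ActiveX Compatibility key, reports whether the 0x400 kill bit is set, whether the CLSID is actually registered as a control on the machine, and which keys carry values other than Compatibility Flags (the stray Pst value seen here). It assumes an elevated PowerShell 3 or later prompt on the machine being examined; the function names are my own.

```powershell
# Added example (not from the thread). Survey IE's ActiveX Compatibility
# (kill-bit) entries and pick out the ones worth a second look.
# Assumption: elevated PowerShell 3+ on the machine under examination.

$CompatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400   # COMPAT_FLAG_KILL_BIT: IE refuses to instantiate the control

function Resolve-ClsidName {
    param([string]$Clsid)
    # A kill bit added purely for protection (Spyware Blaster style) usually
    # points at a CLSID that is not registered at all, so $null is common here.
    $item = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

function Get-ActiveXCompatReport {
    param([string]$Path = $CompatBase)
    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $flags = $props.'Compatibility Flags'
        # Every value name under the key, minus the provider's PS* bookkeeping.
        $valueNames = $props.PSObject.Properties | ForEach-Object { $_.Name } |
            Where-Object { $_ -notmatch '^PS' }
        $extra = $valueNames | Where-Object { $_ -ne 'Compatibility Flags' }
        [pscustomobject]@{
            CLSID       = $clsid
            Name        = Resolve-ClsidName $clsid
            Flags       = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '<missing>' }
            KillBitSet  = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            Registered  = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            ExtraValues = ($extra -join ',')
        }
    }
}

$report = Get-ActiveXCompatReport
$report | Format-Table -AutoSize

# Entries worth attention: no kill bit at all (the key does nothing), a kill
# bit on a control that is really installed (something you use is blocked),
# or values beyond Compatibility Flags (the Pst value in this thread).
$report | Where-Object { -not $_.KillBitSet -or $_.Registered -or $_.ExtraValues } |
    Format-Table -AutoSize

# Single CLSID, e.g. the one Yahoo Anti-Spy reported as Estalive above.
$report | Where-Object { $_.CLSID -eq '{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}' }
```

Read the output the way chaslang reads the thread's values: a key whose only content is Compatibility Flags = 0x400 on an unregistered CLSID is the normal shape of a protective kill bit and is not evidence of an infection; an extra value, a missing kill bit, or a kill bit on a registered control is what merits a closer look.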
     
  18. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    The registry edit was successful. I did something different this time than the last time we tried the regedit. So, I also redid the previous registry edit we tried last time unsuccessfully. This time it worked.

    I saw a number of those PST values in registry keys around that one. Should those all be deleted from the registry? Can one do it with the registry search feature?

    Thanks a mil, Pars
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Don't touch anything else.

    Is Yahoo AS still detecting the same registry key?
     
  20. pars6nip

    pars6nip Private E-2

    Strangely enough, yes, the very same registry key no. turns up. However, I didn't reboot after the regedit. Pars
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Please go to this link: http://live.sysinternals.com
    • find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
    • Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    • For you the prompt should show C:\Documents and Settings\local_admin>
    • Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\local_admin\Desktop>
    • Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
      • psexec -s -i regedit
    • In the Registry Editor click File, Import and then navigate to the fixEST.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    • If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.
    Now is the key still detected?
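Before falling back to psexec -s, it is worth seeing why an ordinary .reg merge could not touch the key. The following is an added example, not from the thread or from chaslang's instructions: it prints the owner and DACL of the key named in this thread, and then probes effective access by trying to open the key for writing as the current user. It assumes an elevated PowerShell 3 or later prompt; the function names and the $SubKey variable are mine.

```powershell
# Added example (not from the thread). Explain a .reg merge that fails for an
# administrator but succeeds for SYSTEM: look at the key's owner and DACL, and
# test actual write access as the current account.
# Assumption: elevated PowerShell 3+; CLSID is the one discussed in the thread.

$Clsid  = '{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}'
$SubKey = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$Key    = "HKLM:\$SubKey"

function Get-RegKeyAccessReport {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $acl = Get-Acl -Path $Path
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $fmt = { "$($_.IdentityReference): $($_.RegistryRights)" + $(if ($_.IsInherited) { ' (inherited)' }) }
    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        Owner         = $acl.Owner
        # Inheritance switched off plus explicit Deny entries is the pattern
        # that stops a normal merge dead while SYSTEM still gets through.
        InheritanceOn = -not $acl.AreAccessRulesProtected
        DenyRules     = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }  | ForEach-Object $fmt)
        AllowRules    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object $fmt)
        RunningAs     = $me.Name
        IsElevated    = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
                            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-RegKeyWritable {
    # Probe effective access rather than trusting the ACL listing: open the key
    # with writable=$true and close it again without changing anything.
    param([Parameter(Mandatory=$true)][string]$HklmSubKey)
    try {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($HklmSubKey, $true)
        if ($null -eq $k) { return $false }   # key does not exist
        $k.Close()
        return $true
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return $false
    }
}

Get-RegKeyAccessReport -Path $Key | Format-List
"Writable by $env:USERNAME : $(Test-RegKeyWritable -HklmSubKey $SubKey)"
```

If DenyRules is non-empty or InheritanceOn is false, that is the reason the earlier merge produced no success message, and the psexec -s -i regedit step above is the workaround. Run the report again after the import: if Exists comes back true a few minutes later, something on the machine is recreating the key, which is the situation the thread ends up diagnosing.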
     
  22. pars6nip

    pars6nip Private E-2

    Key is gone. Success! Pars
     
  23. pars6nip

    pars6nip Private E-2

    Chaslang,

    Just a question: I went in a couple of days ago and deleted some references to sites I didn't even know, mostly porn sites, in the registry. Did I do something wrong? Pars
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly! I recommend you do not edit the registry on your own. You could have just been deleting things that protection software put there to protect you.

    Now make sure you have done all of what I gave you in message # 9.
     
  25. pars6nip

    pars6nip Private E-2

    Great. I've done all that. So I guess we're through?

    Thanks for everything! Pars
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes we are finished. Surf safely.
     
  27. pars6nip

    pars6nip Private E-2

    Dear Chaslang,

    Sorry, but there was one last thing I forgot to mention. Symantec AV has been hanging up on its full system scans on a thumbs.db: encryptable file. What should I do about this? Pars
     
  28. pars6nip

    pars6nip Private E-2

    Uh oh, Estalive, it appears, is alive and well. The registry key is back in place. I also repeated the fix, disabled system restore, shut down, waited a long time, and booted up: there it is, back on Yahoo AS. Pars
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can delete the file yourself. It is not malware though. You may just have file system corruption or could have bad sectors on your hard disk. You can work this out in the Software Forum.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then it is not Estalive. It is merely something being added to your registry to protect you. You show none of the other signs that would go along with this. Dump Yahoo AS as you don't need it anyway since you have Spyware Doctor.
     
