browser hijack / downloader ruin

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vasoxfan, Mar 2, 2007.

  1. vasoxfan

    vasoxfan Private E-2

    Hello All -

    I've been dealing with an issue on one of my computers. Specifically, I am redirected anytime I attempt to browse to GoDaddy.com. The problem first started to appear by preventing me from logging in to GoDaddy...then it manifested itself in a complete redirection.

    I've read and followed the instructions titled "READ & RUN ME FIRST".

    Attached are logs from AVG (which didn't find anything), and BitDefender. I also ran Panda Active Scan. It found nothing too - but I didn't see a link to save the log file.

    In another post, I'll upload the runkeys, newfiles and HiJackThis logs.

    Thanks in advance for your help.
     

    Attached Files:

  2. vasoxfan

    vasoxfan Private E-2

    Here are the runkeys, newfiles and HiJackThis logs.

    Thanks...
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {1834A552-4F06-EFA9-4561-6279B80ED99C} - sysmon12.dll (file missing)

    After clicking Fix, exit HJT.

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts; you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * Reconnect to the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

    Also attach new logs for:
    ShowNew
    GetRun
    HJT
     
  4. vasoxfan

    vasoxfan Private E-2

    Thanks for the quick reply. I've followed your instructions...attached is the fixwareout, ShowNew and GetRun files. I'll post a new HJT next.
     

    Attached Files:

  5. vasoxfan

    vasoxfan Private E-2

    Here's the log for HJT I just ran.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please print this before proceeding:
    Disconnect from the internet....

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B1565C47-3F74-461C-8545-67E0B52EA5AE}: NameServer = 85.255.114.108,85.255.112.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FADA5BA4-4CDA-4ECE-9D79-BD7D8D905876}: NameServer = 85.255.114.108,85.255.112.7
    O20 - AppInit_DLLs: null

    After clicking Fix, exit HJT.

    Now run FixWareout again.

    Reconnect to the internet and attach a new wareout report and HJT log.
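    A defender-side check for the kind of O17 entries listed in the fix above, added here as an example and not a tool from the thread or from MajorGeeks: it parses HijackThis O17 lines and flags any configured resolver that is neither private (a router or the host itself) nor on an allow-list of expected resolvers. The allow-list address 192.0.2.53 and the third sample interface are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample log: the two O17 lines quoted in the thread above, plus a
# made-up interface pointing at a home router (192.168.1.1) for contrast.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1565C47-3F74-461C-8545-67E0B52EA5AE}: NameServer = 85.255.114.108,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FADA5BA4-4CDA-4ECE-9D79-BD7D8D905876}: NameServer = 85.255.114.108,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-4000-8000-000000000001}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: null
"""

# Placeholder allow-list (assumption): the resolvers your ISP or IT really hands
# out. 192.0.2.53 is a documentation address standing in for a real one.
ALLOWED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}

O17_RE = re.compile(r"^O17 - .*\{(?P<iface>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[\d.,\s]+)$")


def parse_o17(log_text: str) -> dict:
    """Map each interface GUID in the log's O17 lines to its list of NameServer IPs."""
    interfaces = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            interfaces[m.group("iface")] = servers
    return interfaces


def classify_resolver(ip_text: str, allowed) -> str:
    """'allowed' if on the allow-list, 'local' for RFC 1918 or loopback (a router
    or the host itself), 'invalid' if unparsable, otherwise 'unexpected'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip in allowed:
        return "allowed"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "unexpected"


def rogue_dns_entries(log_text: str, allowed) -> list:
    """Return (interface GUID, resolver) pairs whose resolver is neither local nor
    allow-listed; a statically set public resolver you never chose is the mark
    of the DNS changer treated in this thread."""
    hits = []
    for iface, servers in parse_o17(log_text).items():
        for server in servers:
            if classify_resolver(server, allowed) in ("unexpected", "invalid"):
                hits.append((iface, server))
    return hits
```

    On the sample, rogue_dns_entries(SAMPLE_HJT_LOG, ALLOWED_RESOLVERS) returns the four 85.255.x.x pairs and ignores the router entry; the same check can be run on a real HJT log before deciding which O17 lines to fix.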
     
  7. vasoxfan

    vasoxfan Private E-2

    Hi again...

    Things seem to be improving...I was able to get to GoDaddy.com after your first set of instructions.

    I ran your second set and have attached the logs. There was one problem though with HiJackThis.

    I appreciate all your efforts - thank you.

    Below is the error message reported from HJT.

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: null)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 7.0.5730.11
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read step 3 of the READ & RUN ME again! You have both of the below installed:

    CA eTrust Internet Security Suite
    McAfee SecurityCenter

    You must uninstall one of these now!


    You also have things remaining from Norton: Norton WMI Update
    You should uninstall this too.

    Run the HijackThis fix from message number 6 again. When HJT pops up the error about the AppInit_DLLs line, ignore it and click OK to continue.


    Then attach new logs from ShowNew and HJT.

    Is your copy of Spy Sweeper a paid or free trial version?
     
  9. vasoxfan

    vasoxfan Private E-2

    Hi -

    Thanks again for all the help. I sure do recall that point mentioned in the instructions.

    At one time or another I had Norton/Symantec on the machine - but I hadn't used it for over a year. Thought it was uninstalled...maybe the update service was still there? For the past year, I had been using Computer Associates on the machine. I recently (this past week) tried to uninstall CA - but the auto uninstall failed. I ended up having to manually delete files (yuck). I then just recently installed McAfee - which is still running. Hopefully any references to Norton and CA have been removed. I thought McAfee was the only one I had running (besides the AVG anti-spyware which is in my system tray too).

    As for the Spy Sweeper - it's an unregistered version. When CA and then McAfee couldn't detect anything, I started using some "free scan" versions of products. When SpySweeper found something called "downloader-ruin"...I did a google search...and thankfully found you guys.

    I shut down the browser and re-ran HJT. I did not see the "exact" lines mentioned anymore (specifically the R1 lines) so I didn't "fix" anything. There are still R1 lines that are similar, but not exact. The other lines O14, O17, O20 were gone.

    I've attached the HJT and newfiles.txt logs.

    Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall it now to avoid having it get in our way. In addition a trial version is of no use to you unless you purchase it. Do not continue with the below until uninstalled.

    Okay, now let's clean up leftovers from CA and some other items.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to VET Message Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • CA Pest Patrol Realtime Protection Service
      • CAISafe
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste VETMSGNT into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • ITMRTSVC
      • CAISafe
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now go to Add/Remove programs and uninstall: CA Pest Patrol Realtime Protection
    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\CA <--- the whole folder
    C:\freescan <--- the whole folder
    Also delete the below files (if still present):
    C:\WINDOWS\system32\drivers\vet-filt.sys
    C:\WINDOWS\system32\drivers\vet-rec.sys
    C:\WINDOWS\system32\drivers\veteboot.sys
    C:\WINDOWS\system32\drivers\vetefile.sys
    C:\WINDOWS\system32\drivers\vetfddnt.sys
    C:\WINDOWS\system32\drivers\vetmonnt.sys

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. vasoxfan

    vasoxfan Private E-2

    Hi -

    There were several steps, so I've tried to comment along with them - hopefully it's easier to read. I've added Additional Feedback at the very bottom.

    Thank you for all your help.

    ADDITIONAL FEEDBACK:
    I ran Ccleaner, GetRunKey, ShowNew and HJT while still in safe mode. Is that what you wanted? The HJT logfile attached is the one generated while in SafeMode.

    The system has been running better and better - ever since the first set of instructions I received - I was able to browse to godaddy.com. The system certainly boots faster...and I don't see any browser hijacking behaviors.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything looks clean.

    I still see CA Pest Patrol Realtime Protection in your uninstall programs list. Does this still appear in Add/Remove programs? If so, can it be uninstalled? If not, run the below procedure and attach the requested log.

    Getting Uninstall Programs List From The Registry
     
  13. vasoxfan

    vasoxfan Private E-2

    Hi again.

    CA Pest Patrol isn't listed in the Add/Remove programs list. When I had previously tried to manually delete the CA folder...the system wouldn't let me delete avshlext.dll. It's the only file remaining in the "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus" folder. The file isn't marked as read-only, so something must still have a hold on it.

    I've attached the GetUnKeys log file as requested. The system is running far better than it has in a long time. At what point should I perform the disable / re-enable of System Restore?

    Thanks again for the help.



     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    If I have the full path name to the file below incorrect, then please use the correct path and file name so that Pocket Killbox can find and delete the file.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot see if you can now delete the below folder:
    C:\Program Files\CA

    Now tell me how the above steps went.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  15. vasoxfan

    vasoxfan Private E-2

    Sorry it's been a few days since I could get to this.
    The system seems to be running much better. I ran the steps you provided below and the dll file is gone - and I was able to delete the folder. (thank you).

    I ran HJT, ShowNew and GetRunKeys again - and have attached their logs as a final check for you before I do the system restore step.

    Thank you for all your efforts and help - a huge difference.
     

    Attached Files:

    Last edited by a moderator: Mar 7, 2007
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Things look good! Just have HJT fix the below line:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Then continue on with the rest of the steps and Surf Safely! ;)
     
