Browser redirect cleaning problem not gone but worse

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by reinhart_menken, Dec 21, 2009.

  1. reinhart_menken

    reinhart_menken Private E-2

    Hi,

So I started doing "READ & RUN ME FIRST. Malware Removal Guide" on my desktop (XP) a few weeks ago and it was a success. The problem was browser redirects. Lately the same problem has plagued my laptop (Vista) to such a degree that it is unbearable, so, with previous success in mind, I used the same method on my laptop. Now the browser redirect problem seems to be gone, but somehow I've gotten something worse now.

Now I'm getting what seems to be one of the symptoms of Vundo (it had been detected in the past and removed, according to one of the scanners specified in the Read and Run Me First). I have no problem other than a constantly crashing and restarting Windows Explorer. That seems to be the only problem I'm having (aside from a blue screen of death 0x0000007e usbhub.sys problem on shutdown/hibernation, which occurred months before and should be unrelated). I can still access my files in a very limited capacity, using task manager's new task button (which brings up an explorer-like menu for you to choose which task to start) to copy/cut/run whatever.

    Now, here's what I did (that were out of the ordinary, compared to the instructions).

I had to repeatedly run Malwarebytes and Superantispyware a couple of times, because I have a 140GB drive which required the scanners to take a while, and a lot of times they're not done by the time I have to leave the house and need to cancel the scan to bring it with me to do some other work later on. Then, when I had time to run the scanners, I was afraid that I'd have a reinfection. All in all it was just bad timing (with finals and other end of semester things going on). Those were the only programs I had to run a couple of times, but I'm only including the most recent logs (of each program). They were both updated with the latest definitions/updates prior to the start of the scan.

I ran the ComboFix beta version (named KittyFix) that was out when the official ComboFix was taken down, only once. RootRepeal was run twice (as I understand it, it only scans and takes no action unless told to), and both times the duration exceeded 24 hours. The first time my computer just shut down on me before it was done (I guess it got overheated with the scanner and ZoomPlayer both running). The second time only RootRepeal was run (no videos), but it got stuck on the "winsxs" folder for over 12 hours (after 24 hours had already passed) and the directory that was shown as being scanned never changed (which it usually did). I got no log from RootRepeal (since the first time it was shut down when the laptop shut itself down, and the second time I canceled it and it was stuck at "Stopping..." for hours so I had to do "End Process" from task manager on it).

    MGTools was run twice, because following the read me and run, it said to click on MGTools.exe and that it would not start the scanning process (batch), which it did (but I didn't know). When I followed the read me and run to run "GetLogs.batch" it ran the scan again, and it was at that point that I realized the first run had initiated the batch on its own.

Attached are the logs from Superantispyware, Malwarebytes, ComboFix (KittyFix beta version), and MGTools, barring RootRepeal which could not complete the scan. Thanks!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. You have the combofix beta running from the wrong location. We request always that combofix be run directly from the desktop.

    You have it running from:
    c:\users\Will\Downloads\KittyFix.exe

    You need to move it to the desktop now before we continue.

    2. Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    3. TIDY this desktop:

    C:\Users\Will\Desktop

    4. Is all the below related to programming?

    Plus many more similar files.

    5. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    DirLook::
    c:\programdata\43eea
    C:\Program Files\pl
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    6. You said:

    Please explain in more detail how exactly things have gotten worse.

    What vundo like symptoms are you getting? I am not seeing anything in the logs, MBAM did report it removed a rootkit. Let's do the below:

    7. GMER - running with a random name

    8. Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    9. Run the new MGTools.exe and attach the C:\Mglogs.zip that it creates.

10. Also attach logs from running the new version of SUPERAntiSpyware, combofix, and GMER and make sure you answer all of the questions I have asked you.

    Thanks
    Kes13!
     
  3. reinhart_menken

    reinhart_menken Private E-2

    Hi again,

    First of all, sorry for the time I took to reply. You'll see the reason why below, when I explain my problem with GMER.

Yeah, I have had malware in the past (before this incident) that practically disabled my write/download-to-desktop ability, so whatever I saved to the desktop would write, and then upon completion would get deleted; so I rerouted all my downloads to the location you saw. I guess it got fixed at one point, but I just got used to the habit of writing elsewhere.

    I've moved ComboFix to desktop and ran it as per your instructions.

    Done.

    Haha. When I saw this I think I laughed. I know my desktop's a mess. How does it affect the running of an OS? I have XP on my desktop and that's not been a problem, but I understand if Vista was different.

    Instead of tidying it - since I had no windows explorer and could only cut/paste one file at a time manually, through the window that pops up when you try to run a new task in Task Manager - I cut out the entire Desktop folder and moved it elsewhere.

    It seems that my Desktop was indeed the source of my constant windows explorer crash and restart loop problem (crash and restart and then crash again only to restart again).

    What happened was, ComboFix was run after the Desktop was moved (well, not immediately after, I followed your steps), so when the whole ComboFix process was finished, my desktop logged in without a problem, no more crashes of windows explorer. At first I thought it was because the malware was removed, but then when I went into the old Desktop folder (which I moved), the explorer crashed instantly. It's fine if I don't navigate to it.

So what I did was I created a new folder, and moved all files to that folder, then deleted the old Desktop folder, since it seems that folder came with its own properties and was still treated as the Desktop folder even though its path was different (it still had the Vista desktop icon, and would rename itself back to Desktop even after I changed it to Old Desktop).

Yes, those were from my assembler language classes, among other C++ and Java programs scattered across the drive (which you might have recognized).



    Done. This time I ran with the official ComboFix that seems to be released again, instead of the beta KittyFix.

    I forgot to mention that in the first run KittyFix reported that it was being attacked by APSHook.dll, and rebooted before running smoothly.

    Well, it wasn't really worse, so to speak, but another symptom altogether that was just more severe for the running of the OS. It's the problem with windows explorer's constant crash/restart loop, which now seems to be gone.

Previous MBAM scans reported that it removed vundo, and the scan log I sent you - if memory serves - reported that it had removed a TSDD (or something like it) rootkit. That actually came up twice, in two scans, which seems to mean that it wasn't really removed (else why would it show up in a second scan if it was removed in the first).

    I ran this program twice or thrice, and every single time my system crashed to blue screen. I did close all programs as per instruction.

So, I tried to run Root Repeal again, this time giving it a longer time to see if it would get past winsxs (more than 2 days). It did. I left it running for more than 5-6 days before realizing that it was probably constantly running my hard drive like a slave (continuously reading) and therefore harmful, so I stopped it and wasn't able to get a log from that either.

    Done.

And done, at least the logs that I can provide. For some reason I don't have a newer ComboFix log. I still have the old one, but the old one was renamed to ComboFix2 for some reason; and there's no file named just "ComboFix.txt". I do have a ComboFix quarantine file that has the same creation date as the day I ran it.

    Thank you and happy new year!
     

    Attached Files:

    Last edited by a moderator: Jan 4, 2010
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Perhaps this will explain why:

    A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here. Also a very easy way to lose files no matter how advanced a user you are.

    1. Tell me what's inside of this directory:

    c:\programdata\43eea


    2. I want you to delete the combofix that you have and download and run a fresh copy (from the desktop)

    Combofix

    3. Then I want you to run the below:

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now! Are you still being redirected?
     
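The CFScript earlier in the thread asks ComboFix to list two directories (DirLook) and to delete one Browser Helper Object registration by CLSID (Registry), and this post asks what is inside c:\programdata\43eea. The following PowerShell script is an added triage example, not code from the thread, from ComboFix or from MajorGeeks: it enumerates the BHOs Internet Explorer would load, resolves each CLSID to its DLL and signature status, marks the CLSID named in the CFScript, and lists the two DirLook directories. The only page-specific values are that CLSID and those two paths; the registry locations are the standard ones for BHO and CLSID registration.

```powershell
# Added example (not from the thread or ComboFix): inventory Browser Helper
# Objects and list the directories the CFScript inspects with DirLook.
# $SuspectClsid is the CLSID named in the CFScript's Registry:: section.
$SuspectClsid = '{5C255C8A-E604-49b4-9D64-90988571CECB}'
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # A BHO is registered by CLSID; its DLL path is the default value of
            # HKCR\CLSID\{clsid}\InprocServer32 (expanded if it is REG_EXPAND_SZ).
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            $sig = 'no InprocServer32'
            if ($dll -and (Test-Path $dll)) {
                # Unsigned or missing DLLs are what a malware helper looks at first.
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $sig = 'dll missing'
            }
            [PSCustomObject]@{
                CLSID   = $clsid
                DLL     = $dll
                Signed  = $sig
                Flagged = ($clsid -ieq $SuspectClsid)
            }
        }
    }
}

# The two directories the CFScript's DirLook:: section asks ComboFix to list.
$DirLookPaths = @('C:\ProgramData\43eea', 'C:\Program Files\pl')

Get-BhoInventory | Format-Table -AutoSize
foreach ($p in $DirLookPaths) {
    if (Test-Path $p) {
        Write-Host "Contents of $p"
        Get-ChildItem -Path $p -Force | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
    } else {
        Write-Host "$p not present"
    }
}
```

Run it from an elevated PowerShell prompt; the Wow6432Node key only exists on 64-bit Windows and is skipped otherwise.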
