Internet was connecting but IE fails to load pages

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hmouta, Jun 7, 2009.

  1. hmouta

    hmouta Private E-2

    I'm trying to clean a friend's laptop. A few months ago he had infections and I did my best to clean them. He had more infections recently. The last time his browser was hijacked and all searches led to dummy pages. I disabled tdsss (I think that's it) and was able to start the cleaning process (I did use SmitFraudFix and SDFix and recently deleted them to make it easier to scan for real infections; these 2 programs show up as malicious in other scanners, I know they aren't). This time around his laptop shows connected to the network (at his house and mine) but IE won't load pages, like something was intercepting the page requests. I started the cleaning process with the programs I had and then found this site (which is awesome). I went through the Run Me First cleanup tutorial and the How To Protect Yourself tutorial first. When I completed the ComboFix step IE finally started loading pages. I continued and finished with MGtools. Thinking everything was all set, I reran some basic scanner programs to confirm it was clean before I did the restore points step. SAS did find something and after that IE stopped loading pages again, so I reran ComboFix and MGtools again. I know I wasn't supposed to, but it did correct IE again, and I haven't run the after-the-fact scanners again.

    I'll list the info from all previous scans to help get a picture of the laptop and will attach the first set of ComboFix and MGtools logs. In the next post I'll attach the 4 newest logs as requested (with newer ComboFix and MGtools). The computer seems to be working OK, but it was working OK a few months ago too, so my friend wants to reformat to be certain the computer is clean. I told him I'd try to avoid that. Thanks in advance for any help.


    ADAWARE
    6-3-09 win32.trojanspy.agent, win32.trojandownloader.bho, win32.worm.koobface, win32.trojanproxy.agent
    6-6-09 win32.trojan.spy c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\a0000533.exe



    SAS
    1-27-09 Rootkit.TDSServ
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

    Adware.Vundo Variant
    C:\SWSETUP\MSWORKS\US\SYSTEM32\USP10.DLL
    D:\MININT\SYSTEM32\USP10.DLL

    Rootkit.TDSServ-Trace
    C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

    5-4-09 Trojan.Dropper/Win-NV
    C:\WINDOWS\MSTRE18.EXE
    C:\WINDOWS\MSTRE18.EXE
    C:\WINDOWS\PP06.EXE
    C:\WINDOWS\PP06.EXE
    [sysLDtray] C:\WINDOWS\LD08.EXE
    C:\WINDOWS\LD08.EXE
    [sysmstray] C:\WINDOWS\MSTRE18.EXE
    [pp] C:\WINDOWS\PP06.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld08.exe ]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysmstray [ C:\windows\mstre18.exe ]
    C:\WINDOWS\Prefetch\LD08.EXE-0CB609EE.pf
    C:\WINDOWS\Prefetch\MSTRE18.EXE-1905F08F.pf
    C:\WINDOWS\Prefetch\PP06.EXE-33D9D96C.pf

    Trojan.Agent/Gen-DL32
    C:\WINDOWS\SYSTEM32\DL32.EXE
    C:\WINDOWS\SYSTEM32\DL32.EXE
    C:\WINDOWS\Prefetch\DL32.EXE-1820A76F.pf

    Trojan.Agent/Gen-Freddy
    [sysfbtray] C:\WINDOWS\FREDDY42.EXE
    C:\WINDOWS\FREDDY42.EXE
    C:\WINDOWS\Prefetch\FREDDY42.EXE-10324AC7.pf

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
    HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
    HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}
    HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}\InprocServer32
    HKCR\CLSID\{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\WINCONFIG.DLL

    Trojan.Downloader/ZLob
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\InprocServer32
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\InprocServer32#ThreadingModel
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\ProgID
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\Programmable
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\TypeLib
    HKCR\CLSID\{E7F15AC4-E0A9-43F0-921B-70DFEA621220}\VersionIndependentProgID
    HKCR\y537.y537mgr.1
    HKCR\y537.y537mgr.1\CLSID
    HKCR\y537.y537mgr
    HKCR\y537.y537mgr\CLSID
    HKCR\y537.y537mgr\CurVer
    HKCR\TypeLib\{E63648F7-3933-440E-AAAA-A8584DD7B7EB}
    C:\WINDOWS\SYSTEM32\796525\796525.DLL

    Trojan.Agent/Gen-Zlob
    C:\DOCUMENTS AND SETTINGS\CHRIS\LOCAL SETTINGS\TEMP\JOPAXX_1241500089.EXE

    Trojan.Agent/Gen-Freddie41
    C:\WINDOWS\FREDDY41.EXE
    C:\WINDOWS\Prefetch\FREDDY41.EXE-29994379.pf


    6-6-09 1am Trojan.Unknown Origin c:\WINDOWS\PEV.EXE


    MBAM
    1-27-09 Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64858849920652462534544112936363 (Rogue.Antivirus) -> Quarantined and deleted successfully.

    5-4-09 Folders Infected:
    C:\Program Files\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Chris\Start Menu\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Chris\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Chris\Start Menu\A360\Help.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Chris\Start Menu\A360\Registration.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.



    The new scans come up clean (for now).
     

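The SAS log above is a list of persistence locations (a driver service key, Run values, two Browser Helper Object CLSIDs, files on disk). The script below is an added example, not something posted in this thread or shipped by any of the tools it mentions: it re-checks exactly those locations so a post-cleanup verification is reproducible instead of depending on re-running every scanner. It assumes Windows PowerShell 2.0 or later in an elevated prompt on the cleaned machine; every key, value name and path in it is copied from the log, nothing else is assumed.

```powershell
# Added example, not part of the thread: re-check the persistence locations that the
# SUPERAntiSpyware log reported. Assumes Windows PowerShell 2.0+ in an elevated prompt.
# Every key, value name and path below is copied from the log.

$findings = @()

# 1. The TDSS rootkit installed itself as a driver service. Any trace of this key is a problem.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TDSSserv.sys'
if (Test-Path $svcKey) { $findings += "service key still present: $svcKey" }

# 2. Run-key values the log listed (value name -> image path it pointed at). The Run key
#    itself is legitimate, so only these value names are checked, not the whole key.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ 'sysldtray' = 'C:\windows\ld08.exe'
                'sysmstray' = 'C:\windows\mstre18.exe' }
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues.Keys) {
    if ($run -ne $null -and $run.PSObject.Properties[$name] -ne $null) {
        $findings += "Run value still present: $name = $($run.$name) (logged as $($runValues[$name]))"
    }
}

# 3. Browser Helper Objects. A CLSID registered here is loaded into every Internet Explorer
#    process, which is how a BHO can sit between the browser and the pages it requests.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in '{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}', '{E7F15AC4-E0A9-43F0-921B-70DFEA621220}') {
    if (Test-Path (Join-Path $bhoKey $clsid))                   { $findings += "BHO still registered: $clsid" }
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")   { $findings += "CLSID still registered: $clsid" }
}

# 4. Files the log named on disk.
$files = 'C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT', 'C:\WINDOWS\MSTRE18.EXE', 'C:\WINDOWS\PP06.EXE',
         'C:\WINDOWS\LD08.EXE', 'C:\WINDOWS\SYSTEM32\DL32.EXE', 'C:\WINDOWS\FREDDY42.EXE',
         'C:\WINDOWS\FREDDY41.EXE', 'C:\WINDOWS\SYSTEM32\WINCONFIG.DLL',
         'C:\WINDOWS\SYSTEM32\796525\796525.DLL'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
}

# Report.
if ($findings.Count -eq 0) { 'none of the artifacts from the scan log remain' } else { $findings }

# For manual review: every BHO currently registered and the DLL it loads, because a
# replacement BHO would carry a CLSID the old log could not know about.
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    '{0}  {1}' -f $clsid, $inproc.'(default)'
}
```

The value of the last loop is that it lists what is registered now rather than what a scanner flagged months ago; a BHO whose InprocServer32 points at a DLL in C:\WINDOWS\SYSTEM32 with a random-looking name is the pattern both scanner hits in the log follow.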
  2. hmouta

    hmouta Private E-2

    These are the 4 newest logs as requested. I apologize for doing ComboFix and MGtools twice.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    According to the logs, the PC appears to be in good shape now. I do have a couple things for you to do though.

    First you need to remove some leftovers from Symantec/Norton. Please run the below, then reboot. After the reboot, run it one more time.

    Norton Removal Tool (SymNRT)

    Now uninstall the below outdated version of Spybot:
    Spybot - Search & Destroy 1.4


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from ComboFix (if it exists).
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to Add/Remove Programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  4. hmouta

    hmouta Private E-2

    Under Add/Remove Programs there are 2 listings: Spybot and Spybot 1.4. I assume the Spybot is the newer version that's on the computer. Will deleting 1.4 affect the new version? Maybe they shared files during the upgrade to 1.62.
     
  5. hmouta

    hmouta Private E-2

    I uninstalled the rest of Norton and the old Spybot. Before doing the System Restore steps I wanted to make sure the computer was clean, so I ran SAS and Malwarebytes again.

    SAS flagged Trojan.Unknown Origin:
    c:\windows\pev.exe
    c:\windows\prefetch\pev.exe-0ce2bf4a.pf

    Comodo also has been flagging 8-9 files in System Volume Information under nircmd.exe -> Application.Win32.NirCmd & ApplicUnsaf.Win32.Hide (7 files: 2 .Hide and 5 .NirCmd, all about 1 second apart).

    Malwarebytes had previously flagged some .exe for PeoplePC. It appears to be an internet provider preloaded from HP, so I set it to ignore. I ran MB again and when it got to this file, Comodo flagged it along with c:\swsetup\pccs\setup.exe. The pccs folder appears to contain files from AMD, the chip maker (which the HP is running), but there's no setup.exe visible in the pccs folder, and I have hidden files shown.

    When I had SmitFraudFix and SDFix running a few months ago they would give false positives in SAS and the other scanners. I googled nircmd and it seemed to be linked to ComboFix. For pev.exe I get 50/50 results on whether it's good or bad, but other people's HJT logs show pev being created at the same time as ComboFix:

    =============== Created Last 30 ================

    2009-05-26 01:14 161,792 a------- e:\windows\SWREG.exe
    2009-05-26 01:14 154,624 a------- e:\windows\PEV.exe
    2009-05-26 01:14 98,816 a------- e:\windows\sed.exe
    2009-05-26 01:14 <DIR> --ds---- E:\ComboFix

    =============== Created Last 30 ================

    2009-05-25 22:21 359,883 a------- C:\dds.scr
    2009-05-24 16:40 <DIR> --d----- c:\program files\ESET
    2009-05-24 16:36 2,668,240 a------- C:\esetsmartinstaller_enu.exe
    2009-05-23 13:26 161,792 a------- c:\windows\SWREG.exe
    2009-05-23 13:26 139,776 a------- c:\windows\PEV.exe
    2009-05-23 13:26 98,816 a------- c:\windows\sed.exe
    2009-05-23 13:25 <DIR> --ds---- C:\ComboFix

    PeoplePC isn't in the Add/Remove Programs list. Can I just delete the folder from the Program Files\Online Services folder? This should remove this false positive from scanning. I was thinking the pccs folder was linked to PeoplePC, but now I'm not sure.

    If pev and nircmd are from ComboFix, I think the computer is clean. If I uninstall ComboFix these possible false positives should go away also, right? ComboFix is still installed in case I still have to run it.

    That leaves the pccs\setup.exe file in question.

    Comodo appears to not let you copy and paste, nor save logs to be able to attach.

    Should I just delete the PeoplePC folder and uninstall ComboFix, then run the scanners again? Any way to tell if the pccs\setup.exe file really exists?

    I think I made this sound confusing. Sorry ahead of time.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just uninstall the old version.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SUPERAntiSpyware is incorrect. That file is PevFind, which is a program used by ComboFix. It is not a problem, but you don't need it anyway. If you had uninstalled ComboFix as requested and the file was still there, it could just be deleted. Since SAS deleted it, it does not matter anyway.

    Also false positives, since NirCmd is a well-known program used by many tools including ComboFix, but you have not finished my final instructions, which included steps for toggling System Restore. You need to complete my final instructions, which asked you to uninstall ComboFix, remove MGtools and toggle System Restore.

    Then perhaps MBAM or Comodo deleted it and you would need to restore it from their quarantine. I don't think this is a PeoplePC folder; it could just be something for your PC or something you put here and forgot about. It contains AMD-related files; perhaps it is for your HP computer, which is AMD based.
     
  8. hmouta

    hmouta Private E-2

    I deleted the PeoplePC folder and uninstalled ComboFix, deleted the desktop icon and deleted the 3 MGtools files, then did the restore points steps and reran SAS and Malwarebytes.

    SAS flagged: Trojan.Agent/Gen c:\32788r22fwjfw\pev.exe

    I assume this is a leftover from ComboFix, so I deleted it and rebooted to complete the deletion.

    Malwarebytes came up clean. I got rid of the ignore entry for PeoplePC before running Malwarebytes.

    Comodo still flagged stuff. It's quarantining stuff in System Volume Information when Malwarebytes is scanning these files and coming across the nircmd-related stuff. I figured it wouldn't, since ComboFix was uninstalled and restore points reset. I searched for these restore files but Windows wouldn't allow me to delete them manually.

    In previous scans I'd get c:\system volume information\_restore (a bunch of numbers and letters)\rp3 or rp5\a0000###.exe. The last quarantined stuff listed rp1. Does rp stand for restore point? If I cleared the restore points, then rp1 is the newest point? How does it create the nircmd stuff for rp1 if ComboFix is gone? Is there a way to further remove the ComboFix remnants so they aren't showing up in the System Volume Information files?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it was. The whole folder can be deleted.

    If you toggled System Restore after all the cleanup, including removing the above pev.exe file, it should not be finding anything in System Restore. So toggle SR once more just to be sure.

    ComboFix does not uninstall everything it puts on your PC. It does a very poor job of cleaning up, and it is hard for us to keep up with since it scatters things around in many places. Either way, Malwarebytes, Comodo, or any other scanner detecting nircmd.exe or pev.exe as problems are having false detection issues. These are valid programs. It is most likely an issue with where they are seeing the programs run from (the Windows root folder) which is causing the problem.


    RP = Restore Point.

    As I was saying above, you will have to clean up all of these remnants from ComboFix, like C:\Windows\nircmd.exe and C:\Windows\pev.exe and the ComboFix folder in your C:\ root directory, and then empty your Recycle Bin. Then you need to toggle SR.
     
  10. hmouta

    hmouta Private E-2

    You're right. I guess the ComboFix uninstall still leaves stuff behind. I searched and found two folders:

    c:\qoobox: a Google search shows this being ComboFix's "quarantine vault".

    c:\32788r22fwjfw: a Google search shows other people with this folder too, so I assume it's installed by ComboFix only. This folder has a bunch of files inside. Some files contain the names combofix, nircmd, restore_pt, srestore, etc.

    I deleted both. Maybe that's why the restore points still contained stuff. These folders seemed to have logs of ComboFix's restore point info.

    I searched for pev, nircmd and combofix and deleted everything.

    I toggled the restore points and rescanned. SAS and MBAM came up clean. Comodo didn't flag anything either when MBAM was scanning. Should I post a HijackThis log to finalize the cleanup?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It would not be of any use anyway since it does not show any of this stuff anyway. That's part of the reason we don't ask for HJT logs.;)
     
  12. hmouta

    hmouta Private E-2

    Well, I'm still getting hits with Comodo for nircmd. I toggle the restore points, then run SAS and MBAM, which always come up clean. When MBAM scans the System Volume Information, Comodo quarantines 13 nircmd files. If I let them sit in quarantine and rerun the scans, nothing happens. If I retoggle the restore points and leave the files in quarantine and run MBAM, Comodo does nothing. Once I clear the quarantine and retoggle and run MBAM, Comodo flags the restore files again.

    I search the hard drive for nircmd and it's clean. I deleted every file. But something is still creating the restore points. Any way to track down where the restore points come from, like what app is making them, since ComboFix is deleted? The same file, for example heur.suspicious@22980792, shows under c:\system volume info...............rp1\a0000047.exe. When I clear the quarantine and retoggle the restore points, this same file shows up as a0000016.exe, so even if I add them to the safe files list then retoggle, it'll be created under a different a00000##.exe each time and Comodo will quarantine it when MBAM reads that file.

    I believe the computer is clean, but it would be nice to stop the nircmd files from reappearing every time I retoggle. I can't access the System Volume Information folder. If I could, and right-clicked Properties on the respective files, would it tell me what app is originating that restore point file?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disable System Restore on ALL drives and then reboot. Keep it disabled until I ask you to enable it. Now do the below.

    Make sure that you have completed all of my final cleanup instructions from message # 8 and uninstall all that I stated.

    Empty all quarantine folders for things like Comodo, SUPERAntiSpyware, Malwarebytes, etc.

    Now delete any of the below folders if they are found:
    C:\ComboFix
    C:\QooBox
    C:\32788R22FWJFW <<-- anything like this or similar

    Now delete the below files if found:
    C:\Windows\nircmd.exe
    C:\Windows\pev.exe
    c:\windows\sed.exe
    c:\windows\SWREG.exe

    Now run CCleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now reboot again and run a full scan with Comodo. If anything is found, provide a log of what is found.
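The cleanup sequence in the post above (delete the leftover ComboFix folders and files, then keep System Restore off so the copies inside the restore points are flushed) as a script. This is an added example, not part of the thread and not ComboFix's own uninstaller. It assumes Windows PowerShell 2.0 or later on a client Windows, where Disable-ComputerRestore and Get-ComputerRestorePoint exist, run from an elevated prompt. The folder and file names are the ones listed in the post; the random-looking C:\32788R22FWJFW folder is matched by pattern, on the assumption (mine, not the post's) that any root-level folder with a name like that which contains pev.exe or nircmd.exe is a ComboFix working folder.

```powershell
# Added example, not from the thread: the remnant cleanup from the post above.
# Without -Remove it only reports what it finds (and lists current restore points);
# with -Remove it deletes the leftovers and turns System Restore off on every fixed drive.
# Assumes Windows PowerShell 2.0+ on client Windows, run elevated.
param([switch]$Remove)

$folders = 'C:\ComboFix', 'C:\QooBox'
$files   = 'C:\Windows\nircmd.exe', 'C:\Windows\pev.exe',
           'C:\Windows\sed.exe',    'C:\Windows\SWREG.exe'

# Assumption: a root-level folder whose name is a run of upper-case letters and digits
# (like 32788R22FWJFW) and that holds pev.exe or nircmd.exe is a ComboFix working folder.
# -cmatch keeps the match case-sensitive so ordinary folders such as ProgramData are skipped.
$scratch = @(Get-ChildItem -Path 'C:\' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -cmatch '^[0-9A-Z]{10,}$' } |
    Where-Object { (Test-Path (Join-Path $_.FullName 'pev.exe')) -or
                   (Test-Path (Join-Path $_.FullName 'nircmd.exe')) } |
    ForEach-Object { $_.FullName })

$targets = @($folders + $scratch + $files | Where-Object { Test-Path -LiteralPath $_ })

if (-not $targets) { 'no ComboFix leftovers found' }
foreach ($t in $targets) {
    if ($Remove) {
        Remove-Item -LiteralPath $t -Recurse -Force
        "removed  $t"
    } else {
        "found    $t"
    }
}

if ($Remove) {
    # Turning System Restore off discards every existing restore point, and with them the
    # copies of the files above that the scanners keep finding under System Volume Information.
    # DriveType 3 = local fixed disk. Re-enable later with Enable-ComputerRestore -Drive 'C:\'.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        Disable-ComputerRestore -Drive "$($_.DeviceID)\"
        "System Restore disabled on $($_.DeviceID)"
    }
} else {
    # The restore points that exist right now; each one is a numbered RP folder
    # under System Volume Information.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        'restore point {0}: {1}' -f $_.SequenceNumber, $_.Description
    }
}
```

Run it once without -Remove to see what would go, empty the scanners' quarantines as the post says (a quarantined copy restored later would bring the file back), then run it with -Remove and reboot before the Comodo scan. System Restore stays off until that scan is clean; turning it back on afterwards creates the fresh, clean restore point the thread is working towards.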
     
  14. hmouta

    hmouta Private E-2

    I followed your last post. The two files that I hadn't previously deleted were c:\windows\sed.exe and c:\windows\SWREG.exe, so those are gone now.

    There were 2 other sw files after swreg, but I left them: swsc.exe and swxcacls.exe. All 3 sw files are from Steelwerx and had the same created date of June 5 2009, which is likely the date I installed ComboFix. Should these 2 files be deleted too?

    The Comodo scan was clean. Since Comodo was quarantining stuff previously while MBAM was accessing files during its own scan, I ran MBAM too after the Comodo scan and it was clean, and Comodo still didn't quarantine anything (maybe System Restore being off is doing this, or swreg was creating the nircmd restore points?). I saw MBAM scan the System Volume Information folder, but since it's probably empty from restore being off, Comodo didn't flag anything.

    Restore is still off.

    Should the next step be toggling restore on and running the scans again? If it still flags stuff, maybe deleting the 2 remaining sw files and retoggling restore and more scans?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These were all used by ComboFix and can be deleted.

    After deleting the files above, and any others we have mentioned in the past, empty your Recycle Bin. Then turn System Restore back on and see how things look now.
     
  16. hmouta

    hmouta Private E-2

    I deleted those final 2 files and turned restore back on. Ran MBAM and rebooted a few times and Comodo stayed clean each time, never flagging anything. Ran SAS a final time and it was still clean.

    I feel good about the computer being clean. Thank you very much!!! I have another friend's computer to do and will use my thread as a guideline to do the same cleaning process on his, barring any stubborn files. This was a good learning process for me.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!

    Make sure you start a new thread for this other computer.
     
