Internet Explorer hijacked! and other malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dabensta, Apr 25, 2007.

  1. dabensta

    dabensta Private E-2

    Problem description:
    [some sort of Internet Explorer hijacker and various spyware]
    Everything was running fine as far as I know until Sunday afternoon after some friends had been watching some online videos (I'm not sure where from). I turned my computer back on and went into IE to google some stuff, and I was redirected from my home page to "natwestoffshore", supposedly a "bank" that wanted me to log in with my birthday, etc.

    I knew something was awry, so I started to investigate, and I began having lots of problems. I had 63-ish running processes, and a whole lot of strange things in msconfig. I also had lots of error windows popping up saying that there was an error in some file that "memory access ... 0x0000000 can not be read". These program errors were usually, I think, masquerading as legit system files, but many were stored in the System32 folder, where, as I learned, it was a high likelihood they were masquerading spyware files.

Those errors didn't seem to cause me any problems, though, so I downloaded the new IE version 7 (I was running 6 at the time). Downloaded Firefox. Each time I'd restart, I would get a warning that Windows Explorer was trying to access the internet, so I blocked it each time. I also got the "...WindowsFirewallBypass" note in Spyware Terminator, I think.

    I've run the entire Read and Run Me First, down to step 7, and it has been very helpful. Very.
    Now I've run HijackThis, but I'm not skilled enough to know what to do with the log and what to turn off... Please help! Thank you!! ~Ben
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please attach the other three logs requested in the READ ME:
    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    Also uninstall Viewpoint Media Player as requested in step 0 of the READ ME!

    What problems are you currently still having? A quick scan of your logs shows no problems.
     
  3. dabensta

    dabensta Private E-2

    Whoops! Not sure how I missed that list. Viewpoint Media Player is now uninstalled as requested. Sorry, I got a little lost on the Read & Run page with all the redirecting to other pages and restarting.

    Counterspy found no problems.
    I think I have manually fixed the problems Panda found.

    Current problems:
    I still have 60 running processes...is that bad?
    When I run Security Task Manager, it tells me about 15 files are 40% dangerous or more dangerous. I researched several of them, found some that were only dangerous if located in the System32 folder, which they were, so I quarantined them, restarted, and had no problems, so I will probably delete them later.

I want to make sure my computer is really, really clean before I trust it to log into my bank, etc. again. The number of unrecognizable running processes, and a long list of msconfig items that are checked currently, freak me out a little.

    Thanks for the help!! ~Ben
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

In most cases, it is just due to what you have installed and chose to run. I assume this is a laptop based on what I see in your HJT log? Laptops always have a lot more processes running than a Desktop.

    You cannot always believe everything you read. Give me a list of which processes you are referring to that were running from the system32 folder. Your HJT process list showed no malware running from the system32 folder or from any other folder. In fact the only item seen in any of your logs was from BitDefender and it removed the trojan. All other logs are clean. Are you still having problems? Note you should not stop Explorer.exe from having internet access.


    The truth be told is that, if you are truly concerned about financial security, that you really should delete your Windows partition, reformat the disk, and reinstall from scratch. No PC can truly be thought of as being 100% clean after it has been infected. And no guarantees can be made about this. Yes we can clean up everything we see and the outcome may be that all of your problems are gone, we just cannot guarantee it. The decision on how you would like to proceed is yours to make. The above statements are just the hard truth and I wanted you to be aware of this. Personally I think in many cases the above is not really required and that cleaning is adequate, but again, there are no guarantees!

Now, all that being said, since you had potential password stealing trojan issues, for your own financial security, you really should follow the directions in the below:


    You are strongly advised to do the following immediately:
1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
     
    Last edited: Apr 26, 2007
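The exchange above turns on which running processes actually live under System32 and whether they are legitimate. The following PowerShell script is an added example for readers of this thread; it is not something chaslang or dabensta posted and it is not part of any tool named here. It lists every running process with its image path, whether that path is under System32, and the Authenticode signature status of the executable, which is the kind of evidence a helper would want instead of a third-party "40% dangerous" score. It assumes a modern Windows PowerShell (the `Get-AuthenticodeSignature` cmdlet) and that the user running it can read the process paths.

```powershell
# Added example (not from the thread): enumerate running processes, note which
# ones run from System32, and check the Authenticode signature of each image.
$system32 = Join-Path $env:SystemRoot 'System32'

$report = Get-Process |
    Where-Object { $_.Path } |            # protected/system processes expose no Path; skip them
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Name       = $_.ProcessName
            PID        = $_.Id
            Path       = $_.Path
            InSystem32 = $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            Signature  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Show everything, with the interesting cases (unsigned images under System32) first.
$report |
    Sort-Object @{ Expression = { $_.InSystem32 -and $_.Signature -ne 'Valid' }; Descending = $true }, Name |
    Format-Table Name, PID, InSystem32, Signature, Signer, Path -AutoSize

# Just the suspicious subset, suitable for pasting into a help thread.
$report | Where-Object { $_.InSystem32 -and $_.Signature -ne 'Valid' } |
    Select-Object Name, PID, Path, Signature
```

Read the result with the same caution chaslang applies to scanner output: many genuine Windows binaries are signed through a catalog rather than an embedded signature, so on older Windows versions they can report `NotSigned` even though they are legitimate. A path under System32 plus a missing or mismatched signature is a reason to look closer (and to post the path in a help thread), not proof of infection on its own; a `HashMismatch` on a file that should be a Microsoft component is the stronger signal.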
  5. dabensta

    dabensta Private E-2

    Yes, this is a laptop: Toshiba Satellite A105

    I'm not having noticeable problems, everything seems to be normal.

However, I ran SpyEraser, and it supposedly identified a bunch of problems, including a keylogger called Surf Spy in c:\documents and settings\ben hegler\windows\system , however when I went there, the folder claimed it was empty. I did not have SpyEraser delete anything, because it's the trial version and I'm only allowed 15 removals. I attached the log. There are a bunch of Favorites URLs that it claims are infected, but I know I put those there, so I'm not sure it's saying they're infected.

    A little help sorting through SpyEraser's log would be helpful!

    Security Task Manager: I think all is well after researching and getting rid of a few processes and running it again.

    Thanks again! Ben
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Mostly just a bunch of harmless registry keys left over from having WildTangent stuff installed at some point. Doesn't this program fix anything?

The Favorites that are listed should be checked by you to see if they really exist and if they are things you put there. None of those seem bad. SpyEraser is falsely associating the Health and Shopping folders to be bad which is not necessarily true. They should be checking what the actual links are before deciding something is bad.

    You still did not tell me what processes!
     
  7. dabensta

    dabensta Private E-2

    No, I don't think SpyEraser is particularly good. Anymore.

    I attached a screenshot of the SecTaskMangr quarantined files.

    Any thoughts on Surf Spy from my last post?

    Is there a good way to clean up my registry keys? CCleaner supposedly has a reg key cleaner I may run later.

    Thanks!!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

None of those processes are problems! They should not be quarantined.

No, because SpyEraser does not know what it is talking about. That folder is valid. SpyEraser is not a good program and is not dependable. Also since it does not remove anything it is even of less use.


    Not a topic for this forum. Just be advised if you are going to use registry cleaning that you need to be careful and you must make backups first.



    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    Last edited: Apr 27, 2007
  9. dabensta

    dabensta Private E-2

    Ah, I see.

    Once again, thank you. You've been very helpful!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     