Adware Popups & Trojan Attempts to Access the Net

Discussion in 'Malware Help (A Specialist Will Reply)' started by OminousThunder, Dec 4, 2008.

  1. OminousThunder

    OminousThunder Private E-2

    Greetings:

    For the past week or two, my laptop has been plagued with popups and trojan attempts to access the Net. Unfortunately, I have not had this laptop in service very long so I haven't created a non-privileged user account to use as my primary acct. Also very unfortunate for me, this laptop is used by anyone/everyone who visits our home so I can't say for certain what was occurring when the infection started.

    Normally, I can clean an infected system rather well with the aid of HJT and a few tools from sysinternals but this one is getting the best of me so I bow to your expertise. I attempted to remove suspect files and reg entries manually only to discover they came right back, only renamed. I read and followed the guidelines for "READ & RUN ME FIRST. Malware Removal Guide". I have all of the logs generated by the tools which I will attach to this thread for your review.

    Since running the tools, I no longer have popups but I know I am still infected based on reg entries and files noted in HJT.

    Please help? Thank you!

    PS - I hope it's ok, but I zipped the 3 other logs requested so I don't have to make 2 posts. I will be glad to upload the text files in another post if necessary.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did you add the below to start Task Manager at startup?
    Code:
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Task Manager.lnk - c:\windows\system32\taskmgr.exe [2002-08-29 135680]

    Uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0784ab67-9363-4a4c-929b-d3501aea4549} - C:\WINDOWS\system32\nanehutu.dll (file missing)
    O4 - HKLM\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: C:\WINDOWS\system32\zakupuju.dll c:\windows\system32\sapinisa.dll c:\windows\system32\zebekeli.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
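    As an added illustration (not part of chaslang's reply and not a MajorGeeks tool), the following Python script shows the kind of triage a defender can run over HijackThis output to pick out the persistence entries flagged above: an orphaned BHO, Run-key entries that load a system32 DLL through rundll32 and are mirrored into the LOCAL SERVICE / NETWORK SERVICE hives, and a populated AppInit_DLLs value. The sample input is constructed from the HJT lines quoted in this reply plus one hypothetical benign entry (`ExampleUpdater`) for contrast; the regexes and heuristics are my own and cover only the O2/O4/O20 line shapes seen in this thread.

```python
"""Triage helper for HijackThis (HJT) log lines: flags common persistence
patterns so a reviewer can see which DLLs to inspect first.
Added example; heuristics are my own, not HJT's or MajorGeeks'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: the lines chaslang asked to fix, plus one hypothetical benign entry.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {0784ab67-9363-4a4c-929b-d3501aea4549} - C:\WINDOWS\system32\nanehutu.dll (file missing)",
    r'O4 - HKLM\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s',
    r"""O4 - HKUS\S-1-5-19\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s (User 'LOCAL SERVICE')""",
    r"""O4 - HKUS\S-1-5-20\..\Run: [kizowuyobu] Rundll32.exe "C:\WINDOWS\system32\wobarale.dll",s (User 'NETWORK SERVICE')""",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\zakupuju.dll c:\windows\system32\sapinisa.dll c:\windows\system32\zebekeli.dll",
    # Hypothetical benign autorun (path made up for this example, not from the thread)
    r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background',
]

# Drive-letter path ending in .dll; stops at whitespace or a quote.
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll', re.IGNORECASE)
# O4 line: hive, key name, [autorun name], then the command line.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Well-known service-account hives; a user autorun copied here is unusual.
SERVICE_HIVES = {r"HKUS\S-1-5-19", r"HKUS\S-1-5-20"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per HJT line that matches a persistence heuristic."""
    o4_hives_by_name: Dict[str, List[str]] = {}
    parsed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        if line.startswith("O2 - BHO:") and "(file missing)" in line.lower():
            reasons.append("BHO registered but its DLL is missing (orphaned or recently removed hook)")
        m = O4_RE.match(line)
        if m:
            o4_hives_by_name.setdefault(m["name"], []).append(m["hive"])
            cmd = m["cmd"].lower()
            if "rundll32" in cmd and "\\system32\\" in cmd:
                reasons.append("autorun loads a DLL from system32 via rundll32")
        if line.startswith("O20 - AppInit_DLLs:"):
            dlls = DLL_RE.findall(line)
            reasons.append(f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process that loads user32.dll")
        parsed.append((line, reasons, m["name"] if m else None))

    findings: List[Finding] = []
    # Second pass: the same autorun name present in HKLM and in a service-account hive.
    for line, reasons, name in parsed:
        if name:
            hives = o4_hives_by_name[name]
            if "HKLM" in hives and any(h in SERVICE_HIVES for h in hives):
                reasons.append("same autorun name replicated across HKLM and the LOCAL/NETWORK SERVICE hives")
        if reasons:
            findings.append(Finding(line=line, reasons=reasons))
    return findings


def dlls_to_review(findings: List[Finding]) -> Set[str]:
    """Collect the distinct DLL paths (lower-cased) referenced by flagged lines."""
    return {p.lower() for f in findings for p in DLL_RE.findall(f.line)}


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("DLLs to review:", sorted(dlls_to_review(results)))
```

    The second pass is what distinguishes the `kizowuyobu` entries from an ordinary HKLM autorun: a legitimate installer rarely writes the same Run value into the LOCAL SERVICE and NETWORK SERVICE hives, so seeing it there alongside rundll32 loading a system32 DLL is a strong signal even before any file is examined.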
     
  3. OminousThunder

    OminousThunder Private E-2

    Thank you for your response chaslang. Yes, I did create the shortcut link to taskmgr.

    I uninstalled Java(TM) SE Runtime Environment 6 as requested. I executed HiJackThis (analyse.exe) but most of the items were no longer present.

    I executed the ComboFix script you posted, which rebooted the system, then finished upon bootup. Upon bootup, McAfee On-Access Scan message window popped up declaring it deleted c:\combofix\psexec.cfexe. It detected it as RemAdm-ProcLaunch!171. This has been McAfee's normal behavior with psexec if not configured as an exception. ComboFix must use psexec to perform its tasks? Hopefully, it was able to do what it needed to before being deleted.

    Finally, I executed Ccleaner then GetLogs.bat. From the looks of things in HJT, the system appears to be clean, but I do have one concern. If I uninstall SUPERAntiSpyware, will I be reinfected? The reason I ask is I ran through all of the steps in the Windows XP Cleaning Procedure post before posting my issue. I thought the system was clean, so to save resources, I uninstalled SUPERAntiSpyware, Malwarebytes Anti-Malware, and Spybot. Right after I rebooted, I opened IE, browsed to MajorGeeks, and started getting popups again. Since SUPERAntiSpyware is the only one that runs continuously, I wonder if uninstalling it exposed me to something it was "blocking"? It's possible, I suppose that it was never truly cleaned but while those programs were installed, I no longer had the popups and redirects.

    Currently, it appears I am in good shape. No popups or redirects, no odd dll files noted in any logs. Sysinternals Autoruns looks clean. Are you familiar with Sysinternals RootkitRevealer, by chance? I am attaching a screen capture of what it shows as possible "suspicious" settings.

    Aside from being unsure if I can safely uninstall the programs listed above and the rootkit question, I am satisfied with the results. I can't thank you enough, chaslang! You (and all the other MajorGeeks) ROCK! I will incorporate your methods and tools into my own troubleshooting techniques for future infestations. I am extremely grateful for the site and the services provided by all of the members who volunteer their time and energy to help others in need. If I didn't work full-time and go to school part-time, I'd gladly offer my own time and energy to assist others here. I just completed a networking degree and am in the process of mastering Windows scripting with my eye on VBScript for Desktop/network management purposes (corporate environment).

    Many thanks, my friend! :major
    Thunder
     

    Attached Files:

  4. OminousThunder

    OminousThunder Private E-2

    Update:

    Since posting this morning, I have encountered a few new issues. Websites are taking a long time to load, or I get frequent timeouts. This occurs on various hosts, including MajorGeeks. Other systems on the network are working normally. I can send you pings or tracerts to any IP/domain you like but it seems to be a browser issue rather than a connection issue. This post has taken 5 times so far to post. Hopefully it will this time!

    Also, Windows Live OneCare Free Safety Scanner freezes on 52% (wmplayer.exe) and Windows Update site fails to load the search results when looking for new updates: [Error number: 0x80072EE2]. The site is still listed as a trusted site. I ran all of the malware apps again and Spybot came up with an instance of Vundo, which it claims it removed?

    Also, McAfee occasionally pops up a message indicating it has discovered various suspicious files in the restore area. Should we dump the previous restoration files? What was I infected with based on what you read in the logs? Can it cross contaminate between my other systems on the network if I have open file shares?

    ~sighs

    I think that's it for now. Let me know what you think about my new issues and the previous questions/concerns at your earliest convenience.

    Thank you for all of your help!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it does and by the way, psexec.exe is a Microsoft (SysInternals) tool. It is not a problem, but like many programs, it could be used maliciously.

    No! The free tool has no realtime protection. The reason you became reinfected previously was that you were not totally clean. The fix I gave you in message # 2 shows you this.

    Yes and it does not show any problems.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs which were clean, this does not appear to be due to malware. I suggest you try a few tests:
    1. boot in safe mode and see how browsing looks
    2. in normal boot mode try a different browser. I suggest installing this: Mozilla Firefox. How do things work with it?
    3. If still having a problem, try a brief test of shutting down McAfee and your firewall just to see what happens. Only do this briefly.
    We will clean these up in my below final cleaning steps which I want you to run anyway.

    You had a variety of malware problems. Most were forms of Vundo. Vundo is not known to automatically infect other shared systems on a network.



    Now it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
