Browser redirection - Terminal server

Discussion in 'Malware Help (A Specialist Will Reply)' started by SmoggyJackson, Oct 30, 2012.

  1. SmoggyJackson

    SmoggyJackson Private E-2

    Hello all,

    I have a Browser Redirection issue on Terminal server running Windows Server 2008 R2.

    Work has previously been done by another technician to remove malware from this server about two weeks ago, however some of the users are still reporting that Google (specifically) searches take a long time to load and once they do, the links are frequently redirecting them to advertising websites.

    Malwarebytes was the tool originally used. They also tried a tool called SUPERAntiSpyware. Today I have been running through "chaslang's" redirection guide with the following results:
    Step 1 - complete.
    Step 2 - complete.
    Step 3 - Not relevant as Firefox is not used by any of the users.
    Step 4 - TDSSkiller would not run. Neither would fixTDSS.
    Step 5 - MBRcheck.exe found a non-standard or infected MBR. I have attached the log produced by this application.

    Any advice you could give me on resolving this issue would be greatly appreciated.

    Also, this server is in a production environment so I would like to try and minimise downtime if possible (although I know some downtime is inevitable).

    Thanks in advance.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to run the main body of the below. The Google Redirect link sent you back to this in step 5.


    READ & RUN ME FIRST. Malware Removal Guide


    Also are you saying that there are many user accounts on this server that people actually use to do surfing????

    Note that MBRcheck does indicate that there could be a problem with the MBR. Do you have all files backed up on this server? If not, you should do that before going any further as repairing the MBR can sometimes cause problems. Most of the time it is not a problem, but there is always the chance. Also this is Windows Server not Windows XP/Vista/7.

    Do you have a Windows Server 2008 Boot CD to use to repair the MBR?
     
  3. SmoggyJackson

    SmoggyJackson Private E-2

    Hi Chaslang,

    Thanks for getting back to me. I did some looking around your forum before signing up and it's great that you guys offer such sound and thorough advice.

    I have run through the Malware Removal Guide. There is only one anti-virus/software firewall application on the server (Symantec Endpoint Protection), hidden files/folders are enabled, the server is 2008 R2 so it is 64-bit, there is no emulation software installed and I have not run CCleaner due to shortcuts missing from the Desktop and Start menu.

    Step 6 was not completed due to there being no OS specific instructions (although I suppose it is the same architecture as Windows 7).

    There are many user accounts on this server as it is used as a Terminal Server and most users connect to it using thin clients. This means that the server is the only way they can do web browsing unfortunately. It is however very locked down using Group Policy.

    Important files on this server are regularly backed up and Windows Server Backup is also run nightly for a full recovery. We do still have the Windows Server 2008 R2 boot disk, so a repair of the MBR is possible. Do you recommend this as the next step?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

    Also note that Grinler ( the creator of unhide.exe ) has the below link which gives info on restoring some system defaults when the unhide program cannot find backups. Scroll down in the link:

    http://www.bleepingcomputer.com/forums/topic405109.html


    Yes try those instructions. If something does not work, just move on to the next. At the end, I still expect that MGtools should work.


    So they should not have Administrator permissions then?

    Not until we see results from other steps.
     
  5. SmoggyJackson

    SmoggyJackson Private E-2

    Unfortunately unhide is not compatible with Windows Server 2008 R2.

    I was however able to regain a lot of the missing icons, etc with the information provided in this link.

    I have now run through these instructions. I have attached the logs that they produced.

    Users do have local admin rights to the machine, but Group Policy restricts what settings they can change/view, etc.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay a few different infections are showing up. Hitman also confirms what I said earlier about your MBR being infected.
    Code:
       Master Boot Record (sector 0)
        > G Data . . . . . . : MBR:SST [Rtk]
        > DrWeb  . . . . . . :  Trojan.Tdlbkfs.1
        > Ikarus . . . . . . : Rootkit.Boot.Sst!IK
        > HitmanPro  . . . . : Win64/Bootkit
    I want to give you a fix that does not include fixing the MBR first and then we will come back to this.

    I will post another message with a fix in a little while.

    Are you sure this is a work PC???? There are quite a few questionable ( porn ) files showing up in the logs. You need to manually clean all this stuff up. See the zafind.txt log in MGlogs.zip. No wonder this PC is infected. Also the zafind.txt log is excessively long because of all of this.

    You also need to empty all of the C:\$Recycle.Bin folders for all the accounts shown. Again look at zafind.txt
     
    Last edited: Nov 5, 2012
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right the below folders are on this hard disk still and you can find files there to manually restore if you still need them. But do this soon before the temp folders get cleaned out.
    Code:
    d--h--w                 0 2012-10-08 05:39:21  C:\Users\Administrator\Local Settings\TEMP\smtmp\1
    d--h--w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\4
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs
    d-----w                 0 2012-10-08 05:39:21  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Accessories
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\APC PowerChute Business Edition
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\BarTender 9.4
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\CutePDF
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Google Chrome
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Internet Explorer
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Microsoft Office
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\MYOB AccountRight Enterprise v19
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\MYOB Premier Enterprise v6.5
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Nuance PDF Professional 6
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\QuickTime
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Startup
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Symantec Backup Exec
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Symantec Endpoint Protection
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\TransPost
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Windows SBS
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\WinZip
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\YouSendIt Desktop App
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\ZebraNet Utilities
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Terminal Services
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\CutePDF\PDF Writer
    ----a-w             1,133 2012-10-08 05:13:30  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware Help.lnk
    ----a-w             1,133 2012-10-08 05:13:30  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware.lnk
    d-----w                 0 2012-10-08 05:44:12  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware\Tools
    ----a-w             1,157 2012-10-08 05:13:30  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware\Uninstall Malwarebytes Anti-Malware.lnk
    ----a-w             1,306 2012-10-08 05:13:30  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Malwarebytes' Anti-Malware\Tools\Malwarebytes Anti-Malware Chameleon.lnk
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\MYOB AccountRight Enterprise v19\MYOB Tools
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\MYOB Premier Enterprise v6.5\MYOB Tools
    d-----w                 0 2012-10-08 05:44:13  C:\Users\Administrator\Local Settings\TEMP\smtmp\1\Programs\TransPost\TransPost Tools
    ---ha-w             1,115 2012-10-08 05:13:30  C:\Users\Administrator\Local Settings\TEMP\smtmp\4\Malwarebytes Anti-Malware.lnk
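The smtmp folders in the listing above are where this family of rogues parks the Start Menu and Desktop shortcuts it hides. The script below is an added example, not code from the thread or from unhide.exe, that copies them back to their real locations and clears the Hidden attribute. It assumes the subfolder-to-location mapping in the `$map` table (smtmp\1 to the All Users Start Menu is evident from the Programs\... listing; smtmp\4 to the Public Desktop is an assumption based on the lone desktop .lnk), that it runs in an elevated session on the server, and that "Local Settings" in the log is the usual junction to AppData\Local. Written for PowerShell 2.0, which is what Server 2008 R2 ships.

```powershell
# Added example (not from the thread or from unhide.exe): put back the Start Menu
# and Desktop shortcuts that a FakeHDD-style rogue moved into %TEMP%\smtmp.
# Run from an elevated PowerShell on the server. PowerShell 2.0 syntax only.
#
# ASSUMED mapping of smtmp subfolders to their real locations (edit to suit):
#   smtmp\1 -> All Users Start Menu  (consistent with the Programs\... listing)
#   smtmp\4 -> Public Desktop        (assumption; the listing shows a desktop .lnk there)
# Preview with -WhatIf first; existing files at the destination are never overwritten.
param(
    [string]$SmtmpRoot = 'C:\Users\Administrator\AppData\Local\Temp\smtmp',
    [switch]$WhatIf
)

$map = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    '4' = 'C:\Users\Public\Desktop'
}

function Clear-Hidden {
    # The rogue sets +H on the originals it leaves behind; strip it so they show again.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot [int][IO.FileAttributes]::Hidden)
}

function Restore-SmtmpFolder {
    param([string]$Source, [string]$Destination, [switch]$WhatIf)
    if (-not (Test-Path -LiteralPath $Source)) { Write-Warning "missing: $Source"; return }
    if (-not $WhatIf -and (Test-Path -LiteralPath $Destination)) { Clear-Hidden $Destination }
    $srcRoot = (Get-Item -LiteralPath $Source -Force).FullName.TrimEnd('\')
    # Get-ChildItem -Recurse lists a directory before its contents, so parents exist before copies.
    Get-ChildItem -LiteralPath $srcRoot -Recurse -Force | ForEach-Object {
        $rel  = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
        $dest = Join-Path $Destination $rel
        if ($_.PSIsContainer) {
            if (Test-Path -LiteralPath $dest) { if (-not $WhatIf) { Clear-Hidden $dest }; return }
            if ($WhatIf) { "WhatIf: mkdir $dest" }
            else { New-Item -ItemType Directory -Path $dest | Out-Null; "restored dir  $dest" }
            return
        }
        if (Test-Path -LiteralPath $dest) {
            if (-not $WhatIf) { Clear-Hidden $dest }
            "kept existing $dest"; return
        }
        $parent = Split-Path -Parent $dest
        if ($WhatIf) { "WhatIf: copy  $($_.FullName) -> $dest"; return }
        if (-not (Test-Path -LiteralPath $parent)) { New-Item -ItemType Directory -Path $parent | Out-Null }
        Copy-Item -LiteralPath $_.FullName -Destination $dest
        (Get-Item -LiteralPath $dest -Force).Attributes = 'Archive'   # drop +H/+S on the copy
        "restored file $dest"
    }
}

foreach ($entry in $map.GetEnumerator()) {
    Restore-SmtmpFolder -Source (Join-Path $SmtmpRoot $entry.Key) -Destination $entry.Value -WhatIf:$WhatIf
}
```

Run it once with `-WhatIf` and read the list before running it for real; anything already present at the destination is left in place and only has its Hidden bit cleared, so a second run is harmless.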
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay after observing what I posted in my previous message cleaning up all that garbage, please continue here.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {3a7f3254-eafa-4dbc-b4f3-0d40916f3352} - C:\Program Files (x86)\ReferenceBoss_1p\bar\1.bin\1pSrcAs.dll (file missing)
    O3 - Toolbar: ReferenceBoss - {c4676d53-fce5-4a19-be4d-97e6eaf7e19a} - C:\Program Files (x86)\ReferenceBoss_1p\bar\1.bin\1pbar.dll (file missing)
    O4 - HKUS\S-1-5-21-3247755219-2071388787-105539922-1170\..\Run: [dplaysvr] C:\Users\tmcleod.VIGORELLA\AppData\Local\dplaysvr.exe (User 'TMcLeod')
    O4 - HKUS\S-1-5-21-3247755219-2071388787-105539922-1170\..\Run: [Internet Security] C:\ProgramData\isecurity.exe (User 'TMcLeod')
    O4 - HKUS\S-1-5-21-3247755219-2071388787-105539922-1187\..\Run: [Ihzitew] C:\Users\sdevon.VIGORELLA\AppData\Roaming\Aqokhu\aczo.exe (User 'SDevon')

    After clicking Fix, exit HJT.

    Now rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that still exist and then click the Delete button.

    Then immediately reboot your PC at this point.

    After reboot, please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Users\sdevon.VIGORELLA\AppData\Roaming\Aqokhu\aczo.exe
    C:\ProgramData\isecurity.exe
    C:\Users\sdevon.VIGORELLA\AppData\Roaming\Aqokhu
    C:\Windows\tasks\PC Optimizer Pro Updates.job
    C:\Windows\tasks\PC Optimizer Pro64 startups.job
    C:\Windows\TEMP\*.tmp
    C:\Users\tmcleod.VIGORELLA\AppData\Local\dplaysvr.exe
    C:\Program Files (x86)\ReferenceBoss_1p
    
    :Reg
    [-HKEY_USERS\S-1-5-21-3247755219-2071388787-105539922-1187\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihzitew]
    :Commands
    [purity]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the new RogueKiller log
    • C:\MGlogs.zip
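The HijackThis lines in this post are per-user Run values under HKEY_USERS\<SID>, an IE URLSearchHook and toolbar CLSID whose DLLs are already gone, and the OTM script also removes two .job tasks. On a terminal server the same check has to be repeated for every loaded user hive, which HJT does not do on its own. The script below is an added example, not part of the thread or of MGtools/HijackThis, that performs that audit read-only. The flagging rules in `$suspectDirs` and all function names are my own; it assumes an English locale for schtasks (the 'Task To Run' column header), that it runs elevated, and that the users of interest are logged on (other users' NTUSER.DAT hives are not loaded and would need `reg load` first). PowerShell 2.0 syntax only.

```powershell
# Added example, not from the thread nor from MGtools/HijackThis: a read-only audit
# of the persistence points the HJT lines come from, for a terminal server where many
# user hives are loaded at once. Walks every hive under HKEY_USERS (logged-on users)
# plus HKLM in the 64- and 32-bit views, and reports Run/RunOnce values, IE
# URLSearchHooks and scheduled-task actions, flagging targets that are missing or
# live in user-writable locations. PowerShell 2.0 syntax. Nothing is modified.
$ErrorActionPreference = 'SilentlyContinue'
$suspectDirs = '\AppData\', '\ProgramData\', '\Temp\', '\Local Settings\', '\Users\Public\'
$psNoise     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath {
    # Pull the executable out of a command line: "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { $p = $c.Split('"')[1] }
    else {
        $m = [regex]::Match($c, '^(.+?\.(exe|dll|cmd|bat|vbs|js|scr))', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value } else { $p = $c.Split(' ')[0] }
    }
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-Verdict {
    param([string]$Path)
    if (-not $Path) { return 'NO TARGET' }          # e.g. a CLSID with no InprocServer32 left
    $flags = @()
    if (-not (Test-Path -LiteralPath $Path)) { $flags += 'MISSING' }
    if (@($suspectDirs | Where-Object { $Path -like "*$_*" }).Count -gt 0) { $flags += 'USER-WRITABLE' }
    if ($flags.Count) { $flags -join ',' } else { 'ok' }
}

function New-Row {
    param($Scope, $Kind, $Name, $Target)
    New-Object PSObject -Property @{ Scope = $Scope; Kind = $Kind; Name = $Name; Target = $Target; Verdict = (Get-Verdict $Target) }
}

function Get-UserHives {
    # One @{ Label = 'DOMAIN\user'; Root = 'Registry::HKEY_USERS\<SID>\Software' } per loaded hive
    $keys = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($k in $keys) {
        $sid = $k.PSChildName; $label = $sid
        try { $label = (New-Object Security.Principal.SecurityIdentifier($sid)).Translate([Security.Principal.NTAccount]).Value } catch { }
        @{ Label = $label; Root = "Registry::HKEY_USERS\$sid\Software" }
    }
}

function Get-RunEntries {
    $scopes = @(@{ Label = 'machine (64-bit)'; Root = 'HKLM:\SOFTWARE' },
                @{ Label = 'machine (32-bit)'; Root = 'HKLM:\SOFTWARE\Wow6432Node' }) + @(Get-UserHives)
    foreach ($s in $scopes) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$($s.Root)\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($psNoise -contains $p.Name) { continue }
                New-Row $s.Label $sub $p.Name (Get-ExePath ([string]$p.Value))
            }
        }
    }
}

function Get-SearchHooks {
    # The R3 lines: CLSIDs under URLSearchHooks, resolved through HKCR to the DLL IE would load
    foreach ($s in Get-UserHives) {
        $key = "$($s.Root)\Microsoft\Internet Explorer\URLSearchHooks"
        if (-not (Test-Path $key)) { continue }
        foreach ($clsid in (Get-Item $key).GetValueNames()) {
            $dll = $null
            foreach ($cls in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                             "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32") {
                if (Test-Path $cls) { $dll = [string](Get-ItemProperty $cls).'(default)'; break }
            }
            New-Row $s.Label 'URLSearchHook' $clsid $dll
        }
    }
}

function Get-TaskActions {
    # Covers the legacy C:\Windows\Tasks\*.job entries as well as Task Scheduler 2.0 tasks.
    # 'Task To Run' is the English header of the verbose CSV; the header row repeats per folder.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notmatch '^(COM handler|N/A)' } |
        ForEach-Object { New-Row 'task scheduler' 'ScheduledTask' $_.TaskName (Get-ExePath $_.'Task To Run') }
}

$report = @(Get-RunEntries) + @(Get-SearchHooks) + @(Get-TaskActions)
$report | Sort-Object Verdict, Scope | Format-Table Verdict, Scope, Kind, Name, Target -AutoSize
# Review every row that is not 'ok' before removing anything; to keep a copy:
# $report | Export-Csv C:\MGtools\persistence.csv -NoTypeInformation
```

A Run value that points into a user's AppData or into ProgramData is not proof of malware (some legitimate updaters live there), but on a locked-down terminal server every such row deserves a look, and a hook or toolbar CLSID whose DLL is gone (the "file missing" cases HJT shows) is dead weight that should be removed either way.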
     
  9. SmoggyJackson

    SmoggyJackson Private E-2

    Haha on some of my other clients this would be more expected. For these guys however, the porn sites are due to browser redirects taking them to all sorts of interesting material.

    This has been cleaned up.

    These files have been restored. Thanks for alerting me to that.
     
  10. SmoggyJackson

    SmoggyJackson Private E-2

    Hi chaslang,

    I have completed all of your latest steps. Thanks again for your in-depth answers!

    Please see attached.

    Also please note, my client has been putting a bit of pressure on me to get this resolved and we currently have a public holiday where I live (ie. a rare opportunity to conduct server restarts etc.), so before your first reply today I also resolved the MBR issue. I ran a bootrec.exe /fixmbr.

    Apologies for my impatience but it was rare opportunity to try and fix this issue.

    After fixing the MBR, I was able to run a TDSSkiller (no results) and I also ran Hitman Pro again which no longer shows any issues with the MBR (See attached).
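MBRCheck, HitmanPro and `bootrec /fixmbr` were all used above without a way to see what actually changed on disk. The script below is an added example, not from the thread, MBRCheck or HitmanPro, that reads sector 0 of the boot disk, checks the 0x55AA signature and the partition table, and hashes the 440-byte bootstrap code so the value taken before `bootrec /fixmbr` can be compared with the one after (or with a known-clean Server 2008 R2 install). It assumes disk 0 is the boot disk and an elevated session; the "standard strings" heuristic relies on the stock Windows 7 / 2008 R2 MBR containing its usual ASCII error messages. PowerShell 2.0 syntax only.

```powershell
# Added example (not from the thread, MBRCheck or HitmanPro): dump sector 0 of the
# boot disk and sanity-check it. Needs an elevated prompt. PowerShell 2.0 syntax.
#
# CAVEAT: a live bootkit of the family the scanners named above (TDSS/SST) hooks the
# disk driver stack and can hand a clean-looking sector 0 to user-mode readers, so a
# clean result from inside the running OS is weaker evidence than the same read taken
# from WinRE/WinPE or with the disk attached to another machine. On a GPT disk sector
# 0 is only a protective MBR (a single type 0xEE partition) and this check is moot.
function Get-Sector0 {
    param([int]$DiskNumber = 0)
    $fs = New-Object IO.FileStream("\\.\PhysicalDrive$DiskNumber", [IO.FileMode]::Open,
                                   [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "short read from PhysicalDrive$DiskNumber" }
        ,$buf                                   # leading comma returns the array as one object
    } finally { $fs.Close() }
}

function Get-PartitionTable {
    param([byte[]]$Mbr)
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                     # four 16-byte entries follow the boot code
        if ($Mbr[$o + 4] -eq 0) { continue }   # type 0x00 = empty slot
        New-Object PSObject -Property @{
            Index    = $i
            Active   = ($Mbr[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Mbr[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
}

function Test-Mbr {
    param([int]$DiskNumber = 0)
    [byte[]]$mbr = Get-Sector0 $DiskNumber
    $code  = [byte[]]$mbr[0..439]              # bootstrap code; 440-443 is the NT disk signature
    $text  = [Text.Encoding]::ASCII.GetString($code)
    $parts = @(Get-PartitionTable $mbr)
    $notes = @()
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { $notes += 'bad 55AA signature' }
    if (@($parts | Where-Object { $_.Active }).Count -ne 1) { $notes += 'not exactly one active partition' }
    # The stock Windows 7 / 2008 R2 MBR carries ASCII error strings ("Invalid partition
    # table", ...). Boot code without them is not the standard one: a third-party boot
    # manager, or a bootkit's own loader.
    if ($text -notmatch 'Invalid partition table') { $notes += 'standard Windows MBR strings absent' }
    $sha = [Security.Cryptography.SHA256]::Create()
    New-Object PSObject -Property @{
        Disk           = $DiskNumber
        BootCodeSHA256 = ([BitConverter]::ToString($sha.ComputeHash($code)) -replace '-')
        DiskSignature  = '0x{0:X8}' -f [BitConverter]::ToUInt32($mbr, 440)
        Partitions     = $parts
        Notes          = $(if ($notes.Count) { $notes -join '; ' } else { 'nothing unusual' })
    }
}

# Usage: run once before and once after bootrec /fixmbr and compare BootCodeSHA256.
# Keep the raw sector as well:  [IO.File]::WriteAllBytes('C:\MGtools\mbr-before.bin', (Get-Sector0 0))
$r = Test-Mbr 0
$r | Format-List Disk, DiskSignature, BootCodeSHA256, Notes
$r.Partitions | Format-Table Index, Active, Type, StartLba, Sectors -AutoSize
```

The partition table and disk signature should be identical before and after `bootrec /fixmbr`, since it rewrites only the boot code; if they differ, restore the saved sector from WinRE rather than guessing, which is why the listing above keeps a copy of the raw sector before touching anything.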
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now. But there are still quite a few temp files from IE5 that could be cleaned up. Not necessary but would not hurt just to make sure none of these contain components that caused the infection. See the zafind.txt log. Also empty the recycle bin folders.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  12. SmoggyJackson

    SmoggyJackson Private E-2

    Everything looks good! No more browser redirection issues or even slowness being experienced by users.

    I just have a couple of questions regarding this last phase:

    These two applications appear to be stand-alone executables and not 'installed' on the machine. Is this not the case, or can I just delete the exe files?

    I can't see any reference to HiJackThis in add/remove programs. Would it be named as something else?

    Also, I noticed an application in add/remove programs that I have never seen before. It's called WiseConvertToolbar. Have you seen or heard of this in relation to any malware issues?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are. Running MGclean.bat will possibly cleanup all of this. If not you can delete later.

    No! Ignore it and continue. MGclean.bat will clean this up too.

    No! Which is why I did not touch it. I was not sure if it was something that someone knowingly installed. Personally I don't like any toolbars except the ones that are actually part of Windows. ;)
     
  14. SmoggyJackson

    SmoggyJackson Private E-2

    Hi Chaslang,

    I've been pretty busy over the last couple of weeks so I never got to say a final thank you!

    You saved me a great deal of time and effort (and from a grumpy client). I really appreciate your help.

    Thanks again.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
