IE Hijack Recurred 3 Days Later

Hi,

Last Friday my IE8 running on XP was hijacked by malware wanting me to buy antivirus software. I ran the malware removal tools in the guide except RootRepeal, which would not run. Combofix found and removed many things. Everything started working again seemingly properly, so after two days I thought everything was fixed, and deleted the logs.

The "beginnings" of the same virus recurred today (about 3-4 days later), where a search in IE8 brought me to the "buy antivirus" and "scan your computer" screen. I immediately closed IE8.

Because I have not surfed the internet hardly at all since the first occurrence 3-4 days ago, I believe I missed a file or two in the first cleaning.

I have now done the malware removal procedure a second time, and am attaching the logs. When I ran SuperAntiSpyware, I accidentally told it to check traces, and it found 3 which I did not delete, but could find again if these are part of the problem. Root Repeal again did not run, so I tried Sophos Anti-Rootkit instead and it found overly long file names (which I have since fixed) and one file about which it was unsure.

Issue: Is my computer now clean, or is this virus still lurkihng? I was in the process of making an image of my harddrive when this virus recurred, so I am still without a full backup. I do not want to image the harddrive until I know I' clean. Thanks.

Here are the first four log files. Last log file in the next message.

Thank you.

 

Here's the last log file.

 

Hi,

Thanks for all your help!

Other Scans

Before responding to the procedures you outlined, let me tell you what has occurred in the interim time. I ran many of the recommended alternative scans (programs, online scanners, rootkit scanners). Here is what those found:

A full scan by Malawarebytes found a trojan which was removed. All other downloaded general programs found nothing (e.g., spyware doctor, spybot, vundofix, rogue remover, virtumondebe gone, stinger, etc.).

Of the online scans, I couldn't run Bit Defender. ESET found NSIS/TrojanDownloader.Agent.NAV trojan and it was deleted. F-Secure found TracingCooking.207, and cleaned it. Panda ActiveScan found a dll file it didn't like, and deleted it. Trend Micro Housecall found 3 cookies. Kaspersky found 3 files in Norton Quarantine that Norton itself didn't show, and I followed the path and deleted these files by hand (all of the 07A0000.VBN variety).

Of the rootkit scans, BitDefender Rootkit Uncover, Rootkit Revealer, and Pavark AntiRootkit found nothing. I ran GMER in both normal mode and safe mode, and because I don't understand the logs, I am attaching one txt file that contains both logs (may be some potentially suspicious files here). I also ran SysProt AntiRootkit and it also pointed to some odd files and that log is also attached. As I don't understand these files, I took no action based on them.


Oddities

After this was all said and done last night, I encountered some odd processes running, and noticed for the first time ever that CCleaner would identify but was not able to remove certain files.

I traced the first problem to sptd.sys trying to load (I've never had daemon tools on my machine), even in safe mode it would prompt to load, and managed to get it deleted from my machine following the guidelines on http://www.greatis.com/security/What is SPTD####.sys.htm (note: I did not have sptd9885.sys on my machine).

The CCleaner problem I traced to a rogue version of adobelmsvc.exe (and associated processes), which was leaving processes and files in my temp folder that I initially couldn't stop and couldn't delete. I finally managed to kill the processes and delete the files in safe mode.

After all this, my computer ran better, but still not right.

As an aside, I think the MAIN source of the problem (the browser hijack) is likely gone, though I must be dealing with many residual effects. I noticed before this last set of scans, that I was having "automatic downloads" (the yellow icon would appear in the tray), and I have always had automatic downloads shut off. That behavior has stopped now. On the other hand, it seems like there are a lot of "other" problems being tracked down, and so hopefully those will be caught as best as possible.


Results of Suggested Procedures

Files in Root Folder

I do not know what the files are in the root folder. I looked at their dates, and all but FARSBOOT.BIN and FARSBOOT.BIO have dates around the time of the infection:

c:\index.sys 8/24/09
c:\driverbmp.bin 8/24/09
c:\logicinf.bin 8/28/09
c:\delete.bat 8/20/09
C:\FARSBOOT.BIN 5/25/09

I opened the delete.bat file in Notetab Lite and made a txt file of it, which is attached. I know I never wrote this batch file.

Software Versions

Thanks. I'll get the programs updated. I do update the definitions before I use them.

HJT Fix

The 023 - Service: McAfee Application Installer was fixed.
The 024 - Desktop Component was no longer in the HJT list. Perhaps the earlier work took care of this problem?

Registry Fix

The fixme.reg was successful, and the keys were successfully added.

CMD Prompt

The "sc stop" command didn't work because "service has not been started". I tried 3 times, and doublechecked to make sure I typed it properly.

The "sc delete" command worked and received the message "delete service success"

MGTools Log

The MGTools.zip log is attached.


Where Things Stand

My computer is definitely running better after all of this. I remain a bit worried though, as I believe it is still taking a bit longer to open programs than before all this started. Nonetheless, a good improvement.

THANK YOU!!!! I appreciate greatly your help and the time you dedicate to helping people generally.

 

Hi,

Thanks. I did nothing more between my last post and this post.

--The sptd.sys file I removed had a non-standard size. I did the following vis a vis the keys:

Used regedit to:
Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPTD.
Right clicked and chose "Permissions" in the popup menu.
Changed the rights for Adminitrator group to Full access.
Deleted SPTD subkey.
Did the same for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD.

--The adobelmsvc.exe was in a temp folder along with some associated processes.

--I did not search for or try to remove the spjz.sys driver. Should it be removed?

--All the weird files in the root drive have been deleted.

--All "clean-up" work has been done, and I am now starting down the very helpful "protection" guide.

Thanks!

 

Hi,

Thanks for all your help! I think we've got it solved.

I couldn't find spjz.sys as a file, but there was a registry key for it -- set a restore point, deleted the key, everything was still working afterwards, so stopped all restore points, rebooted, and set another restore point.

Computer seems to be running smoothly, and so I hope this continues!. I learned a lot in this process. Thanks.