IE redirection and more

Discussion in 'Malware Help (A Specialist Will Reply)' started by wflei, Apr 21, 2011.

  1. wflei

    wflei Private E-2

    Hi Geeks,

    Recently my computer was infected by XP Security 2011, and I tried to fix it through googling. Maybe I did not fix it thoroughly or it was complicated; the IE on my computer was redirected to where it is not supposed to be most of the time; most noticeably, I was not able to access Microsoft's Windows Update web page. I went through the "Read and Run..." guideline and the malware removal procedure on this forum, and I still failed to fix the problem. In addition, from time to time the "Generic Host process for W32" and svchost.exe errors occurred, and many system and application programs on the computer were not able to be executed (even the Task Manager!). BTW, TDSSkiller.exe would not run no matter how I changed its name. Attached below are the most recent logs (the SAS log is not included because it did not find any virus or malware).

    Thanks in advance for your great help.
    Wenfang
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still want to see it please. :)

    Hmm, try it in safe mode, let me know how that goes? Try renaming the .exe to .com if all else fails.

    Combofix found and addressed a problem according to the log so let's dig a bit deeper regardless.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\antispy
    File::
    C:\Documents and Settings\Molina Center\Local Settings\Application Data\q45f63b3111o63c2hk0htmd5p3j4poe
    C:\Documents and Settings\All Users\Application Data\q45f63b3111o63c2hk0htmd5p3j4poe
    C:\Documents and Settings\Molina Center\Templates\q45f63b3111o63c2hk0htmd5p3j4poe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "itlsvc"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    What are you using for antivirus?

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
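The Registry:: section of the script above removes a value named itlsvc from the SvcHost key. That key is where svchost.exe reads its service groups: each value name is a group (netsvcs, LocalService, ...) and the REG_MULTI_SZ data lists the services hosted in that group, so an extra group there is one way a DLL ends up loaded inside a trusted svchost.exe process. The Python script below is an added example, not part of this thread and not ComboFix's own logic: it parses a regedit export of the key, including regedit's backslash-wrapped hex(7) lines, and lists any group names that are not in a baseline. The .reg text and the baseline group list are constructed for the example; take a real baseline from a clean machine of the same Windows build.

```python
r"""Spot unexpected svchost service groups in a .reg export of the SvcHost key.

svchost.exe reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost:
each value name is a service group and its REG_MULTI_SZ data lists the
services that group hosts. A group name with no business being there is
worth a look. Everything below (baseline and .reg text) is constructed.
"""
import re

# Assumed baseline of group names for a stock Windows XP SP3 install; build the
# real list from a known-clean machine of the same build rather than trusting this.
BASELINE_GROUPS = {
    "netsvcs", "LocalService", "NetworkService", "rpcss",
    "DcomLaunch", "imgsvc", "termsvcs", "HTTPFilter",
}

# Constructed .reg export (not from the thread's logs). regedit writes
# REG_MULTI_SZ as hex(7): UTF-16LE bytes, comma separated, wrapped with a
# trailing backslash and two-space indented continuation lines.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost]",
    '"netsvcs"=hex(7):41,00,70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,42,00,49,00,54,\\',
    "  00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,00,00",
    '"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00',
    '"itlsvc"=hex(7):69,00,74,00,6c,00,73,00,76,00,63,00,00,00,00,00',
    "",
])


def decode_multi_sz(value: str) -> list:
    """Decode a regedit hex(7): value into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + value[:20])
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value[len("hex(7):"):])
    text = bytes.fromhex(hexdigits).decode("utf-16-le")
    # strings are NUL separated; the list ends with an extra NUL
    return [s for s in text.split("\x00") if s]


def _logical_lines(reg_text: str):
    """Join regedit's backslash-continued lines back into single lines."""
    pending = ""
    for raw in reg_text.splitlines():
        line = (pending + raw.strip()) if pending else raw
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def parse_svchost_groups(reg_text: str) -> dict:
    """Return {group name: [service names]} from the SvcHost key in a .reg export."""
    groups = {}
    in_svchost_key = False
    for line in _logical_lines(reg_text):
        if line.startswith("["):
            in_svchost_key = line.rstrip("]").lower().endswith("\\currentversion\\svchost")
            continue
        if not in_svchost_key:
            continue
        m = re.match(r'^"([^"]+)"=(hex\(7\):.*)$', line)
        if m:
            groups[m.group(1)] = decode_multi_sz(m.group(2))
    return groups


def unexpected_groups(groups: dict, baseline=BASELINE_GROUPS) -> dict:
    """Groups whose name is not in the baseline, with the services they host."""
    known = {g.lower() for g in baseline}
    return {g: members for g, members in groups.items() if g.lower() not in known}


if __name__ == "__main__":
    found = parse_svchost_groups(SAMPLE_REG)
    for group, members in unexpected_groups(found).items():
        print(f"unexpected svchost group {group!r} hosting {members}")
```

Each service named in a flagged group has its own key under HKLM\SYSTEM\CurrentControlSet\Services with a Parameters\ServiceDll value; that DLL path is the next thing to inspect, which is what the thread's later posts do with mssign324.dll.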
     
  3. wflei

    wflei Private E-2

    Dear Gee-K,

    Many thanks for your prompt reply. I have followed your instructions to tap the problems. Attached are the logs you requested (including the SAS.txt I did not include previously).

    I attempted to run the TDSSkiller.exe in safe mode and did not have much luck either. It complained that "TDSS rootkit removing tool has encountered a problem and needs to close", in which the error report contains the following error signature:
    EventType : BEX P1 : tds.com P2 : 2.4.21.0 P3 : 4d789985
    P4 : tds.com P5 : 2.4.21.0 P6 : 4d789985 P7 : 00056ec9
    P8 : c0000409 P9 : 00000000

    The AV used is the Microsoft Security Essentials.

    Thanks! --Wenfang
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I cannot open the zipped file you attached for some reason.
    And how are things running now?

    Please go to virustotal and upload the following files for analysis, and let me know the results.

    c:\windows\system32\mssign324.dll


    Could you please get this: mssign324.dll into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  5. wflei

    wflei Private E-2

    Unfortunately still not much progress (IE still hijacked). The mssign324.dll file seems quite suspicious: it was created a few days ago and had the read-only attribute. And likely because of this attribute, I was not able to upload it onto virustotal for a scan, and the file collected following your instruction was empty (anyway I attach it below). Hope this time you are able to open the new MGlogs.zip. Thanks.
     

    Attached Files:

  6. wflei

    wflei Private E-2

    I hope this is not a bump. It looks like you would not be able to open MGlogs.txt in the previous post, so I attach it here one more time.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    c:\windows\system32\mssign324.dll
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. wflei

    wflei Private E-2

    Hate to say this, but the IE is still hijacked.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Error in my script! File did not delete so let's try again this time with the correct script!

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\mssign324.dll
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now how are things running for you? Still being redirected?
     
  10. wflei

    wflei Private E-2

    After the fix, I notice that the file mssign324.dll is removed, but the browser is still being redirected, and the Generic Host error still happens, which stalls the computer.
    BTW (even though it does not matter now), I managed to change the attribute of mssign324.dll (before combofix was used) and uploaded it to the virustotal site (the scan result is attached below).
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please run the below:

    Run this and attach the results.

    Using ESET's Online Scanner

    Also give this a go:

    Rooter and attach the log.

    Then:

    Scan With RKUnHooker

    • Please Download Rootkit Unhooker Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • * This can take a while. Please be patient *.
    • Save the report somewhere where you can find it. Click Close.
    • Copy the entire contents of this log in your next reply.
    • This log can be lengthy; you may have to post it in separate replies.
    • Note: You may get the following warning - it is ok - just ignore it:
    • "Rootkit Unhooker has detected a parasite inside itself!
    • It is recommended to remove parasite, okay?"
     
  12. wflei

    wflei Private E-2

    The relevant logs are attached below. Thanks!
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have your XP boot CD?
     
  14. wflei

    wflei Private E-2

    I have. Maybe time for me to reformat the computer?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, we are going to repair the MBR which will hopefully get rid of the infection you have. But I need to get to work very soon so will have to get back to you later on in a few hours time. :)
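The MBRCheck step in post 2 and the MBR repair mentioned here rest on the same facts about the first sector of the disk: the boot code occupies the first 440 bytes, the partition table the 64 bytes from offset 446, and the sector ends in the 0x55AA signature. A checker compares a hash of the boot code against known-good values (that is what "non-standard or infected MBR" reports) and sanity-checks the table. The Python script below is an added example, not code from the thread or from MBRCheck: it parses a 512-byte sector, hashes the boot code, and reports the findings a checker would raise. The sample sectors, the stand-in boot code and the known-good hash set are all constructed for the example; a real baseline is a hash taken from a known-clean disk of the same Windows version.

```python
"""Parse a 512-byte MBR and report the kinds of problems an MBR checker flags.

Layout: bytes 0..439 boot code, 440..443 NT disk signature, 444..445 reserved,
446..509 four 16-byte partition entries, 510..511 the 0x55AA signature.
All sample sectors below are constructed for this example.
"""
import hashlib
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes, partitions, disk_signature: int = 0x12345678) -> bytes:
    """Assemble a test MBR; partitions is a list of (status, type, lba_start, sectors)."""
    if len(bootcode) > 440 or len(partitions) > 4:
        raise ValueError("boot code > 440 bytes or more than four partitions")
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, signature status and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "status": status, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # hash stops before the per-disk NT signature so one baseline covers many disks
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_bootcode: set, disk_sectors: int) -> list:
    """List human-readable findings; an empty list means the MBR looks standard."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_bootcode:
        findings.append("boot code does not match any known-good MBR (non-standard or infected)")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']}: extends past the end of the disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


# Constructed stand-in for stock Windows boot code (first bytes only, zero padded).
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x00" * 429
KNOWN_GOOD_BOOTCODE = {hashlib.sha256(CLEAN_BOOTCODE).hexdigest()}

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 63, 2_000_000)])
# Same partition table, but the boot code has been overwritten at offset 0x40.
INFECTED_MBR = build_mbr(CLEAN_BOOTCODE[:0x40] + b"\xe8\x00\x00" + CLEAN_BOOTCODE[0x43:],
                         [(0x80, 0x07, 63, 2_000_000)])
# Table damage: overlapping entries and one reaching past the disk.
BROKEN_TABLE_MBR = build_mbr(CLEAN_BOOTCODE,
                             [(0x80, 0x07, 63, 1_000_000), (0x00, 0x07, 500_000, 2_000_000)])

if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                      ("broken table", BROKEN_TABLE_MBR)]:
        print(name, "->", check_mbr(mbr, KNOWN_GOOD_BOOTCODE, disk_sectors=2_100_000)
              or ["no findings"])
```

Read against a real disk image, the same `parse_mbr` call works on the first 512 bytes of the file; the disk_sectors value comes from the image size divided by 512, and the "past the end of the disk" check is what exposes a partition entry pointing at space that is not really there.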
     
  16. wflei

    wflei Private E-2

    Dear K: It happens that my office will take back the computer tomorrow, which means that it will be reformatted anyhow. I already have all my data and files backed up, so the damage is minimal. I greatly appreciate your great help over the past days, and I learned a lot about malware removal during the course. Again thank you and all MG geeks!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

