Major Trojan and Browser Hijack problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mr Nood, Feb 28, 2010.

  1. Mr Nood

    Mr Nood Private E-2

    Hi - great info here - thanks for the efforts.
    I have a major issue which I hope someone can help me with.

    System is Dell Dimension
    Browser - IE8
    Firewall - Zone Alarm Free
    AV - AVG free.

    I have carried out all the processes in 'Read and Run Me first' but still have infection.

    Problem started about 1 week ago on innocuous webpage - suddenly diverted to a page warning me of infections. I did NOT (intentionally) download any s/w, and indeed immediately disconnected my cable modem.

    I ran S&D and AVG but on reconnection I got increasingly urgent messages and popups about infections. (eventually a desktop image saying system was 'disabled')! Task Manager and System restore were 'disabled' by the infection, including in Safe mode.
    I took the PC to work and our IT experts helped with Malwarebytes, which initially seemed to get somewhere, but I was still seeing browser redirects, further messages about infection. At that point I followed the whole of the MajorGeeks 'run me first' process which I completed this morning.

    On first try of internet - I immediately got a redirect and infection warning so it seems that the steps have not solved the infection.

    I attach the logs as requested. Note - there does not seem to be a SASlog.txt file - I ran the utility but it reported no infections found, so maybe no log was created.

    My machine is essentially unusable, so would REALLY appreciate some guidance. Is this recoverable? Some forums suggest that it is NEVER possible to be confident of completely cleaning this type of infection.

    Thanks in anticipation
     

    Attached Files:

  2. Mr Nood

    Mr Nood Private E-2

    Re: Major Trojan and Browser Hijack problems - extra logfile

    My apologies - I found the SAS log file (by reading the instructions!)

    Hope this will make it easier to track the problem!

    Thanks
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    FCopy::
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe | c:\windows\SYSTEM32\USERINIT.EXE
    
    Folder::
    c:\documents and settings\Joanne\Application Data\lowsec
    C:\found.000
    C:\WINDOWS\system32\1024
    
    File::
    c:\windows\system32\stu2.exe
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://img249.imageshack.us/img249/1218/cfscript1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze



    Download GMER Rootkit Detector and save it your desktop.

    * Extract it to your desktop and double-click GMER.exe
    * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
    * Click the Rootkit tab and then Scan.
    * Don't check the Show All box while scanning in progress!
    * When scanning is finished click Copy.
    * This copies the log to clipboard
    * Post the log in your reply.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.


    Next post please attach:

    • New ComboFix log
    • GMER log
    • MGlogs.zip


    Go to Add or Remove Programs and uninstall Spybot - Search & Destroy 1.5.2.20 (if found). That's an old version that needs to be uninstalled if it is there.
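As an added illustration (not code from this reply and not ComboFix's own code), the script below parses the CFScript format used above, where each `Name::` line opens a directive and the lines under it are its entries, and then checks which of the listed paths exist under a chosen root. For the `FCopy::` pair it compares the cached `userinit.exe` with the copy in `system32` by SHA-256, so a reader can see whether the replacement is still pending. The CFScript text is copied verbatim from the reply; the directive meanings (`Folder::`/`File::` entries are paths to remove, `FCopy::` is `source | destination`) are taken from how the reply uses them; the temporary file tree built by `demo_report()` is constructed for the demo, so the script runs offline on any OS.

```python
"""Parse a ComboFix CFScript and check its listed indicators against a filesystem root.

Added example; not ComboFix's own code and not part of the reply above.
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# The CFScript text from the reply above, copied verbatim.
CFSCRIPT = r"""KillAll::

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe | c:\windows\SYSTEM32\USERINIT.EXE

Folder::
c:\documents and settings\Joanne\Application Data\lowsec
C:\found.000
C:\WINDOWS\system32\1024

File::
c:\windows\system32\stu2.exe
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return {directive: [entries]}; a directive is a line of the form 'Name::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def to_local(root, win_path):
    """Map 'C:\\a\\b' onto root/a/b, lower-cased because NTFS paths are case-insensitive."""
    wp = PureWindowsPath(win_path)
    parts = wp.parts[1:] if wp.drive else wp.parts
    return Path(root).joinpath(*(p.lower() for p in parts))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_indicators(sections, root):
    """Which File::/Folder:: entries exist under root, and whether each FCopy:: pair already matches."""
    report = {"present": [], "absent": [], "fcopy": []}
    for entry in sections.get("Folder", []) + sections.get("File", []):
        key = "present" if to_local(root, entry).exists() else "absent"
        report[key].append(entry)
    for entry in sections.get("FCopy", []):
        src, dst = (s.strip() for s in entry.split("|", 1))
        src_p, dst_p = to_local(root, src), to_local(root, dst)
        if not (src_p.is_file() and dst_p.is_file()):
            status = "missing"
        elif sha256_of(src_p) == sha256_of(dst_p):
            status = "identical"   # the system32 copy already matches the cached original
        else:
            status = "differs"     # the system32 copy does not match: FCopy still needed
        report["fcopy"].append((src, dst, status))
    return report


def demo_report():
    """Build a constructed sample tree in a temp dir that mimics the infected layout, then check it."""
    with tempfile.TemporaryDirectory() as root:
        stu2 = to_local(root, r"c:\windows\system32\stu2.exe")
        stu2.parent.mkdir(parents=True)
        stu2.write_bytes(b"constructed sample, not a real binary")
        to_local(root, r"C:\WINDOWS\system32\1024").mkdir()
        cached = to_local(root, r"c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe")
        cached.parent.mkdir(parents=True)
        cached.write_bytes(b"constructed: cached copy")
        to_local(root, r"c:\windows\SYSTEM32\USERINIT.EXE").write_bytes(b"constructed: modified copy")
        return check_indicators(parse_cfscript(CFSCRIPT), root)


if __name__ == "__main__":
    # With no argument the constructed demo tree is used; pass a root (e.g. C:\) to check a real drive.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    report = demo_report() if root is None else check_indicators(parse_cfscript(CFSCRIPT), root)
    for key in ("present", "absent"):
        for entry in report[key]:
            print(f"{key:8} {entry}")
    for src, dst, status in report["fcopy"]:
        print(f"fcopy    {status}: {dst} vs {src}")
```

Run it with no argument to see the constructed demo; passing a drive root checks that drive. The hash comparison is the useful part: a `differs` result on the `FCopy::` pair means the copy of `userinit.exe` that Windows runs at logon still does not match the cached original, which is exactly the state the script is meant to repair.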
     
  4. Mr Nood

    Mr Nood Private E-2

    Hi - thanks for the quick response.

    I have run the checks you asked for and attach the 3 logs.

    I'm not able to work on my PC for the rest of this week - and won't be able to run any more scans until Friday, but will definitely be back on the case then.

    Any feeling as to the likelihood of repair here?

    Cheers!
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

    Actually, unless you are still showing signs of a malware infection we are close to finishing up.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    • O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    After clicking Fix checked, exit HijackThis.



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    I also highly suggest go to Microsoft Windows Update and get all critical updates including XP SP3. Besides performance fixes there are multiple security issues addressed in SP3.


    How is the computer running now?
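The two O2/O3 lines ticked above are registry entries for a Browser Helper Object and a toolbar whose DLL HijackThis can no longer find, which is why they show as `(no file)`. As an added example (not HijackThis code and not part of this reply), the script below parses lines in that O2/O3 format and lists the CLSIDs of such orphaned entries. The two lines from the reply are used verbatim; the other two sample lines, their CLSID and their paths are constructed placeholders.

```python
"""Parse HijackThis O2 (BHO) and O3 (Toolbar) lines and flag orphaned entries.

Added example; not HijackThis code and not part of the reply above.
"""
import re

# Constructed sample log: the two lines quoted in the reply above, plus two
# made-up entries (the CLSID and paths are placeholders, not real products).
HJT_SAMPLE = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# O2/O3 line shape: "<section> - <kind>: <name> - {CLSID} - <dll path or (no file)>"
O23_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)


def parse_o2_o3(text):
    """Return a dict per O2/O3 line (section, kind, name, clsid, path); other sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned(entries):
    """Entries whose DLL was not found: the registry registration outlived the file.

    These are the lines the reply has the user tick and 'Fix checked' so the
    dangling registration is removed.
    """
    return [e for e in entries if e["path"] == "(no file)"]


def fix_list(text):
    """CLSIDs to remove, one per orphaned entry, in log order."""
    return [e["clsid"] for e in orphaned(parse_o2_o3(text))]


if __name__ == "__main__":
    for e in parse_o2_o3(HJT_SAMPLE):
        flag = "ORPHAN" if e["path"] == "(no file)" else "ok"
        print(f'{e["section"]} {flag:6} {e["clsid"]} {e["name"]} -> {e["path"]}')
```

An entry with a real, existing DLL path is left alone here; whether such an entry is legitimate is a separate judgement that needs the file itself, which is why the reply only targets the `(no file)` lines.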
     
  6. Mr Nood

    Mr Nood Private E-2

    WOW!
    Thanks for that.

    I have completed your suggestions, and the first indications are that you have solved the problem.

    The main site which was redirected is now OK, and initial usage of IE8 has not produced any redirects or 'Warning' pages.

    Please could we leave this thread open till Friday as it is now late in UK and I cannot be at PC again till then.

    You can't know how much I appreciate this help - I believe I am generally PC savvy, and it makes me so angry that someone would cause me (and you for that matter) so much grief out of sheer malice.

    Thanks again - I'll report on Friday.

    Keep up the good work.

    PS - I have disabled SAS from running on startup since it was taking a while to launch - Is AVG Free and Zonealarm adequate for everyday protection?

    Cheers
     
  7. evilfantasy

    evilfantasy Malware Fighter

    It will stay open.

    Yes AVG and ZA should be good. The free version of SAS does not have real time protection anyway.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
