Symantec site will not load (mildly persistent malware)

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrpoate, Sep 9, 2010.

  1. mrpoate

    mrpoate Private E-2

    Hi
    I'm writing in the hope someone could help bring closure to a malware infection I had (have?) recently. I followed the malware removal guide on this site and was largely successful, managing to remove most of the infection.
    Initial symptoms were:
    - a change of the desktop to a blue screen with a centred black box warning in bold lettering of a virus infection
    - a fake pop-up from the taskbar warning me of the infection urging me to "click here" for presumably rogue anti-spyware
    - browser hijacking, with most anti-malware sites redirected (generally to hxxp:searchingandclick58 etc, and from there to hxxp://****Book. etc). This included symantec, although from memory malwarebytes (and maybe super anti spyware) were accessible. Some other sites like wikipedia were redirected also.
    Fortunately, malwarebytes picked up the following two files:
    - C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus 2010); AND
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Userinit (Trojan.Agent)
    It deleted both, but on reboot the first would reappear. I suspect this was from restoration of an infected restore point, and fortunately after following the guide properly the file didn't reappear (I toggled system restore off).
    However, even after scanning with both malwarebytes and super antispyware, the browser redirection remained. I then deployed RootRepeal and ComboFix, and luckily they seemed to completely kill off the browser redirection (the only remaining symptom). I tested symantec.com and it worked fine.
    However, when I rebooted, symantec seems to be frozen and will not open. It doesn't redirect, it just seems to not want to load. However, all other sites (so far) seem to be working properly. This includes other anti-malware sites and wikipedia (which specifically was redirected pre-fix).
    I've checked the hosts file in C:\WINDOWS\system32\drivers\etc to see whether symantec.com has been mapped to a different IP, but the only entry in the file is the localhost and it checks out.
    I'm greatly thankful for the guide provided already, it's certainly helped kill most of the pest. Any assistance would be very much appreciated, although I completely understand there are probably more urgent cases out there than a (so far) single website being unusable. My main concern is less about symantec.com being stopped in and of itself, and more that it is a symptom of the problem still being there and possibly other clandestine processes remaining.
    Thanks very much, I've attached logs.
    Nelson (mrpoate)
     

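Two of the checks described in this post (spotting a look-alike system binary such as us?rinit.exe, and auditing the hosts file for hijacked entries) as an added Python example; this is not code from the thread or from any of the tools it names. The homoglyph table is a partial assumption, and the file names and hosts lines are constructed samples.

```python
import unicodedata
from ipaddress import ip_address

# Constructed sample names as they might appear in a system32 listing.
# "us\u0435rinit.exe" uses Cyrillic small ie (U+0435) in place of Latin "e",
# mimicking the rogue "us?rinit.exe" Malwarebytes flagged in the thread.
SAMPLE_NAMES = ["userinit.exe", "us\u0435rinit.exe", "winlogon.exe", "svchost.exe"]

# Constructed hosts file: a clean loopback entry, one vendor site redirected to
# another address, and one site pinned to loopback (it would simply fail to load).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
10.0.0.1        www.symantec.com
127.0.0.1       antimalware.example
::1             localhost
"""

LEGIT_SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "svchost.exe"}
STANDARD_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}
# Partial Cyrillic-to-Latin look-alike map (assumption; extend as needed).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}

def fold(name):
    """Collapse diacritics and known homoglyphs so a look-alike folds onto its target."""
    chars = (HOMOGLYPHS.get(c, c) for c in unicodedata.normalize("NFKD", name)
             if not unicodedata.combining(c))
    return "".join(chars)

def find_lookalikes(names, known=LEGIT_SYSTEM_BINARIES):
    """Return (suspicious_name, impersonated_name) for names that fold onto a known binary."""
    hits = []
    for n in names:
        folded = fold(n.lower())
        if folded in known and folded != n.lower():
            hits.append((n, folded))
    return hits

def hosts_suspicious(text):
    """Return (ip, hostname, reason) for hosts entries other than the standard loopback names."""
    found = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for host in parts[1:]:
            if host.lower() in STANDARD_HOSTS:
                continue
            reason = "pinned to loopback" if addr.is_loopback else "non-loopback mapping"
            found.append((str(addr), host.lower(), reason))
    return found
```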

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below outdated Java:

    • Java 2 Runtime Environment, SE v1.4.2_15
    • Java(TM) 6 Update 11

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post)

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\ib3.tmp
    C:\WINDOWS\Temp\ib4.tmp
    C:\WINDOWS\Temp\ib5.tmp
    C:\WINDOWS\Temp\ib6.tmp
    C:\WINDOWS\Temp\ib7.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6


    Scan with both Malware Bytes and SUPERantispyware again and attach the logs they create into your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  3. mrpoate

    mrpoate Private E-2

    Wow speedy response there, cheers.
    I'll get to it now, and get back with the new logs.
    Thanks,
    Nelson
     
  4. mrpoate

    mrpoate Private E-2

    Ok, I followed instructions and ran ComboFix but scarily during the automated restart process triggered by ComboFix, my computer is now stuck hanging on the blue "Windows is shutting down" screen. This is fairly worrying, particularly after hearing all the warnings about the potency of ComboFix and how it can permanently damage your system if you misuse it. I'm concerned because I forgot to toggle system restore back on after disabling it earlier (following the original guide, to stop reverting to an infected restore point). This was probably pretty stupid, sorry.
    Anyway should I try and switch the computer off by cutting power or something? Any advice on what to do from here?
    Argh, it's not the most pleasant of things to happen at 3:13 am :(
    Anyway advice appreciated,
    Nelson
     
  5. mrpoate

    mrpoate Private E-2

    Hey
    Manually cut power off then on and was able to restart. Upon restart, ComboFix popped up and finished off the process, generating the log. Like before, symantec.com now works and there appears to be no problem. I am not sure whether the problem will reappear when I restart, but it is almost 4.00 am now so I might restart and run malwarebytes and superantispyware again tomorrow.
    Thanks for your assistance,
    Nelson
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How about attaching the C:\mglogs.zip as requested? :)
     
  7. mrpoate

    mrpoate Private E-2

    Hey Kestrel
    Sorry for the late response, slept in really late today then had to give the doc a visit. Good news is that everything seems to be fixed, symantec works and all the boo boos seem gone. So your advice obviously did the trick, thanks heaps :)
    I ran the scans again anyway, and I've attached logs just in case there's still something lurking there that wasn't blatant. Problem seems fixed though, so whether you want to take the time to read the latest logs is your call.
    Anyway really appreciate the help,
    Nelson
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\FindRN.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
     
