Whitesmoke & Firefox "Jump"

Discussion in 'Malware Help (A Specialist Will Reply)' started by Miss M, Feb 16, 2011.

  1. Miss M

    Miss M Private E-2

    Hi, I have a friend with whom I have worked to get her more internet-savvy and secure. She's getting better. We changed the security on her computer recently, from TrendMicro Titanium (which I learned protects against only new threats -- if it's over 3 months old, they don't protect against it anymore) to Avast and Online Armor.

    Unfortunately, before we ditched the TrendMicro, she got an infection, which we removed with help from our friends here at MajorGeeks! She's managed to get another infection, though, which baffles me a bit. I know how Avast goes nuts when it detects malware. And Online Armor has always served me well, blocking stuff it doesn't recognize. I'm wondering if something may have sneaked by the last disinfection, or if they clicked "allow" on something they shouldn't have. :confused

    Anyway, she noticed that her computer suddenly slowed down a couple of weeks ago, and Firefox was redirecting with this "jump" thing. She'd go to a website, click on a link, and it would "jump" to some site that was trying to sell her something. In looking through her computer, we discovered something called Whitesmoke translator.

    She was having enough trouble that we tried System Restore a couple of times, eventually ending up at a point two weeks prior. This returned her computer to normal speed, but I had a feeling that Whitesmoke was still lurking somewhere in there. The "jump" thing remained, and a few days later Online Armor put up a warning about Whitesmoke. She blocked it, and we went into the settings and blocked all the Whitesmoke stuff we found. We were both very busy, and so left it at that for several days.

    We finally got to run the Read & Run over the span of a week or so, a little at a time.

    As we went through Add & Remove Programs, she found "coupon printer for windows", which she had not installed. We did not remove it at the time, but only because it wasn't in the list of malware.

    Another couple of things that she found on her drive were "grep.cfxxe" and "pev.cfxxe". I was not able to find out what these were.

    When she ran ComboFix, it got to the end, gave no log file, and deleted several of her desktop icons (including her Avast link) and her Avast tray icon. She did a search, and did not locate a ComboFix log.

    She has 64-bit Windows 7, so we did not download RootRepeal.

    When she ran MGTools, she got a message saying "the program 'SteelWerX WhoAmI' stopped responding and had to close." She followed the instructions not to click "cancel", but to wait and click on "close program".

    So here are the three logs I do have! Thank you in advance for helping us!! :)
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still have items from Trend Micro on your system. So let's remove them and a few other things.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. Miss M

    Miss M Private E-2

    Thank you very much, TimW, for helping us with the Trend Micro! I meant to ask you if there was anything we could do about it!

    We did all that you asked, except after the computer rebooted, we forgot at first to turn off the security again before running getlogs.bat. We took care of it quickly, before it got too far in. Hopefully it was okay.

    Unfortunately, like ComboFix, Avenger gave us no log. Looked where it was supposed to be saved, still no log. Did a search, no log. While looking for it, she did find a ComboFix folder with a log in it, but I don't think it's the log you would have wanted. I'm attaching it anyway, even though it's from a couple of days ago, just in case. :confused

    I have no idea what happened to the Avenger log, and without it I'm not sure it completed its task. It did ask to reboot the computer.

    The computer is still doing the Firefox "jump" thing... she'll click on a link, and it will begin to load, and then it will redirect.

    She is also now getting popups saying, "you won this!" and such. She closes them from the Task Manager.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it doesn't look like Avenger ran properly. However, since you have Combo on your desktop, let's see if we can get it to work.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    SecCenter::
    {68F968AC-2AA0-091D-848C-803E83E35902}
    {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
    
    Driver::
    Trend Micro Solution Platform
    
    AtJob::
    
    File::
    C:\Windows\System32\drivers\jauviu.sys
    C:\Windows\SysWOW64\drivers\jauviu.sys
    
    Folder::
    C:\ProgramData\Trend Micro
    C:\Program Files\Trend Micro
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Trend Micro Client Framework"=-
    "Trend Micro Titanium"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
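An added, read-only check (not from this thread, MajorGeeks or ComboFix itself) for confirming after the CFScript run above that the Run values, BHO CLSID, driver files, folders and driver entry the script lists are actually gone. It assumes only the names and paths that appear in the script and removes nothing; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Read-only audit of the items targeted by the CFScript in this thread.
# Assumed names/paths are copied from that script; nothing here deletes anything.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('Trend Micro Client Framework', 'Trend Micro Titanium')
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}'
$driverName = 'Trend Micro Solution Platform'
$paths = @(
    'C:\Windows\System32\drivers\jauviu.sys',
    'C:\Windows\SysWOW64\drivers\jauviu.sys',
    'C:\ProgramData\Trend Micro',
    'C:\Program Files\Trend Micro'
)

$findings = @()

# Autostart entries under HKLM\...\Run that the script sets to "=-" (delete)
foreach ($name in $runValues) {
    $v = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($v) {
        $findings += New-Object PSObject -Property @{ Kind = 'RunValue'; Item = $name; Detail = $v.$name }
    }
}

# Browser Helper Object registration the script deletes wholesale
if (Test-Path -LiteralPath $bhoKey) {
    $findings += New-Object PSObject -Property @{ Kind = 'BHO'; Item = $bhoKey; Detail = 'key still present' }
}

# Driver files and leftover Trend Micro folders
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $stamp = (Get-Item -LiteralPath $p -Force).LastWriteTime
        $findings += New-Object PSObject -Property @{ Kind = 'Path'; Item = $p; Detail = "last written $stamp" }
    }
}

# Driver/service entry named in the Driver:: section (matched by name or display name)
$drv = Get-WmiObject Win32_SystemDriver | Where-Object { $_.Name -eq $driverName -or $_.DisplayName -eq $driverName }
if ($drv) {
    $findings += New-Object PSObject -Property @{ Kind = 'Driver'; Item = $drv.Name; Detail = "state $($drv.State), path $($drv.PathName)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the items listed in the CFScript remain on this system.'
} else {
    $findings | Select-Object Kind, Item, Detail | Format-Table -AutoSize
}
```

Any row still reported after the reboot means the script did not get to that item, which is worth stating in the follow-up post alongside the logs.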
  5. Miss M

    Miss M Private E-2

    Hi, TimW! Sorry it took me so long to get back. Today's the first day I could breathe, I've been so busy!

    We did the cfscript.txt thing, and ComboFix updated itself and ran, but again, it produced no log. She looked for it a couple of times in c:\.

    TDSSkiller did find something, so that log and the MGlogs.zip are attached.

    Her Online Armor came up and said it had automatically blocked some things, and it wanted her to take a look at them and decide what it should do with them in the future. I really can't find out what they are:

    pev.cfxxe
    sed.cfxxe
    grep.cfxxe
    swreg.cfxxe

    Are these things that should be blocked?

    She went to bed right after she sent me the logs, so I can't tell you yet how her computer is running now. Sorry I forgot to get her to try some stuff. :-o
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, she should not be blocking those items as they relate to Combo. However, we still need to do a few things.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...

    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * MBRCheck log
    * C:\Avenger.txt
    * C:\MGlogs.zip
     
