Browser Redirect Virus/Malware help request

Status
Not open for further replies.

NotEnoughSand

Posts: 12   +0
Just completed the 8 step process and I'm still infected.

A brief history on how this came up and what I've tried so far:

At the conclusion of a download, I got the BSoD (0x24 NTFS stop). After some troubleshooting I found that the problem was a corrupt driver, and I renamed it to stop the problem. During this process, the infection (which I suspect was present, but dormant) became apparent, redirecting Google searches that I was running to troubleshoot the BSoD problem. The Google search returns results normally, but about 50% of the time clicking a resulting link opens a page different from the linked one. Once one result is redirected, it's closer to a 100% redirection rate.

I don't know the origin of the infection, but I suspect that the most likely source was a fake plug-in. I vaguely recall that some browser plug-ins I downloaded some months ago did not add any functionality; at the time I didn't think anything of it. I use Norton AV with firewall+autoprotect, and it performs scans at scheduled times and during idle time.

After the infection became active, I ran a full Norton AV scan, and 4 viruses were detected and cleaned (IDed by Norton as "CoreGuardAntivirus2009" "Trojan Horse" "Trojan.FakeAV", and "Packed.Generic.277"). The redirect problem persisted.

Once those viruses were detected and cleaned, a series of intrusion attempts began; Norton blocked and reported these. The attacks originated in the Netherlands and are targeting SVCHost and Acrobat. These attacks are mostly random, sometimes separated by 10 minutes, sometimes by a few hours. The attacks frequently occur after a reboot, suggesting that the infection is signaling the presence of this computer online to a remote source. SVCHost has generated error messages several times also.

Another problem has been popups from "Just in time Debugging." I looked into this and found that this program is related to Visual Studio, which is interesting because I never installed Visual Studio nor do any programming. I was able to disable this annoyance by logging onto the system in administrator mode and adjusting a setting somewhere (I forgot which). I also removed some OEM Visual Basic programs from the Add/Remove programs menu.

Since then, I've been running multiple scans, including the scanners recommended here, but they have detected nothing except tracking cookies. I have just finished the 8 step process and have verified that Google results are still redirecting.

Thanks in advance for any advice. Logs attached.
 

Attachments

  • mbam-log-2010-02-23 (12-28-26).txt (866 bytes)
  • hijackthis.log (9.8 KB)
  • SUPERAntiSpyware Scan Log - 02-23-2010 - 13-24-47.log (811 bytes)

Update:

I've looked through some other threads and noticed many users are being asked to run combofix. So I went ahead and did that, and, at least for now, it appears to have worked. Combofix detected and removed a few infected files, including rootkit activity. I just ran a few Google searches and I'm not getting redirected.

I'm attaching the log.

I'd also like to apologize if I wasn't supposed to post a thread without trying this first. I was using the 8-step process as the prereq to posting instead of a search. I would like to suggest, though, that if Combofix is something that can help most users, maybe it should be included in the 8-step process.

I'm still going to be on "re-flash watch" for a day or two. After that, unless otherwise informed, please close the thread and mark it resolved. Thank you.
 

Attachments

  • combofix_log.txt (27 KB)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\riaxnpwv.sys


Folder::

Driver::
riaxnpwv

Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
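An added example, not posted by anyone in this thread, of how to check the driver service the CFScript above targets before and after ComboFix runs. Only the service name riaxnpwv comes from the script; the function names, the path-resolution rules and the sweep logic are my own. The script reads the Services hive, resolves each kernel driver's ImagePath, and reports whether the binary exists and carries a valid Authenticode signature. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): verify a suspicious kernel driver
# service before/after the CFScript runs, and sweep all kernel driver services for
# binaries that are missing or carry no valid Authenticode signature.
# Only "riaxnpwv" comes from the thread; function names and logic are assumptions.

function Resolve-DriverImagePath {
    param([string]$ServiceName, [string]$ImagePath)
    $root = $env:SystemRoot
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # Kernel drivers with no ImagePath default to system32\drivers\<name>.sys
        return Join-Path $root "system32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.*)$') { return Join-Path $root $matches[1] }  # \SystemRoot\...
    if ($p -match '^\\\?\?\\(.*)$')        { return $matches[1] }                  # \??\C:\...
    if ($p -match '^[A-Za-z]:\\')          { return $p }                           # C:\...
    return Join-Path $root $p                                                      # relative: system32\drivers\x.sys
}

function Get-DriverServiceStatus {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $ServiceName; KeyExists = $false }
    }
    $props  = Get-ItemProperty -Path $key
    $file   = Resolve-DriverImagePath $ServiceName $props.ImagePath
    $exists = Test-Path -LiteralPath $file
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status.ToString() } else { 'n/a' }
    New-Object PSObject -Property @{
        Service    = $ServiceName
        KeyExists  = $true
        Type       = $props.Type    # 1 = kernel driver, 2 = file system driver
        Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath  = $file
        FileExists = $exists
        Signature  = $sig
    }
}

function Find-SuspiciousDrivers {
    # Every kernel/file-system driver whose binary is missing or not validly signed.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Type -eq 1 -or $p.Type -eq 2) {
            $s = Get-DriverServiceStatus -ServiceName $_.PSChildName
            if (-not $s.FileExists -or $s.Signature -ne 'Valid') { $s }
        }
    }
}

# Before the fix this should show the key and the file; after ComboFix both should be gone.
Get-DriverServiceStatus -ServiceName 'riaxnpwv' | Format-List
Find-SuspiciousDrivers | Format-Table Service, Start, FileExists, Signature, ImagePath -AutoSize
```

Two caveats when reading the output: an active rootkit can hide its service key and file from user-mode tools, so "KeyExists = False" before the fix is not proof of anything, which is why ComboFix uses its own scanner; and on Windows XP with PowerShell 2.0, Get-AuthenticodeSignature does not consult catalog signatures, so many legitimate Microsoft drivers show as NotSigned. Treat the Signature column as a prompt to look at the file (random eight-letter name, recent timestamp, no version info), not as a verdict.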
 
Thanks for the quick reply.

Here are the logs requested.
 

Attachments

  • Combofix_log2.txt (25.4 KB)
  • hijackthis.log (8.9 KB)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.

=======================================================================

Disable your antivirus program.
Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
This didn't quite work as expected. Kaspersky did not prompt me to install a scanner or give me an option to click Run. It did have commands available in the web window to use to update and scan, though.

I've run Scan---> My Computer. I'm currently running Scan---> Critical Areas. This may be a redundant search, or "Critical Areas" may include memory and registry areas that "My Computer" didn't, so I'm running both to be sure.

Kaspersky detected two infected files during the My Computer scan. It did not report that these files were cleaned, so I have manually deleted them.

Also, these scans have taken unexpectedly long.... >6 hours for the My Computer scan. Norton Auto-Protect was disabled for 5 hours and was back up and running for part of the scans (I turned it off again for another 5 hours when I saw that it was back on).
 

Attachments

  • kaspersky file log.txt (1.1 KB)

Here is the log from the Critical Areas scan (nothing detected).

The redirect issue hasn't been present since running Combofix (post #2).
 

Attachments

  • kaspersky critical log.txt (987 bytes)

Very good :)

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

=======================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

=======================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

nothing malicious to remove

4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
- O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
- O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
- O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
- O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
- O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
- O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
- O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
- O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
- O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
- O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
- O4 - Global Startup: Digital Line Detect.lnk = ?


5. Click on Fix checked button.

6. Restart computer.


When done...


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
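The O4 lines in the list above are values under the HKLM and HKCU Run keys plus shortcuts in the Startup folders; HijackThis's "Fix checked" deletes the autostart value, not the program it points at. As an added example that is not part of this thread, the PowerShell below lists those entries in the same form and removes a named one only after exporting its key to a .reg backup, so the change can be undone. The value name DLBUCATS comes from the log; the function names, backup folder and everything else are my assumptions.

```powershell
# Added example, not from the original thread. Lists Run-key / Startup-folder
# autostarts (the entries HijackThis reports as O4) and removes one by name after
# backing up its key with reg.exe. Function names and the backup folder are assumptions.

$script:PsProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    $runKeys = @(
        @{ Label = 'HKLM\..\Run';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
        @{ Label = 'HKLM\..\RunOnce'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Label = 'HKCU\..\Run';     Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
        @{ Label = 'HKCU\..\RunOnce'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k.Path)) { continue }
        $props = Get-ItemProperty -Path $k.Path
        foreach ($prop in $props.PSObject.Properties) {
            if ($script:PsProviderProps -contains $prop.Name) { continue }   # skip provider metadata
            New-Object PSObject -Property @{
                Location = $k.Label; Name = $prop.Name; Command = [string]$prop.Value; Key = $k.Path
            }
        }
    }
    # Startup folders: the per-user one from .NET, the all-users one from Explorer's Shell Folders key
    # (works on both XP and Vista paths without hard-coding them).
    $shell = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @(
        @{ Label = 'Startup';        Path = [Environment]::GetFolderPath('Startup') },
        @{ Label = 'Global Startup'; Path = $shell.'Common Startup' }
    )
    foreach ($f in $folders) {
        if (-not $f.Path -or -not (Test-Path $f.Path)) { continue }
        Get-ChildItem -Path $f.Path -Filter *.lnk | ForEach-Object {
            New-Object PSObject -Property @{ Location = $f.Label; Name = $_.Name; Command = $_.FullName; Key = $f.Path }
        }
    }
}

function Remove-RunEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Key,    # e.g. HKLM:\SOFTWARE\...\CurrentVersion\Run
        [Parameter(Mandatory = $true)][string]$Name,   # the value name, e.g. DLBUCATS
        [string]$BackupDir = (Join-Path $env:SystemDrive 'autostart-backup')
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    # reg.exe wants HKLM\... rather than HKLM:\...; export the whole key before touching it.
    $regKey   = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $safeName = $Name -replace '[^A-Za-z0-9_.-]', '_'
    $backup   = Join-Path $BackupDir ('{0}-{1}.reg' -f $safeName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regKey $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $regKey failed; nothing removed" }
    Remove-ItemProperty -Path $Key -Name $Name
    "Removed '$Name' from $Key (backup: $backup)"
}

Get-RunEntries | Format-Table Location, Name, Command -AutoSize
# Matching one of the O4 lines in the log above (uncomment to apply):
# Remove-RunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DLBUCATS'
```

Run it elevated so the HKLM export and removal succeed. To undo a removal, double-click the .reg file in the backup folder; it restores the whole key as it was at export time, so do one removal per backup if you want to restore entries individually.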
 