Solved Browser redirects are making me crazy!


lilmissytrishy

Okay, I have been lurking around here and other various boards for a few weeks now trying to fix my poor computer, but I am giving up and am begging for help!

Here's the deal, a few weeks ago my laptop was infected with the lovely "xp security tool 2010" and the "Copyright Violation Alert". I knew right away they were trojans and have successfully removed them from my other laptop in the past. I also thought I had removed these, until "Anti-Malware Doctor" raised its ugly head. I have tried EVERYTHING to get rid of it, and I can keep it at bay for a while, but then it shows back up. I have run Malwarebytes, deleted registry keys for it, tried to hunt down every .exe file it was hiding under to no avail... it shows up a few days later again and again. Also, I can barely do a Google search without getting browser redirects. I had to manually enter the web address for this forum because whatever it is on here wouldn't let me go here via Google.

Anyone able to help me? I follow directions pretty well :)

Thanks!
Tricia
 
Welcome to TechSpot, Tricia. I'll help with the malware. But I refer you to the preliminary virus and malware removal thread HERE.

When you have finished, include the logs in your next reply for review.

Don't run any other cleaning programs or scans while I'm helping you unless I instruct you to. Don't use a Registry cleaner or make any changes in the Registry.
 
Thanks Bobbye!

Here are the logs. I will have to post the Malwarebytes one in the morning as it will take around an hour and I need to go to bed! However, the last time I ran an MBAM log it came up clean, which is part of the frustration. I'm sure over the last couple of days I probably racked up some more crud due to the redirects, though.

I followed all of the other steps, and updated to java 20.

I will try and post the Malwarebytes scan before heading to work. Thanks again!

I also have hijack this installed if needed.
 

Attachments: DDS.txt (6.7 KB), GMER.log (7.5 KB)
Tricia, the logs indicate that you did some kind of Restore: 5/11/2010 7:08:02 PM - Restore Operation. This is not just a System Restore point. It's on the same date as the logs: what action was this and why? Was it to try and remove the "xp security tool 2010" which had been a problem for several weeks? There is very little activity shown in the logs so I need to know when you did the 'restore' and what you did.
==============================
If the redirects started after this, please do the following:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I will be setting up some script for you in the meantime. Please include the Combofix report, the Eset online scan log and the Malwarebytes log with your next reply.
 
Sorry, I didn't have time to post this before work, but here is my Malwarebytes log from last night. As suspected, it came up clean.
 

Attachments: mbam-log-2010-05-12 (00-23-50).txt (905 bytes)
For your next question: this weekend I really thought I had everything clean, so I created a restore point. Then yesterday the redirects started happening again so I did a restore when I got home from work hoping to get back the "clean" state I had before. I wasn't sure at that time if I re-picked up something new. After the restore didn't fix the problem I came crying to you guys for help! I did the restore around 6:30ish last night, I believe.

I will run combofix and Eset when I get home from work this evening.

Thanks!
 
Okay, I think I have everything you need. The malwarebytes log is above, but I think you've already viewed it.

Here are:

*Combofix log
*Eset log

Thanks again!
 

Attachments: combofixlog.txt (13.3 KB), eset log.txt (812 bytes)
Tricia, there are some deletions in Combofix that normally wouldn't be removed unless they were particularly addressed in script. They are:
  • c:\windows\system32\hkcmd .exe >> Intel's "extreme" graphics hot key interceptor.
  • c:\windows\system32\igfxtray .exe >> Intel(R) Graphics Accelerator Helper (www.processlibrary.com/directory/files/igfxtray/).
  • c:\windows\system32\nerocheck .exe >> Nero Driver Monitor.
  • c:\windows\system32\ctfmon .exe >> MS Office.
  • c:\windows\system32\rundll32 .exe >> responsible for running DLLs and placing its libraries in the memory.


While all but the last don't need to run in the background, they would not normally show up as deletions like this.

I don't know what you have done previously to clean the system, but I have some concern over what you have removed. Doing the System Restore was not a good idea. If all the logs were run after the restore, they will reflect the entries on the system after you did the previous 'cleaning'. But there aren't many files for me to go on.

You now have a Trojan.Agent/Gen. Possibly this was left from previous infections. Maybe that's the only problem now, so remove it:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\WINDOWS\system32\memchek.sys	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================
Post the log after and let me know how this works on the system.
 
Well, if you look at the file extensions on the .dll and .exe files, they appeared to be fake. I have the actual normal files still on the system. Those listed above have extra spaces in them so as to "appear" as the real thing. The real ones run just fine. I think whatever I had/have spoofed legit files to appear like the system is running normally. I don't even have Nero, it was uninstalled ages ago. There may be a system file lingering and I think the malware cloaked itself to appear like a harmless program. Those files were there before the system restore most definitely because I remember seeing them in the process tray. I attacked them many times but they always came back. Part of me thinks the trojan is a part of this.

I will do your fix as soon as I get home and see what happens.
 
You are correct and a bit sharper than I was. Those extra spaces indicate a Vundo infection. I would usually have to remove those with script. You have my apology that I missed those spaces! IF I had used the remove Vundo Command in the script, the deletions would have looked just like what Combofix is showing, but I couldn't find any indication that you had previously run Combofix and had anyone write the script.

Quote: "I don't even have nero, it was uninstalled ages ago."
So this is a bit confusing:
2010-05-12 00:08 . 2010-05-12 00:08 -------- d-----w- c:\program files\Nero

There was a lot of activity on 5/12: These and other installs:
c:\program files\Alwil Software
c:\program files\Java
c:\program files\Nero
c:\program files\DVD Shrink
c:\program files\Cucusoft
and this one:
c:\program files\Windows Installer Clean Up

I think you used the clean up utility to remove some programs instead of uninstalling them properly. So you have entries for both the originals and the infected files in the programs. And you did the restore which further confused the issue.

I'm checking on some other files; they may need to be removed also, but please don't use the Windows CleanUp Utility while we're doing this.
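The "extra spaces before .exe" trick discussed in the last two posts is easy to check for mechanically. The script below is an added example written for this thread, not a tool used by either poster: it flags file names whose stem is padded with whitespace before the extension and reports which legitimate binary each one mimics. The sample paths are constructed from the names quoted above, and the legit-name list is an assumption drawn from those same quotes.

```python
import os
import re
from pathlib import PureWindowsPath
from typing import Optional

# Legitimate binaries that the names in this thread impersonate (assumed list,
# built from the ComboFix deletions and the CFScript RenV:: entries above).
KNOWN_LEGIT = {
    "hkcmd.exe", "igfxtray.exe", "nerocheck.exe", "ctfmon.exe", "rundll32.exe",
    "apoint.exe", "jusched.exe", "mbam.exe", "msconfig.exe",
}

# A stem, then one or more whitespace characters, then ".exe"/".dll"/".sys".
# "hkcmd.exe" does not match (no padding); "hkcmd .exe" and "mbam  .exe" do.
SPACED_NAME = re.compile(r"^(?P<stem>.*?)(?P<pad>\s+)\.(?P<ext>exe|dll|sys)$",
                         re.IGNORECASE)


def classify(path: str) -> Optional[dict]:
    """Return a finding for a padded name, or None if the name is normal."""
    name = PureWindowsPath(path).name          # only the file name, not the dirs
    m = SPACED_NAME.match(name)
    if not m:
        return None
    collapsed = (m.group("stem") + "." + m.group("ext")).lower()
    return {
        "path": path,
        "collapsed": collapsed,                # what the name looks like at a glance
        "padding": len(m.group("pad")),        # how many spaces were inserted
        "impersonates_known": collapsed in KNOWN_LEGIT,
    }


def scan(paths):
    """Classify a list of paths and keep only the suspicious ones."""
    return [f for f in (classify(p) for p in paths) if f is not None]


def scan_directory(root):
    """Walk a real directory tree (e.g. C:\\WINDOWS\\system32) and collect hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(f for f in (classify(os.path.join(dirpath, fn)) for fn in files) if f)
    return hits


# Constructed sample input, taken from the names quoted in this thread.
SAMPLE_PATHS = [
    r"c:\windows\system32\hkcmd .exe",
    r"c:\windows\system32\hkcmd.exe",                     # the real one: not flagged
    r"c:\program files\Malwarebytes' Anti-Malware\mbam  .exe",
    r"c:\docume~1\tricia\locals~1\temp\twel76ztxa    .exe",
    r"c:\windows\system32\rundll32.exe",                  # the real one: not flagged
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        kind = "impersonates known binary" if hit["impersonates_known"] else "unknown name"
        print(f'{hit["path"]!r}: {hit["padding"]} space(s) before extension, {kind}')
```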
 
Should I still go ahead and run the fixes from your previous post?


I am also confused on the Nero thing... I'm not sure why that's showing up. As for the Windows clean up utility, I ran that because a previous board I visited suggested removing Java and reinstalling it. The problem was Java wouldn't uninstall the traditional way (it kept saying access denied) and so I tried uninstalling Adobe, too, with the same problem. The board suggested I use the clean up utility to get those uninstalled. I promise not to use it again :) I have been pulling my hair out trying to get this fixed. I did uninstall DVD Shrink and the Cucusoft program because I no longer used them and figured the less on my computer, the better. The Alwil Software is the Avast program that I installed.

I haven't done anything just yet, I will wait and see what your response is first. The weirder part is the redirects haven't happened in 2 days. Could just be a fluke.


Thanks so much Bobbye!
 
No problem- I knew you had it! Guess we're even now since I missed the spaces!
Just run OTMoveIt in Post 9. Ignore the rest of it. I've asked someone about additional suspect entries in Combofix and I want to get it all together first.

As for 'access denied', that can be a permissions issue. Uninstalling/reinstalling isn't going to fix it. The policy has to be fixed.

So- you were on another board getting help. And I'll bet someone wrote script for a Combofix report. It doesn't work very well when you seek and take instructions from different boards. It confuses all of the issues.
 
Very true... but the good news is I was there before I came here... and I actually didn't run Combofix prior to coming here, so anything I messed up was solely my fault. So I didn't cheat on you :)

Okay, going to run OTMoveIt now.
 

Attachments: 05142010_204202.log (3.6 KB)
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\memchek.sys
Folder::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

RenV::
c:\program files\Apoint\apoint .exe
c:\program files\Java\jre1.6.0_07\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\documents and settings\tricia\application data\754be038e2e7f8bfd809e16da26f4e32\newupdate1142c .exe 
c:\docume~1\tricia\locals~1\temp\twel76ztxa    .exe 

Driver::
wywfbu
memchek
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
I'll check this log and see if there are any more entries. I may have to remove a few more.
 
Thanks for correcting the spelling error in the thread title...that was ALSO driving me crazy, but I couldn't fix it :)

Okay, so I ran combofix. Here's the log.

Thanks!
 

Attachments: combofix2.txt (10.7 KB)
How is the system working for you? It looks clean on my end. Any more redirects?

I'd like you to run HijackThis to make sure there are no entries that need to be stopped. When that's finished, I'll have you remove the cleaning tools and old restore points.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Actually there are 4 trojans :( I ran ESET again (without fixes) just to see. I know you didn't ask me to, but I just had to see if that Trojan was gone. I attached the log.

BUT, there have been no redirects in days that I have noticed....so that's a plus.
I will run Hijack this now!


Just noticed that 1 Trojan (the one we detected earlier) is in OTM....will that one be eliminated when I uninstall OTM?
 

Attachments: eset log 2.txt (1.2 KB)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:37:02 PM, on 5/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3129 bytes
 
You keep getting yourself all worked up doing things I didn't tell you to do!

Quote: "actually there are 4 trojans I ran ESET again (without fixes) just to see"
About the Eset results:
  • One file has been moved in OTMoveIt.
  • Three files are in System Volume: this is the system restore points. The malware is not active in the system and I'll have you drop the old restore points when we finish. Please do not use System Restore until this has been done.

There is no new malware showing in the Eset scan.

There are no entries in the HijackThis log to be removed. If the original redirect problem has been resolved:
Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted:
  • Click START > then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]

Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name > click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Your system is clean!
 
You're very welcome! Slapping wrist is not necessary. :D I'll close this thread now but please let me know if you need help in the future.
 