Multiple instances of iexplorer and redirecting while clicking on links

Status
Not open for further replies.

VMurali

There are multiple instances of iexplore.exe in my task manager, and whenever I click on the search links from Google it redirects me to a random site. Clicking the back button a couple of times brings back the original page. Can someone please help? Do I have to run HijackThis, or do I have to follow those 8 steps before posting? I'm new to this forum.
 
Welcome to TechSpot, VMurali. I'll help with the malware.

First, if you have IE8, it is normal to see multiple processes for iexplore.exe running.

We have preliminary steps we'd like you to follow, then leave the logs for us to review. You will find the steps, the links and the directions HERE.

Please do not run any other cleaning program or scan while I am helping you, unless I ask you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Attaching the logs as mentioned in the thread. Please advise on how to proceed. Thank you very much for looking into this.

Murali
 

Attachments

  • mbam-log-2010-04-29 (23-24-20).txt
    833 bytes · Views: 2
  • GMER.log
    10.9 KB · Views: 2
  • DDS.txt
    14.9 KB · Views: 1
  • Attach.txt
    12.6 KB · Views: 2
You're running 3 antivirus programs: a-squared, Avira and BitDefender. Please remove 2 of them.
========================
Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
====================
Please download HijackThis from here.


  • Save it to a permanent folder (such as C:\HJT).
  • Next, open HijackThis, and select Do a system scan and save a logfile.
  • A Notepad document will open. Please paste the log in the next reply.
 
Hi,
Attaching the ComboFix log, and following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:28:12 PM, on 5/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://75.17.247.79/img/LinksysViewer.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://remoteoffice.genworth.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remoteoffice.genworth.com/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6212 bytes
 

Attachments

  • ComboFix.txt
    25 KB · Views: 1
  • hijackthis.log
    6.1 KB · Views: 0
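The helper reads the HijackThis log above by hand; as an added example (not from this thread or from Trend Micro's tool), here is a small Python parser that pulls the entries out of a constructed log in the same format and flags the ones a responder checks first: O23 services whose binary is missing or that have no publisher, and O16 Downloaded Program Files ActiveX controls fetched from a bare IP address. Note that HijackThis lists user-mode autostart entries only, which is why the thread follows it with TDSSKiller for rootkit entries.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format (a few lines shaped like the
# thread's log, not the full posted log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://75.17.247.79/img/LinksysViewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")   # "O23 - Service: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")      # {8-4-4-4-12} GUID in braces
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_hjt(text):
    """Return (section_code, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review(entries):
    """Flag entries a responder looks at first; returns (code, reason, detail)."""
    findings = []
    for code, body in entries:
        if code == "O23":
            # Half-removed products leave services pointing at deleted binaries.
            if body.endswith("(file missing)"):
                findings.append((code, "service binary missing", body))
            elif " - Unknown owner - " in body:
                findings.append((code, "service has no publisher", body))
        elif code == "O16":
            # Downloaded Program Files: the last " - " field is the source URL
            # (or a local path, which urlparse gives no hostname for).
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if IPV4_RE.match(host):
                findings.append((code, "ActiveX control from IP-literal host", url))
    return findings

def clsids(entries, codes=("O2", "O3", "O16")):
    """Collect CLSIDs of BHOs, toolbars and DPF controls for vendor lookup."""
    return sorted({m.group(0).upper() for c, b in entries if c in codes for m in CLSID_RE.finditer(b)})

if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for f in review(ents):
        print(*f, sep=" | ")
    print("CLSIDs to look up:", clsids(ents))
```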
Please run this first:

Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\DRIVERS\motccgp.sys 
c:\windows\system32\DRIVERS\motccgpfl.sys
c:\windows\system32\DRIVERS\motport.sys
C:\trjsetup681.exe
C:\OriginalReg.reg
c:\windows\system32\rezumatenoi.dat
c:\documents and settings\NewName

Folder::
C:\pcwords2.dat
C:\pcwords.dat
c:\documents and settings\All Users\Application Data\TEMP
C:\Cache
C:\spoolerlogs
 
Registry::
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\.Default\Software\SetID\Internal]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76c81ddb-435c-4a1c-ba3e-4e96c1ecba76}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

Driver::
motccgp
motccgpfl
motport
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then to make sure all Rootkit entries were found and removed:

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
2663_5.jpg

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
TDSSKillerResults.jpg

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.

Please post both logs in next reply.
 
Hi,
Attaching the Combofix.txt and report.txt.
 

Attachments

  • ComboFix.txt
    21.9 KB · Views: 1
  • report.txt
    44.8 KB · Views: 1
Which antivirus program did you keep? Did you remember to enable it again after running Combofix?

Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\scsichk.sys
c:\program files\peerblock\pbfilter.sys
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\windows\system32\DRIVERS\motport.sys

Folder::

Registry::

Driver::
trrxtiav
scsichk
pbfilter
GoogleDesktopManager-093007-112848
motport
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then run this online scan: Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Follow with new scan with HijackThis. If all are okay and the problems have resolved, I'll have you remove the cleaning tools and old restore points.

Please leave all logs.
 
Sorry, the antivirus pgm was not running at that time. I have installed Avast and it is running now. Attaching the logs.

Thank You.
 

Attachments

  • log.txt
    3.2 KB · Views: 1
  • ComboFix.txt
    23.4 KB · Views: 1
  • hijackthis.log
    6.8 KB · Views: 1
You need to get the antivirus protection cleared up. You should only run one antivirus program. BitDefender AV has been on the system all along. If it is current and working with updating, you don't need another antivirus. A firewall would be good, but not another AV! There were 3 on the system previously: a-squared, Avira and BitDefender. Now you have Avast and BitDefender. Please get it down to only one current, updating antivirus program. I asked "Which antivirus program did you keep?" so that if I saw entries remaining from the other programs, I could have you remove them.

I checked the HijackThis log and found entries for McAfee and Avast. Combofix shows BitDefender and Avast.
I see the Java updater and the Java QuickStart Service, but I don't see Java running. I'm going to have you remove the cleaning tools and then suggest some maintenance.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

===================================
It would be helpful to your system to do the following:
  • Disc Cleanup
  • Error Checking
  • Defrag
Access all > My Computer> Right click on Local Drive (C)> Properties> in this order

  • [1] Click on Disc Cleanup
  • [2] Then Tools> Error Check> check both boxes on screen that comes up> OK> Reboot and let complete.
  • [3] Then Tools> Defrag.

Empty the Recycle Bin
 
Hi Bobbye,
Once again, thank you very much for your time on resolving my issue. You guys are doing a great job. If not for you guys I would have formatted my hard drive. One last thing: even though I removed BitDefender and McAfee (through Add/Remove Programs), they still show up (from your previous post). Is there a way to remove them permanently?

Also, please let me know if I could be of any help in this forum (going through logs or something; of course I need some guidance from you guys :)

-Murali
 
You're welcome. Glad to help.
You might want to just follow the logs and the programs that are used. Malware removal can be a tough job! The more you know, the better prepared you are to handle the 'stuff' that's coming out. If you think you'd be interested, check out some of the online forums that have online malware training> Bleepingcomputer, Geekstogo to name a couple.

Here are some tools that will help you remove the remaining entries:
McAfee Removal

BitDefender Uninstall Tool
For Internet Explorer:
poza%202%20JPEG40.jpg

For Firefox:
poza%202b%20JPEG40.jpg

  1. After the download completes, go to the location where you downloaded it and run (double-click) it;
  2. After a couple of moments the uninstall tool interface will appear;
  3. Click Uninstall;
  4. Wait for the tool to display the completion message and then restart your computer.

Let me know if you need more help.
 