TechSpot

Trojan.Fake & browser redirect

By Eugenesec
Feb 10, 2010
  1. Yesterday when we started our system, ESET NOD32 (paid) found "Trojan.Fake" and presumably deleted it. We ran Malwarebytes and it found several other versions, which were deleted. Thought it was gone. However now with both Explorer and Firefox, we are getting constantly re-directed from numerous websites. We do run an anti-virus - NOD32. We have a hardware firewall. We have no file sharing programs. I have run Malwarebytes again and found nothing. I have run a full system scan with NOD32 and found nothing. I have run Trojan Remover and found nothing. I have run Superantispyware and found nothing. Logs from Malwarebytes, HijackThis, and Superantispyware are attached. Can someone help me stop the redirecting?
     


  2. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Re-run HJT and checkmark all four O17 entries.
    Click "Fix checked" button.

    Restart computer.

    Still redirecting?
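The O17 entries Broni asks to fix are the HijackThis lines that show which DNS servers and domain suffixes Windows has been told to use; a rogue resolver there is exactly what produces browser redirects in every browser. As an added example (not from the thread or its attached logs), this Python checker parses such lines from a HijackThis log and flags resolvers that are neither on your own allowlist nor on the LAN. The sample log lines, the interface GUIDs and the 192.0.2.x addresses are constructed.

```python
import ipaddress
import re

# HijackThis lists DNS values under the Tcpip key as "O17" lines, one per control
# set (CCS, CS1, ...) and interface GUID, so a rogue resolver shows up several times.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+):\s*"
    r"(?P<name>NameServer|Domain|SearchList)\s*=\s*(?P<value>.+?)\s*$"
)
# RFC 1918 ranges: a resolver here is normally the office or home router.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY = {"trusted": 0, "lan": 1, "malformed": 2, "suspicious": 3}

# Constructed sample log (not the thread's attachment). 192.0.2.x is the
# RFC 5737 documentation range, standing in for an unknown public resolver.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /wait
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A2B3C4D-0000-0000-0000-000000000001}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A2B3C4D-0000-0000-0000-000000000001}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.invalid
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A2B3C4D-0000-0000-0000-000000000002}: NameServer = 192.168.1.1
"""

def parse_o17(log_text):
    """Return every O17 line as a dict: registry key, value name, list of values."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            values = [v.strip() for v in m.group("value").split(",") if v.strip()]
            entries.append({"key": m.group("key"), "name": m.group("name"),
                            "values": values})
    return entries

def classify_server(ip_text, trusted):
    """Rate one NameServer address against an allowlist of resolvers you know."""
    if ip_text in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if any(ip in net for net in LAN_NETS):
        return "lan"          # plausible router; still confirm it is yours
    return "suspicious"       # public resolver nobody configured on purpose

def audit_o17(log_text, trusted_servers, expected_domains=()):
    """Attach a per-value rating and an overall verdict to every O17 entry."""
    findings = []
    for entry in parse_o17(log_text):
        if entry["name"] == "NameServer":
            ratings = [classify_server(v, trusted_servers) for v in entry["values"]]
        else:  # Domain / SearchList: any suffix outside the expected set is odd
            ratings = ["trusted" if v.lower() in expected_domains else "suspicious"
                       for v in entry["values"]]
        entry["ratings"] = dict(zip(entry["values"], ratings))
        entry["verdict"] = max(ratings, key=SEVERITY.get, default="trusted")
        findings.append(entry)
    return findings

def rogue_servers(findings):
    """Unique resolver addresses to remove, collected across all control sets."""
    return sorted({v for f in findings if f["name"] == "NameServer"
                   for v, r in f["ratings"].items() if r == "suspicious"})
```

Calling `audit_o17(SAMPLE_LOG, {"192.168.1.1"}, {"example.invalid"})` rates the two 192.0.2.x lines suspicious and the router and domain lines trusted; `rogue_servers` then lists the addresses that must be removed from every control set, which is why all O17 lines get checked rather than just one.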
     
  3. Eugenesec

    Eugenesec TS Rookie Topic Starter Posts: 18

    I think that fixed it. I did run a couple of other removal programs before this morning so today's HJT only had 2 O17 lines, which I removed. I then checked for redirects and the browsers appear to be working fine. Thank you!! Do I assume that the NOD32 removal or Malwarebytes removal removed the program that caused the registry entries in the first place and this HJT fix completed the repair? Or do I need to worry that something is still there that will come back to bite (byte?) me? Thanks for your help.
     
  4. Broni


    I'd like to make sure your computer is totally clean, so...

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Eugenesec


    Guess I'll have to wait until tonight or Sat afternoon to do this. ComboFix is an "unfriendly" program, albeit very informational. It takes a very long time to run and there is very little clue that it IS running.
    When I ran it two days ago it eventually ran and that is the log I originally attached. This AM I could not get it to the point of saying that the recovery console was not installed. Unfortunately this computer is a "real time" account processor and I have to close down account processing while trying to run the program, and I can't do that for long periods of time. So I have attached another HJT run today, and another copy of the older Combofix log. When I get a new Combofix run, I'll repost.
     


  6. Broni


    I'll wait for your fresh Combofix log then...
     
  7. Eugenesec


    I'm unable to get Combofix to run. I've tried four times this evening. I've shut virtually all software down, killed all the AVs and Spyware products, downloaded the latest version, and run the program. One of the 4 times it aborted and said I didn't have the right OS. I'm running WIN XP. The other times as soon as it starts, the CPU usage pegs at 100%. I get the green bar on the screen and Task Manager does show Combofix as a process, but with zero CPU. System is pegged at 100%. After a LONG while, the green bar disappears, Task Manager shuts down (I started it to monitor what was happening) and CPU returns to nominal usage. No log file appears at C:\. I have no clue why it isn't working since I did manage to get it to work a couple of days ago.
     
  8. Broni


    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run Combofix.
     
  9. Eugenesec


    Still Problems

    I was able to DL and run Rkill.exe and then immediately ran Combofix. The first time it simply quit after a while with no log file. Ran it again. This time it eventually aborted and said that the Combofix file was compromised and that I might be infected with the Virut virus. It also deleted Combofix. I loaded Combofix on a thumb drive on another system, and ran it on the affected system from the thumb drive. It too eventually said the file was compromised. I don't recall if I got the Virut message this time. It deleted Combofix off the thumb drive. As an aside, I have been totally unable to find a site where I can download ResetTeaTimer.zip. They are all 404 errors or can't find the site. At the moment I'm running Malwarebytes again and will run HJT again, and attach both.
     


  10. Broni


    Upload the following files to http://www.virustotal.com/ for a security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post the scan results.
     
  11. Eugenesec


    While waiting for a response on my uploads of those three files, I downloaded and ran Dr. Web's CureIt program. It found the virus BackDoor.Tdss.565 in iaStor.sys, as well as another virus in the install file for Stopzilla, both of which it deleted. It was necessary for me to restore from the last correctly running version to get Windows working again as it would not start without iastor.sys. I then ran CureIt again, and it found no viruses. I have not yet received the responses on the three uploaded files, nor have I tried Combofix again, nor have I run the full version of CureIt yet - all of which I'll try tomorrow. Interesting that Nod32 and Malwarebytes could not see these trojans.
     
  12. Broni


    This is what happens when you don't follow instructions and you do things on your own.
    iastor.sys is your hard drive controller driver and you can't simply remove it.
    More or less, you wasted a lot of your and my time, because we have to start all over.
    Earlier, I said:
    TDSS is a rootkit and regular security programs won't see it, nor will Dr.Web cure it.

    So, let's start over....

    Delete your Combofix file.

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. Eugenesec


    Delete your Combofix file.

    Done. In fact I deleted and downloaded new versions of HJT, Malwarebytes, as well.


    Please download ComboFix from Here or Here to your Desktop.

    Done

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    Done



    • Please, never rename Combofix unless instructed.
    • Close any open browsers.


    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    Done, although I had to uninstall Spybot Search & Destroy because I found no way to remove Teatimer

    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.

    It asked and I did.


    NOTE 2. If Combofix asks you to update the program, always do so.

    It did, and I did

    • Close any open browsers.


    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.

    I started Combofix at 3:37 pm. It finished scanning at 3:45 and said it was preparing a report. I presume it totally froze the system because at 4:45 I had to reboot the whole system with a hard reboot. There was no C:\ComboFix.txt


    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    The HJT log is attached.


    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    The computer was not touched in any way for one solid hour.

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Nothing has been done other than what is stated here.
     


  14. Broni


    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  15. Eugenesec


    DONE - attached
     


  16. Eugenesec


    Scan of 3 files

    I had also submitted those three files for analysis - explorer.exe (zip), userinit.exe (zip) and svchost.exe (zip), that you requested. All three came back clean. I did not see a way to generate a log file from the reports. I scanned the report pages and zipped them to a single file but it's 647 kb, too large to attach.
     
  17. Broni


    Good :)

    Delete your Combofix file, download a fresh one, but BEFORE saving it to your desktop, rename the file from combofix.exe to broni.com.
    Double click on broni.com to run Combofix.
     
  18. Eugenesec


    Before doing the reload of combofix->broni.com, I uninstalled Adaware and Superantispyware, and had previously uninstalled Spybot S&D, just to make sure they were not interfering with this process. I then disabled NOD32. Only then did I delete the old Combofix, downloaded a new version to Downloads, renamed it to broni.com and moved it to the desktop. The program ran immediately and was completed within about 15 minutes. Attached is the combofix log and another HJT log.
     


  19. Broni


    Superantispyware is a fine program, which will not interfere with Combofix.
    Reinstall it at your convenience.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  20. Eugenesec


    Major Failure! Created the script and merged with Broni.com. Process started to run and then said there was an update to Combofix available. In the absence of knowing precisely what to do, I stopped the process, deleted combofix (Broni.com), downloaded a new version from your hyperlink above, renamed it Broni.com in the downloads directory, and moved it back to the desktop. I then merged the script and the program started. It ran and got to pause before generating report. I then had a full System Crash with memory dump! I reported it in the automatic notice to Microsoft who said it was a driver problem and wanted me to go to system updates. I did NOT do this for this reason. This computer is part of a two computer LAN that operates the real-time gate security and accounting/rental process for a storage company. When it is down, we are not in business. Last year a Microsoft update disabled the communications between the two computers. This one - the one we're working on - has the master programs which the other computer accesses via the LAN. So the bad update caused the second system to be unable to process any of our business functions. A computer company called in to fix the problem, removed the offending MS updates and suggested we no longer update the system. So we have not used MS update for at least a year, including all of their security updates. IF I enable updates again and it puts in the problem update, we will have the same problem again which cost me over $1000 to fix the last time. I don't have a problem with specific driver updates if I know what needs to be replaced, but I can't risk the full system updates for the last year.
     
  21. Eugenesec


    Here is the HJT log.
     


  22. Broni


    Couple of things...
    By not keeping Windows updates current, you expose your computer to serious security risks.
    The current infection is probably the best example of it.
    Then, since the computer is part of an important network, an image of the hard drive should have been created and updated daily. Having that, you would have saved yourself a lot of trouble and 1000 bucks.

    Now, I suggest you re-try Combofix one more time and hope for the best.
     
  23. Eugenesec


    I understand your logic regarding updates. However Microsoft has more than once put out updates that caused significant problems for many users. Even this week another such incident is being discussed on the web. The techs that worked on our system said that this was the best option to protect against this type of failure - and it has worked for more than a year. Wrong choice? Possibly - depending on what bug I have and whether or not MS updates would have prevented it. It was, however, the choice given to me by our paid technicians that were the best I could find in our small town. Our accounting software vendor confirmed that choice. The problem we faced before was a loss of communication between our two computers. The "slave" could not interact with the main computer because of some sort of problem with remote drive mapping - a problem caused by a Microsoft update.

    As far as the image backups are concerned you are making an incorrect assumption. Our accounting software backs itself up every evening so there is always data backed up to yesterday on a separate file. We backup an image of the whole main system drive every night at 4:00 am to a USB drive. Every Saturday we swap the USB backup for ANOTHER USB backup and use that one for a week. So I have about 10 days each of full image backups using ACRONIS software on two 150 GB drives, aside from our main system drive. We do this until the drives fill up and then we'll delete the files on one backup to start over, and delete the files on the other system the following week. Although this provides a good total backup concept, it is not without problems. As I said before, this is a live, real-time system. It runs 24 hrs/day operating the security systems, and handles the accounting 11 hrs/day. IF I reinstall an image, then I have to re-enter all data manually that took place since the image I used to fix the system. That is a very large and complex task particularly since we must also "disconnect" our accounting from our credit card systems to avoid double charges. The remote system also has a USB backup protocol.

    And then there is the issue of how far back we got infected. Was it last Saturday, Sunday, Monday? I don't know. Since NOD32 did detect one problem, but not the rest, who is to say. My ONLY reasonable option at the moment is to try and identify the specific issue and fix it, rather than a full system delete, format, and reload.

    As far as your last guidance - you did not say whether or not to put the script in again, so I'll try it without first, and with it, second.
     
  24. Broni


    Yes, try it with the script, please.
     
  25. Eugenesec


    I again downloaded the latest Combofix and renamed it. And again created the script. Disabled NOD32. Ran the program. It ran. Attached is the combofix report and HJT.
     

