Browser redirect virus - check after 8 step cleanup

Status
Not open for further replies.

Milfoil

Posts: 11   +0
Browser redirect virus - 8 step cleanup done but still redirecting!

Hi there.

I downloaded what looked like bona-fide software but the link must have redirected and instead I got a nice virus package.

Have gone through the 8 step clean up procedure (thank you so much for having such excellent information here).

Here are the 3 logs you request and I just wonder if someone can have a look to see if all looks ok now (it's all Greek to me!) since I still seem to be getting redirected and would like a 2nd opinion if it's not too much trouble.
 

Attachments

  • mbam-log-2010-02-02 (14-59-10).txt
    1.6 KB · Views: 3
  • SAS Scan Log - 02-02-2010 - 16-43-07.txt
    29.9 KB · Views: 3
  • Hijackthis after cleanup 2-2-10.txt
    9.2 KB · Views: 3
Update

Ok, after reading other threads about the same sorts of problems, I downloaded Hitman Pro 3.5.4 and it found something and removed it. Since Hitman pro doesn't give a log, I can't see what was removed but here is another Hijackthis log after Hitman Pro.

Browser seems ok now after a couple of tries - but would someone mind taking a quick look at the log to see if it looks ok?

Thanks in advance.
 

Attachments

  • hijackthis after Hitman 2-2-10.txt
    8.9 KB · Views: 2
Hitman is not a program that I recommend.

It appears that you don't do any maintenance on the system like disc cleanup. Please do this to get control of the tracking Cookies:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

Please uninstall the HijackThis Beta you have used. Then install and scan with the version found HERE.

Attach the new log. There are some questionable entries but I can't rely on a Beta version.

The directions given were: Make sure you use the version on the link HERE (and NOT a BETA version)
 
Thank you

Ok, Did what you suggested, changed the cookie settings on both IE and Firefox, did a disc cleanup, downloaded suggested addons, uninstalled beta Hijackthis, downloaded Hijackthis 2 from your link (sorry about that - yesterday was a long day!) and restarted. Ran the HJT on startup and the log is below.

Is there a particular reason you don't recommend the Hitman program? It certainly seemed to find and clear the offending problem.

Edit: I've also just downloaded the Comodo Firewall to replace the pre-installed Windows one. That won't show on the log below.
 

Attachments

  • hijackthis 03-02-10.txt
    8.5 KB · Views: 2
Your server is showing as located in the Ukraine:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.187,93.188.161.76

netname: UA-PROMNETLTD-20080416
descr: Promnet Ltd.
country: UA (Ukraine)

So you are being sent to the Ukraine when you search. I suspect this isn't your ISP. But I see you have a homepage set for the UK. IF by chance, this IS your ISP, then omit the DNS flush and go on. Otherwise follow the flush direction.

DNS Flush: we may have to reset your router:

In the Control Panel: For Category View> select Network and Internet Connections
For Classic View> double click on Network Connections.

Right click on your default connection-LAN for cable and DSL> Properties> Double-click on the Internet Protocol (TCP/IP)> select Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks. (That option might not be available on some systems)

Next Go to Start> Run> type cmd> OK.
On the Command Screen, type the following:
ipconfig /flushdns> Enter> Enter
Note: The space between g and / is needed.

When finished, Exit the Command screen.

There is an entry in the HijackThis log that I cannot specifically identify:
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\DOCUME~1\Julie\LOCALS~1\Temp\Hlw.exe
All I get for Hlw.exe is 'unspecified malware'. There is a program that included the HLW, iTapi, but I do not see that running on your system.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Query- Recovery Console image (image: RcAuto1.gif)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: (image: whatnext.png)

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Do a new scan with HJT when through and attach Combofix report and new HJT log.

Is there a particular reason you don't recommend the Hitman program?

Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
Anti-spyware program combines up to six popular engines to maximize removal effectiveness.
Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:

  • Eset NOD32 antivirus system (trial, expires in 30 days)
  • Webroot Spy Sweeper (trial, expires in 7 days)
  • PC tools Spyware doctor (demo, will not clean anything)
  • Lavasoft AdAware SE (freeware)
  • Safer Networking Spybot - Search & Destroy (freeware)
  • TrendMicro CWShredder (freeware)
  • JavaCool Software SpywareBlaster (freeware)
  • McAfee VirusScan SuperDAT (virus signature definition updates, McAfee PrimeSupport license required for qualifying product)
  • Ewido Micro Scanner (freeware)(AVG)

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

Hitman Pro is using other people's knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

The new version of Hitman Pro, version 3, uses:
  • NOD32 Antivirus
  • Avira AntiVir
  • Prevx
  • G DATA Anti-Virus
  • a-squared Anti-Malware
Virus scanners are not installed on the local computer, but in the scan cloud on the Internet.
Unlimited free scanning and free 30-day version to remove detected malware.

None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.

Since Hitman pro doesn't give a log, I can't see what was removed
Not good. What about False Positives? I also think that it can give the user a false sense of security.
 
Thank you for the help and for explaining the reasons behind why you don't recommend HitMan. What you say makes sense. I had no idea such a product was utilising other people's knowledge and work without permission. That paints it in a whole new light.

Ok then, did the DNS flush and ran Combofix as requested. Below are the results:

BTW, I just have to say how incredibly grateful and impressed I am at not only the level of assistance that the experts here on Techspot offer but the sheer volume of advice given too. I can appreciate how tedious it can be to keep on being asked the same stuff over and over by the unenlightened. It is, however, very much appreciated.
 

Attachments

  • Combo-Fix log 3-2-10.txt
    11.4 KB · Views: 4
  • hijackthis after combofix 03-02-10.txt
    7.9 KB · Views: 1
Regarding Hitman Pro: It's still loading and installed on your system. You should consider removing it. You have it set to scan on boot which means every one of those programs is going to scan every time you start up. This is going to delay your start time and the trade off isn't equal to any benefit you might get. I'll give you the instructions for removal if you want.

I meant to include this in my reply but forgot. You need to empty the Java cache:
Click on the Control Panel> Java> General tab> Temporary Internet Files> Settings> Delete the files.
Then go to the Update tab> Uncheck 'check automatically for update'> Answer Yes when asked to confirm> Click on Apply> OK.

I need to know if the DNS flush made any difference with your searches. If it did not, please repeat the flush and follow with this:

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Run HijackThis again and see if the Name Server 93.188.165.187 is still listed.

If it is, please verify that this is NOT your ISP or company in the Ukraine. IF not:
I've been puzzling over the O17 entry which remains. I can't resolve the Netname and the IP range- they don't match. So I need for you to check the IPs on your machine:

Start> Run> type in cmd> enter> you will get a black screen with a blinking C prompt:
Paste this in at the C prompt: (Note space between t and - )

Netstat -an

You will get multiple lines in white print like this:
  • Column 1:protocol: TCP> IP followed by port #
    Machine IP: usually 127.x.x.0
    Router IP: 192.0.0
    Your IP: Do NOT type it here.
  • Column 2: Local Address: the machine address 127.0.0.1.xxx followed by port #
  • Column 3: Foreign Address: other than the machine or router such as 74.125.45.139 (Google)
  • Column 4: Status Established, Listening

I am only interested in the TCP protocol in Col. 1&2.

Do you show any IPs in the 85.255.112.0 to .255, or 93.188.160.0 - 93.188.167.255 ranges?
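The two checks the helper asks for above (the O17 NameServer line in the HijackThis log, and the foreign addresses in "netstat -an" output) can be done locally without posting the machine's own IPs. This is an added example, not part of the thread or of either tool; it assumes Python 3, and the HijackThis and netstat sample lines are constructed here (only the O17 line is the one quoted in the thread; the other name server is a TEST-NET placeholder).

```python
import ipaddress
import re
from typing import List, Tuple

# Address ranges the helper asks about in the thread (DNS changer name servers).
SUSPECT_RANGES = [
    ipaddress.ip_network("85.255.112.0/24"),   # 85.255.112.0 to 85.255.112.255
    ipaddress.ip_network("93.188.160.0/21"),   # 93.188.160.0 to 93.188.167.255
]

def in_suspect_range(ip: str) -> bool:
    """True if ip parses as an address inside one of SUSPECT_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPECT_RANGES)

# HijackThis O17 line: "O17 - HKLM\...\Parameters: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

def suspect_nameservers(hjt_log: str) -> List[str]:
    """Name-server IPs from O17 lines that fall inside the suspect ranges."""
    hits = []
    for line in hjt_log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for ip in m.group("servers").split(","):
            if in_suspect_range(ip):
                hits.append(ip)
    return hits

# "netstat -an" row: "  TCP    local:port    foreign:port    STATE" (UDP rows carry no state,
# so the TCP-only pattern matches what the helper asked for: TCP rows, columns 1 and 2).
NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)")

def suspect_connections(netstat_output: str) -> List[Tuple[str, str]]:
    """(foreign address:port, state) for TCP rows whose foreign IP is in the suspect ranges."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        ip, _, _port = m.group("foreign").rpartition(":")   # strip the port before parsing
        if in_suspect_range(ip):
            hits.append((m.group("foreign"), m.group("state")))
    return hits

# Constructed sample input. The first O17 line is the one quoted in the thread; the second uses
# a TEST-NET placeholder (192.0.2.53) standing in for a legitimate ISP name server.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 93.188.165.187,93.188.161.76
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{PLACEHOLDER-GUID}: NameServer = 192.0.2.53
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      74.125.45.139:80       ESTABLISHED
  TCP    192.168.1.20:1051      93.188.165.187:80      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print("Suspect name servers:", suspect_nameservers(SAMPLE_HJT))
    print("Suspect connections:", suspect_connections(SAMPLE_NETSTAT))
```

On a real machine, paste the HijackThis log text and the saved output of "netstat -an" into the two variables; the script reports only the matching entries, so nothing else from the machine needs to be shared.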
 
Hi again

Yes, please let me know how to remove Hit man. Although I've uninstalled it since the last hijackthis log I get the feeling not much has actually been removed.

I doubt that we have a Ukraine ISP - we are a UK company and our ISP is www.plus.net.com based in Sheffield UK.

The searches were already acting normally after the (dare I say it) Hitman scan so the DNS flush didn't seem to demonstrate any marked change.

I'll go off and do the rest now . . .
 
I couldn't do a hard reset of the router because the D-Link DSL-504 doesn't have a reset button! So instead I did a factory reset from within the router, turned it off, turned pc off and on again, plugged router back in, put IP info back in and ran hijack this. I hope that will have done the same thing.

Before changing the router the IP was listed as 84.51.146.128 and the gateway was 195.166.128.123.

After resetting and rebooting the router, the IP is listed as 84.51.146.218 with same gateway except last 3 numbers changed.

Hijackthis log is listed below but it still looks as though O17 is the same:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.187,93.188.161.76

Trying to do the IP check I get an error:

Windows cannot find '[b[cmd[/b[>'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

I tried a few different ways but still the same message. Sorry but I don't know enough about what I am doing to try anything else.

I've just called our ISP (plusnet) to ask about the name server, they confirm that it is not one of theirs.

http://www.who.is/dns/plus.net/
 

Attachments

  • hijackthis 5-2-10.txt
    7.7 KB · Views: 2
Trying to figure out what all you did! As for uninstalling Hitman Pro, the best I can do for you is this:

"C:\Program Files\Hitman Pro\unins000.exe"

You should find this by passing the cursor over the program in All Programs, then choose the uninstall file. Suggest you do this in Safe Mode:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Sorry, I messed up the attribute for cmd> you should only have seen the 3 letters in bold print-the b and brackets aren't included- I have two brackets backwards so you shouldn't have even seen them:

Corrected: Start> Run> type in cmd> follow the previous directions.

Give me a couple of hours. I need to ask about the O17 entry. In the meantime, try removing Hitman. You can run the Windows Installer Cleanup Utility if there are any files left over. Use the Hitman uninstaller first.
 
I'm going to ask the Moderator to delete the information in your Post 12. I see what I want and there is a bit too much info showing.
 
Everything seems to be working ok thanks. Still not sure what that O17 line is but it doesn't seem to be causing any problems.

I have uninstalled Hitman pro as entirely as I can.
 
Okay, one more:

Run this online AV scan to make sure we didn't miss anything. If it shows anything leave the log. If it is clean, you can remove the cleaning tools and old restore points:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there. (image: CF_Uninstall-1.jpg)
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if you need any more help.
 
Sorry about that!

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Ok, thanks for that. Done

Here is the log (called ESETlog.txt) and a separate file listing what it found (ESET.txt)
 

Attachments

  • ESETlog.txt
    4.4 KB · Views: 3
  • ESET.txt
    3 KB · Views: 3
I can move all the files except for Thunderbird. I had one other person who saved infected files in Outlook Express. Please check on the Thunderbird site about their 'store' folders. These are what you will have to delete.

I'll set up the Eset moves in a bit. Meantime, see what you can find on TB.
 
Okay, I'm not sure what I'm seeing here. There appear to be multiple email accounts and servers:
mail.pop.freeserve-3.com
pop.freeserve-3.com, 2
mail.farrerltd.co.uk

There is malware in the Inbox, Sent box, Trashbox, Junk box. Worse date is 3/19/2008. You need to find where the Thunderbird store boxes are and delete each of them.

Multiple moz backup dates have malware:> moz backup\Mozilla 1.7.1 en - 2008-03-19.pcv

It looks like you were using the Mozilla 1.7.1 (en) browser at the time> this became Firefox several years ago. To make it worse, you have used the MozBackup which is a backup tool for Firefox and Thunderbird.

The best thing for you to do is to delete it all, including the early Mozilla entries. You might find helpful information here: http://kb.mozillazine.org/Antivirus_software

Once you have done that, run the Eset scan again. I will then have you remove the entries. There is too much for the mail for me to wade through.
 
Thanks, I am trawling through emails on the old Thunderbird system to see if there is anything we still need, then will completely uninstall thunderbird, profiles and stored folders. Will let you know when I have got through it all. Anything I do save will simply be text copied and pasted to a new text doc - no entire emails. That should be ok shouldn't it?
 
You can go ahead and move these entries which are not in the email boxes:

Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\Julie\My Documents\backup folder\moz backup\Mozilla 1.7.1 en 
    C:\Documents and Settings\Julie\My Documents\backup folder\moz backup\Thunderbird 2.0.0.12 en-GB 
    E:\Documents and Settings\Administrator\Desktop\ebooks1\davidblaine784.zip	
    E:\Documents and Settings\Administrator\Desktop\moz backup\Mozilla 1.7.1 en  
    E:\Documents and Settings\Administrator\Desktop\moz backup\Thunderbird 2.0.0.12 en-GB 
    E:\Documents and Settings\Administrator\My Documents\Mozilla 1.7.1 (en) 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

It looks like you're backing up to your E drive.

Anything I do save will simply be text copied and pasted to a new text doc - no entire emails. That should be ok shouldn't it?

I suggest you make folders to save anything you think you need- make the folder on the desktop to be more accessible. When you have finished with a folder, do a right click on it and have the AV scan. I don't know what parts of the email were infected- whether it was an attachment you opened or a line of script in the email itself.

Let me know when you've finished deleting the boxes and I'll have you scan again to make sure nothing was missed. In the meantime, practice 'safe emailing':
  • Never open an email from some one you don't know.
  • Be careful of attachments and/or Forwards you open, even from a friend who might not know what they are sending has malware. Never open an attachment you're not expecting.
  • Never open an attachment from within the email itself> save it to the desktop> right click and scan with the AV.
  • Be more selective in the email you save. You have a folder named 'Junk.' Did you really need to save that junk?

Note the ebook you downloaded came with an information stealing Trojan: Win32/PSW.Agent. The Trojan collects information related to the on-line game Zhengtu. The Trojan can send the information to a remote machine. The HTTP protocol is used. There is no date indicated for this download. But you are advised to change all of your passwords and monitor any online financial transactions.
 