Solved Malware redirecting search engine result clicks


dierootkitdie

This sneaky bugger got in around 4pm yesterday, and after several hours of my best attempts to remove it, I finally gave up and came to these forums.

The first hint I had that I was infected was when Winamp unexpectedly gained focus and attempted to play a .tmp file. The next hint was fairly obvious - my search engine clicks were taking forever to resolve the URL they were supposed to go to, and instead, after timing out, would redirect me to useless malware-ridden sites.

So far I've run HijackThis, Malwarebytes and DDS, checked my running services and msconfig, and I didn't see anything obvious, but I'm clearly no expert at killing malware. GMER is currently running but I don't have high hopes for it completing even by the time I get home from work (this is a work machine I'm using at the moment).

Ironically, I had Nod32 protection up until a week ago, but didn't feel the need to register it... Hindsight eh. I've included the logs requested by your site excluding GMER.

Any ideas?

PS For those of you wanting a high res image of Ramona Flowers from Scott Pilgrim using google image search, while simultaneously searching for glActiveTextureARB #define errors, be careful! :(
 

Attachments: Attach.txt (18.2 KB), DDS.txt (9.4 KB), mbam-log-2010-10-11 (23-45-56).txt (894 bytes)
GMER completed

GMER completed. I've tried a lot of different methods since my earlier post, including running Spybot Search & Destroy, and nothing has gotten rid of the infection. I did notice a file 'catchme.sys' which appeared in my Local Settings folder temporarily, and that's apparently a key logger... great. Please could someone give me a hand with this?
 

Attachments: gmer.log (4.9 KB)
Welcome aboard

Before we go anywhere, you have to decide what you want to do about your AV program.
Register NOD, update it and run a full scan, or switch to something else.
The cleaning process doesn't make much sense without an active AV program.
 
Doing a full scan with Avast, will be buying a copy of NOD32 tomorrow. Avast will have to do for the night, will post results as soon as they're available, thanks for the speedy reply!
 
If you installed Avast, make sure to uninstall NOD, even if for 1 day.
Running two AV programs is nothing but trouble.
 
Yup I fully removed NOD32 last night before running malware bytes, TFC and GMER. Avast is about 80% done, found 1 infected file so far...
 
Well Avast found nothing beyond the first file, which turned out to be a copy of the Human Centipede, which is a fairly silly film about a mad surgeon and 3 lost hikers. Anything in the logs that points to an infection?
 
Not yet, but we're about to find out :)

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Logs attached for malware bytes, MBRCheck and Combofix. Winlogon and explorer are hosed :(
 

Attachments: mbam-log-2010-10-13 (00-17-16).txt (895 bytes), MBRCheck_10.13.10_00.46.43.txt (9 KB), combofix_log.txt (22.2 KB)
Let's see if we can find healthy replacements.
Do you have a Windows CD?


Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Check Scan All Users.
    • For Processes choose none.
    • For Modules choose none.
    • For Services choose none.
    • For Drivers choose none.
    • For Standard Registry choose none.
    • For Extra Registry choose none.
    • For Files Created Within choose none.
    • For Files Modified Within choose none.
    • Under Custom Scans/Fixes paste:
    Code:
    /md5start
    winlogon.exe
    explorer.exe
    /md5stop
    • Finally hit Run Scan and wait for the log to open.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Hi Broni,

I left my PC doing OTL's scan as you instructed before leaving for work this morning; hopefully it'll be done when I get home. Regarding Windows CDs, I might have the one I created for my PC with SP3 slipstreamed on it, but failing that, what's plan B?
 
Hi Broni,

OTL didn't output an extras.txt for some reason. However it did output OTL.txt below:

OTL logfile created on: 10/13/2010 5:52:59 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Tomi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 13.10 Gb Free Space | 2.81% Space Free | Partition Type: NTFS

Computer Name: SKYNETNODE243 | User Name: Tomi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=144DF8BB6E0C1DBF1491521FD6E5DFB4 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=AA803E788001A10533C734CC41AE44F8 -- C:\WINDOWS\system32\winlogon.exe

< End of report >
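The OTL custom scan above reports one copy of each file with its MD5, and the helper's question is whether any other copy on the disk carries a different hash. As an added example (not part of this thread, and not OTL's own code), the Python below parses that `/md5start` report format, groups the copies of each file name by hash, and lists copies whose hash differs from the one at the expected system path. The sample report is constructed: it uses the two lines from the thread plus a made-up third line (placeholder hash, hypothetical ServicePackFiles path) to show how an alternate copy would be reported.

```python
import re
from collections import defaultdict

# One OTL "/md5start" result line, e.g.
# [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=<32 hex> -- C:\WINDOWS\explorer.exe
LINE_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_md5_report(text):
    """Return {filename: [(path, md5, size_bytes, company), ...]} from OTL MD5 output."""
    found = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers such as "< MD5 for: EXPLORER.EXE >" are skipped
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        size = int(m.group("size").replace(",", ""))
        found[name].append((path, m.group("md5").upper(), size, m.group("company")))
    return dict(found)

def hash_groups(entries):
    """Group the copies of one file by MD5: {md5: [paths]}."""
    groups = defaultdict(list)
    for path, md5, _size, _company in entries:
        groups[md5].append(path)
    return dict(groups)

def replacement_candidates(report, name, system_path):
    """Paths of copies of `name` whose hash differs from the copy at `system_path`."""
    entries = report.get(name.lower(), [])
    by_path = {p.lower(): md5 for p, md5, _s, _c in entries}
    ref = by_path.get(system_path.lower())
    if ref is None:
        return []  # the reference copy itself was not in the report
    return [p for p, md5, _s, _c in entries if md5 != ref]

# Constructed sample: the two lines from the thread plus a made-up third copy of
# explorer.exe (placeholder hash, hypothetical path) to show an alternate copy.
SAMPLE = """\
< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=144DF8BB6E0C1DBF1491521FD6E5DFB4 -- C:\\WINDOWS\\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\\WINDOWS\\ServicePackFiles\\i386\\explorer.exe
< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=AA803E788001A10533C734CC41AE44F8 -- C:\\WINDOWS\\system32\\winlogon.exe
"""
```

Calling `replacement_candidates(parse_md5_report(SAMPLE), "explorer.exe", r"C:\WINDOWS\explorer.exe")` returns only the constructed ServicePackFiles path; on the thread's real report, with a single copy of each file, it returns an empty list.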
 
Unfortunately, we don't have any other copies of the files in question on your hard drive.

We need to use the Recovery Console to fix your issue.

  • You'll need to find your Windows XP installation disk.
  • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
  • If prompted, click any options that are required to start the computer from the CD-ROM drive.
  • When the Welcome to Setup screen appears, press R to start the Recovery Console.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to.
    • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  • You will now be presented with a C:\Windows> prompt
  • At the command prompt window, type exactly the bolded text below (watch for "spaces"). (The d after the word expand is the drive letter of your CD-ROM. If it's different on your computer, please make the necessary adjustment.)

    expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe /y
    expand d:\i386\explorer.ex_ c:\windows\explorer.exe /y


  • type exit to exit the command prompt and restart your computer.
 
I wasn't able to expand the files, despite the source files definitely existing: when I attempted to run the expand commands, the Recovery Console simply told me it wasn't able to create the files. I tried expanding them to my root C directory as well, and got the same results.
 
Boot normally.
Open Windows Explorer.
Navigate to:
d:\i386
Copy explorer.ex_ and winlogon.ex_ to the C (root) folder.
Using any unzipping program you have, unzip both files so they stay in the C folder.
Double-check that you now have explorer.exe and winlogon.exe in the C folder.

Reboot to the Recovery Console and run the following commands:

copy c:\winlogon.exe c:\windows\system32\winlogon.exe /y
copy c:\explorer.exe c:\windows\explorer.exe /y


Press "Enter" after each command.
You should see this:
1 file(s) copied


Watch for "spaces" in the above commands
 
Oki doke, no warnings about winlogon or explorer being infected, here's the log attached.
 

Attachments: combofix_log2.txt (22.3 KB)
Very good :)

Combofix log is clean.

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Google's search results aren't being hijacked anymore, so I'm assuming much better than Monday evening! I offer my deepest gratitude and thanks for your help; there's no way I would've done this without your assistance, and reinstalling XP would have been horrible. Thanks very much!
 