Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help Cleaning Out Browser Hijacker And Trojan


  • Please log in to reply
8 replies to this topic

#1 CrisGer

CrisGer

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:07:46 PM

Posted 12 January 2008 - 07:33 PM

Hello and thanks for any help.

I have been working to clean out some trojans and a smith attack, and today found that I can't sometimes select the first one or two topics of a google search, i get redirected, i had a heck of a time getting the latest install of Sun JAVA today, and had to come here to find a good link, as all the links i tried including SUN's i got redirected. So i suspect a virus is trying to protect itself from being cleaned.

I run AVG all the time and Outpost firewall and have been running Spybot and AdAware several times a day and also the AVG scan, i get hits sometimes and yesterday i cleaned out ALL the reported bad files from the AVG list including several in the SUN Java folders, and ended up with a weird error message saying a memory address could not be read.

the instruction at "0x13141d4e" referenced memory at "0x131424e".
The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

OK Cancel

I thought i had better uninstall JAVA and did and reinstalled it and that error seems to have gone but I got an error report and a Generic Host Process Alert after re installing JAVA and it said:


Generic HOst process for Win32 Sesrvices encountered a problem and needed to close

This error occured on 1/12/2008 at: 11:40:03AM


EventType: BEX P1:svchost.exe P2:5.1.2600.2180 P3: 41107ed6
P4:svhost.exe P5:5.2600.2180 P6:41107ed6 P7:00001d4e P8:c0000005
P9:00000008

C:/DOCUME~Owner/LOCALS!~\Temp\WER329e.dir00\svchost.exe.mdmp
C;\DOCUME!1Owner\LOCALS~1\TempWER3293dir00\appcompat.txt

so something was trying to get out....

I have the main tools still installed as you guys have saved my compy before, and I am soo grateful. I am willing to do whatever i can to try to get the pesky stuff out, but at this point it is not showing up easily in the bug scans. Can you help me?

I have an AMD 3400 running at 2.6 ghz, 400 GB Hd Drive, 2.5 GB RAM, XP Pro SP2, and am somewhat comp saavy so can follow your instructions pretty well, just need to know exactly where to look for what is hiding in my system.

As i was just running a Spybot scan about 20 mins ago, i got an alert from AVG that there was a Trojan Backdoor Generic c_AEW Object name smtpdrv.sys, in C:WINDOWS\system32\drivers\ as i had scanned earlier and it has not showed up i dont knwo how it got there but i moved it to the virus AVG vault.

The AVG scan also found a cs2fg53311.exe Trojan horse Sheur.ALOS in C:\WINDOWS\system32\ and that is in the vault too. I am hesitant to try to go looking for infected files and moving them by hand into trash and deleting them after that problem that happened with the SUN Java infected files that caused the error yesterday.

Soooo, can you help? I will do all the scans and steps you suggest and await instructions. I will go ahead and do a Hijack This log and follow the intructions over there, after reviewing that section again (it has been a while since i did a session here) i realize i need to post my help request over there. thanks.

Edited by CrisGer, 12 January 2008 - 07:36 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:46 PM

Posted 12 January 2008 - 09:58 PM

IMPORTANT NOTE: One or more of the identified infections is related to a nasty rootkit componet. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please download Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:07:46 PM

Posted 13 January 2008 - 10:46 AM

Thank you quietguy, will start immediately and thanks.
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:46 PM

Posted 13 January 2008 - 12:24 PM

Also go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of cs2fg53311.exe and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:07:46 PM

Posted 13 January 2008 - 12:42 PM

Hi I have sad and bad news,total system failure.

I ran SDFix as requested from a fresh download, Safe Mode, ran fine and I monitored closely to be sure, at 75% the comand screen disappeared and all i had was the safe mode black screen with Safe Mode at the corners but no access to the rest of the system, no nuttin. I waited half an hour but only minimal system activity so i cold rebooted. tried to boot into Safe mode, got back to the same safe mode screen with safe mode at the corners and the system build at the top but no access to system. Tried last working install, no go, no go for normal. now the system wont boot at all, just stayed black.

I am assuming something malicious did not want us to complete the regeistry clean up and wiped my whole system? I can do a total re install next week, but i wanted to check with you first. Is there any way round th black screens? I am using my older Win98SE test platform to communicate.

thanks for any help...

so end result, SDFix did not complete or create a report that I can get to, and I dont know how to get the system booted in its current state. I can try but i will need help.

PS I did run a Hijack This scan yesterday and posted in that area of the forum after I thought maybe this section was just for beginners...so here was the scan before things crashed: in case this will help:Hello dear Friends at Bleeping,
Well, here i am , got some pesky and stubborn trojans I can't seem to get rid of with the anti virus tools i use regularly, here is my info:

Edited by quietman7, 13 January 2008 - 01:30 PM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:46 PM

Posted 13 January 2008 - 01:54 PM

You reposted your entire first post in this reply so I removed it to avoid confusion.

If you cannot bootup in normal or safe mode, then your options are limited. You may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

"Resolving Boot Issues with a Boot Floppy Disk".
"How to obtain Windows XP Setup boot disks". The Setup boot disks are available so that you can run the Setup program on computers that cannot use a bootable CD-ROM.

Another option is to create a Bootable CD:
Bart's way to create bootable CD-Roms
Hiren's BootCD
Ultimate Boot CD
EzReload Bootable CD
Windows and DOS Boot Disks

You can try doing a "Repair Install with Recovery Console". The Recovery Console is a Windows utility that provides a DOS-like command line from which you can run some repair programs. If you have a Microsoft Windows CD-ROM, you can get to the Recovery Console by booting from that CD and pressing any key when you told to 'Press any key to boot from CD'. At the 'Welcome to Setup' screen, press r for Repair.

"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
"How to install and use the Windows XP Recovery Console".
"How to recover from a corrupted registry that prevents Windows XP from starting".

If you don't have your XP CD you can download a Recovery Console ISO file and burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. Read Creating A Windows XP Recovery Console CD Image.

However, the better course of action would be to reformat and reinstall the OS. Some types of malware can result in a system so badly damaged that a Repair Install may NOT help!. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:07:46 PM

Posted 13 January 2008 - 05:32 PM

thank you very much, that was the info i needed, i will go over it all with a tech who has helped me in the past tomorrow and we will see what the best option may be, he is a professional with integrity and i will trust him and you guys to lead on the best path. My own instinct is to reinstall as you say for the reasons you give. thanks for the help so very much. i will report on any future progrerss or outcome.
chris
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:46 PM

Posted 13 January 2008 - 05:43 PM

Your welcome and good luck.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:07:46 PM

Posted 13 January 2008 - 06:18 PM

Hi again, I may just try the Rescue CD you sent me a link for to see if i can get the recovery console to work, are there specific remedies I should try to use the console for, to make the installation on my system operable if i can indeed get the console to work?

Just am trying to learn about these processes in case this comes up again ever in the future, even tho I still think a total reinstall may be the best way to go.

thanks
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users