

Web Browser, Ie, Unknown Virus/malware


9 replies to this topic

#1 philking47


Posted 04 September 2008 - 02:54 PM

Hi guys,

Help is urgently required! Please!

It started with a close encounter with "Virus2009". I recognised this was not correct and stopped it downloading, but ever since I have had so many problems with other things, such as:

Can't enable Windows Update in Security (which I didn't disable in the first place).

When I click on IE the browser window is not the one I expect to see, and moments after opening the browser I get numerous ad windows opening up.

I have downloaded and tried a few detection / removal programs, which at first looked successful, but after rebooting I found that they had returned.

Also the temp files I was deleting were returning almost immediately.

I noticed some programs in my Startup that shouldn't be there, so I unchecked them.

Any Ref. To DW.Startup in my Registry was also deleted.

Please Help..!

I have a HijackThis log file if required: Attached File hijackthis.log 5.28KB


#2 Thunder


Posted 05 September 2008 - 08:33 AM

Hello PhilKing47 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 philking47


Posted 08 September 2008 - 02:54 PM

Hi Thunder,
Sorry I didn't get back to you sooner; I have been working.

So I just got round to trying out your suggested repair. Thank you, by the way, for taking time out to help me.

When I ran Malwarebytes it found a lot of infected files; I ran it a few times to be sure, until it said it was clear.

Before I ran ComboFix I tried restarting and logging on.
Everything seemed faster and OK....
I logged on to my user and just waited; then about 20 mins later an attack from ads called ads.agadoo.biz appeared on my screen without me touching it.

So I tried ComboFix.

I restarted after the scan was complete.

Here is the Combofix Log.

Attached Files

  • Attached File log.txt 14.29KB


#4 Thunder


Posted 08 September 2008 - 03:38 PM

Hello Philking47,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\wvqmgeqtjp.exe
C:\WINDOWS\system32\tgeumwjiecenxal.dll
File::
C:\WINDOWS\system32\uhkhzlamslbrwuk.dll-uninst.exe
Folder::
C:\WINDOWS\system32\wed
C:\WINDOWS\system32\tab1
C:\WINDOWS\system32\id
C:\Program Files\ShopperLink
C:\WINDOWS\system32\wTR19
C:\Temp\dax41
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b24053f6-485e-b9c3-74f9-f122abf8b94c}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{71b1366a-a38d-21c6-b444-87005c114928}]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box, --do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file C:\QooBox\Quarantine\[9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
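The CFScript in the reply above, read by a dry-run parser. This is an added example, not part of Thunder's reply and not ComboFix's own code; it only builds a list of the actions the script asks for, without touching the system. It assumes the section semantics the thread relies on (Collect:: quarantines files and packages them for submission, with the [9] as a submission tag; File:: and Folder:: entries are deleted; Registry:: uses .reg syntax where [-KEY] deletes a key, [KEY] selects a key and "name"=data sets a value under it), and that the '~' in the BHO key is ComboFix's shorthand for the Explorer Browser Helper Objects path. It also refuses a Folder:: entry naming a drive root or a core Windows directory, since a typo there is not recoverable.

```python
"""Dry-run parser for the ComboFix CFScript posted in reply #4.

Added example, not ComboFix's code. Format assumptions are stated in the
lead-in; the script text is embedded so the example runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CFSCRIPT = r"""
Collect::[9]
C:\WINDOWS\system32\wvqmgeqtjp.exe
C:\WINDOWS\system32\tgeumwjiecenxal.dll
File::
C:\WINDOWS\system32\uhkhzlamslbrwuk.dll-uninst.exe
Folder::
C:\WINDOWS\system32\wed
C:\WINDOWS\system32\tab1
C:\WINDOWS\system32\id
C:\Program Files\ShopperLink
C:\WINDOWS\system32\wTR19
C:\Temp\dax41
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b24053f6-485e-b9c3-74f9-f122abf8b94c}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{71b1366a-a38d-21c6-b444-87005c114928}]
"""

SECTION_RE = re.compile(r"^(Collect|File|Folder|Registry)::(.*)$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Assumption: ComboFix abbreviates the Explorer BHO key with '~' in logs and scripts.
BHO_SHORTHAND = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
BHO_FULL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")

# A Folder:: entry must never be one of these or a bare drive letter.
PROTECTED_FOLDERS = {r"c:\windows", r"c:\windows\system32", r"c:\program files"}


@dataclass(frozen=True)
class Action:
    kind: str          # quarantine | delete_file | delete_folder | delete_key | set_value | delete_value
    target: str        # file system path or registry key
    detail: str = ""   # submission tag, or "name=data" for registry values


def expand_key(key: str) -> str:
    """Expand ComboFix's '~' shorthand into the full BHO key path."""
    return key.replace(BHO_SHORTHAND, BHO_FULL)


def is_protected_folder(path: str) -> bool:
    p = path.strip().lower().rstrip("\\")
    return p in PROTECTED_FOLDERS or re.fullmatch(r"[a-z]:", p) is not None


def parse_cfscript(text: str) -> list[Action]:
    """Turn CFScript text into an ordered list of Actions; nothing is executed."""
    actions: list[Action] = []
    section, section_arg, current_key = None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section, section_arg = header.group(1), header.group(2).strip()
            current_key = None
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section == "Collect":
            actions.append(Action("quarantine", line, f"submit {section_arg}"))
        elif section == "File":
            actions.append(Action("delete_file", line))
        elif section == "Folder":
            if is_protected_folder(line):
                raise ValueError(f"refusing to delete protected folder {line!r}")
            actions.append(Action("delete_folder", line))
        else:  # Registry:: in .reg syntax
            km = REG_KEY_RE.match(line)
            if km:
                key = expand_key(km.group(2))
                if km.group(1) == "-":
                    actions.append(Action("delete_key", key))
                    current_key = None
                else:
                    current_key = key
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and current_key is not None:
                name, data = vm.groups()
                kind = "delete_value" if data == "-" else "set_value"
                actions.append(Action(kind, current_key, f"{name}={data}"))
                continue
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_cfscript(CFSCRIPT):
        print(f"{a.kind:13} {a.target} {a.detail}".rstrip())
```

Running it prints the twelve actions the script requests: two quarantines, one file and six folder deletions, two key deletions and one value set (AppInit_DLLs cleared, which matters because every DLL named there is loaded into each process that loads user32.dll). Reviewing a script this way before dragging it onto ComboFix is how a helper catches a stray line in Folder::.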

#5 philking47


Posted 10 September 2008 - 05:16 AM

Hi again Thunder,
Firstly, thanks so much for your help.

I am at work at the moment and haven't tried the last fix; I will later today and post the results.

I can tell you that the last time I logged on to the net, again everything seemed OK, then an ad appeared (a gambling URL),
then another appeared almost immediately which was one of the adult ones :thumbsup: .

Hopefully the last fix will help.

I will let you know.

Thanks again.

#6 philking47


Posted 10 September 2008 - 02:41 PM

Hi Thunder,
I have just noticed, when I move the CFScript file over the ComboFix icon on my desktop, a box appears with the following message:

CFSCRIPT NAME ERROR

Were you trying to Run CFScrpt ?

The name, CFScript appears to be incorrectly spelt.

When I press OK the program shuts down.

Is this normal ?

Philking

#7 philking47


Posted 10 September 2008 - 03:41 PM

OK, I think the spelling was my fault. I finally got ComboFix working OK.

Here are the latest logs you requested.

Please let me know if I need to do anything more.

Thanks
Attached File log2.txt 5.42KB
Attached File log2.txt 12.68KB

#8 Thunder


Posted 10 September 2008 - 04:22 PM

Hello Philking,

Looking good now. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present:

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the following command into the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Any more problems ?

Greetings,
Thunder
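The HijackThis step in the reply above, as an added example that is not part of Thunder's reply and not HijackThis's own code: a small triage pass over HijackThis log lines of the kinds this thread acts on (O2 BHOs, O4 Run keys, O20 AppInit_DLLs and Winlogon Notify). The sample lines are constructed for this example; the sample_* file names are placeholders and not from the poster's log, while the O20 Winlogon Notify line is the one quoted above. The line formats are the ones HijackThis prints for those sections. The optional set of "known bad" tokens (CLSIDs or file names lifted from an earlier CFScript) is a hypothetical convenience for cross-checking that a fix actually took.

```python
"""Triage of HijackThis log lines for the persistence points this thread fixed.

Added example, not HijackThis code. Sample lines are constructed; see lead-in.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (placeholder file names), modelled on the O20 line quoted above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {b24053f6-485e-b9c3-74f9-f122abf8b94c} - C:\WINDOWS\system32\sample_bho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [sample_loader] C:\WINDOWS\system32\sample_loader.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: sample_hook.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
NOTIFY_RE = re.compile(r"^(.*?) - (.*?)( \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section: O2, O4 or O20
    target: str  # CLSID, Run-key name, DLL list or Notify package name
    reason: str


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log: str, known_bad: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the lines a helper would act on, with the reason for each."""
    bad = {t.lower() for t in known_bad}
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            name, clsid, path = m.groups()
            if clsid.lower() in bad or _basename(path) in bad:
                findings.append(Finding("O2", clsid, "BHO matches an item removed by the earlier CFScript"))
            elif name == "(no name)":
                findings.append(Finding("O2", clsid, "BHO registered without a name"))
        elif m := RUN_RE.match(line):
            _hive, _key, name, cmd = m.groups()
            if any(t in cmd.lower() for t in bad):
                findings.append(Finding("O4", name, "Run entry points at an item removed by the earlier CFScript"))
        elif m := O20_RE.match(line):
            what, rest = m.groups()
            if what == "AppInit_DLLs":
                if rest.strip():  # an empty value is the normal state
                    findings.append(Finding("O20", rest.strip(),
                                            "AppInit_DLLs is non-empty: loaded into every process that loads user32.dll"))
            elif nm := NOTIFY_RE.match(rest):
                name, dll, missing = nm.groups()
                if missing:
                    findings.append(Finding("O20", name, "Winlogon Notify DLL is missing: orphaned entry, safe to fix"))
                elif _basename(dll) in bad:
                    findings.append(Finding("O20", name, "Winlogon Notify DLL matches a removed item"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, frozenset({"{b24053f6-485e-b9c3-74f9-f122abf8b94c}"})):
        print(f"{f.kind:4} {f.target}: {f.reason}")
```

An orphaned Winlogon Notify entry like the dimsntfy one is flagged because its DLL is gone, which is exactly why the reply says to fix it only "if still present"; a non-empty AppInit_DLLs is flagged regardless, since the earlier CFScript cleared it and it should stay empty.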

#9 philking47


Posted 11 September 2008 - 11:13 AM

Hi Thunder,
At work at the moment, but I thought I would bring you up to speed on my computer problem.

I did everything you suggested, and my computer booted up quicker than normal and the internet sign-on was a lot faster.

I visited a few sites waiting for any ads to appear, and... yesssssss, there was nothing :thumbsup:

So when I get home I will switch on again and recheck.

I have to thank you for your time and efforts; you have been a godsend to somebody like myself who was struggling.

I was moments off reformatting and reinstalling, so A HUGE THANK YOU TO YOU AND THE SITE!

Can I ask you about an entry on one of the logs? I saw a ref. to "Dewoo". Is this OK?

And up to now I have been signing on with administrator rights. Is this OK, or should I create another name which would be NON ADMIN, and use that as a regular sign-on?

Last question!

Can you suggest any precautions I should be taking to stop this happening again?

Thank you.

#10 Thunder


Posted 11 September 2008 - 04:54 PM

Hello Philking,

That registry key containing the Deewoo.lnk reference is in fact empty since the linked malware file is gone, so it's quite harmless now.
If you want it gone, just go to the Startup folder (Start > Programs > Startup) in the "Jen" account and delete the shortcut.

Working out of an account with limited rights is always a good idea,
and can prevent some problems, although not everything.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
