Browser Hijacked - Unable to run HJT, MBAM, Windows Update


14 replies to this topic

#1 vvolfgang

Posted 13 June 2009 - 11:35 PM

Help!!

Evil forces have gripped my aging PC... I'm getting frequent pop-ups, redirects, and what looks like "Gatoring" -- Getting questionable Ads being displayed in places where legitimate Ads existed before infection.

I've tried the basics:
Advanced System Care v2 & v3
MS Windows Defender
TrendMicro Housecall (failed to launch many times but finally started, hung during cleanup)

Can't get the following to run or update:
- malwarebytes anti-malware (would not launch)
- MS Windows defender (wouldn't update)
- Trendmicro HijackThis (would not launch)
- Windows update (gets redirected)

Found this website, read a thread from boopme and followed it here.

Attach.txt and DDS.txt uploaded.

Thanks in advance.

Vv-


#2 vvolfgang

Posted 14 June 2009 - 04:14 PM

Need to add an update:

Traced the DNS problem to a hijacked Name Server entry. I had static name server IPs entered; those were redirected.

I changed DNS setting to "Obtain DNS Server Address Automatically" and I am now able to reach MS update; patches are now up-to-date.

System still appears to be infected.
- IE browsing sessions still get redirected
- Legitimate Ads still getting gatored
- Malwarebytes anti-malware still not able to execute

In an attempt to diagnose this, I've blocked the Ad site IP ranges, but this does not fix the redirection.

Any help is greatly appreciated.

Vv-

#3 vvolfgang

Posted 15 June 2009 - 07:11 PM

Ok, after peeling back the first layer:

I found a registry key that still pointed the altered MBAM.EXE file name to MBAM; I suspected the entry was what was preventing me from running the renamed MBAM.exe. I blanked the value in the subkey and MBAM executed.

Contains the result of initial scan: mbam_log_2009_06_14__22_47_54__initial_scan.txt (attached)

Contains the result of first round of quarantine and deletion: mbam_log_2009_06_14__22_54_27__after_round_1_quarantine_and_delete.txt (attached)

Contains the result of round 2 of quarantine and deletion: mbam_log_2009_06_14__23_19_29__after_round_2_quarantine_and_delete.txt (attached)

I then ran Kaspersky online scan, the results: Kapersky_result___after_round_2.txt (attached)

Looks like I have: Trojan.Win32.Agent.clxm

So... my next step is figure out how to get rid of it.

Back in a bit...

Vv-

#4 vvolfgang

Posted 16 June 2009 - 12:18 AM

Ok, Round 3-

Tried to find information on-line about Trojan.Win32.Agent.clxm with little luck. A few hits on .de sites is about it.

Booted up in safe mode earlier and ran MBAM, scan results: mbam_log_2009_06_15__21_15_23____rount_3_MBAM_scan.txt (attached)

Quarantined and deleted using MBAM, results: mbam_log_2009_06_15__21_16_30____round_3_quarantine_and_delete.txt (attached)

Booted back up in Normal mode and ran Kaspersky online scan again, same finding: Round_3_Kaspersky_result.html (attached)
Text version: Round_3_Kaspersky_result.txt (attached)

ARGH... the Trojan.Win32.Agent.clxm is still there. :thumbup2:

Vv-

#5 vvolfgang

Posted 16 June 2009 - 12:57 AM

Ok, given the changes I've made .... :thumbup2:

I've re-run DDS and posted the results.

Attach.txt (attached)

DDS.txt (attached)

Any help is greatly appreciated.

Vv-

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 16 June 2009 - 11:42 AM.


#6 sempai

Posted 22 June 2009 - 05:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 vvolfgang

Posted 22 June 2009 - 09:18 PM

Hi Sempai,

Condition has changed slightly, I still am getting redirects to bizarre sites. Internet access performance is very slow.

MBAM has identified two issues:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXruotpwvljtvjgakwvlsxrfcsytuprbuh.dll (Spyware.Agent) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXruotpwvljtvjgakwvlsxrfcsytuprbuh.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Neither would delete on reboot; I'm not sure if I'm "doing it right" because I can't see any evidence of deletion after reboot. Does it delete on a normal reboot, or do I have to reboot into safe mode? Also, shortly after reboot the system would suffer the Blue Screen of Death with "Page Fault in Unpaged Area"; not sure if this is related to the delete on reboot for the Memory Infection.


Additionally, I am still seeing legitimate advertising space being replaced with other ads.

DDS is attached. Any help is greatly appreciated. DDS.zip (attached)

Vv-

Edited by vvolfgang, 23 June 2009 - 06:53 AM.
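The MBAM excerpt above mixes items that were already quarantined with items marked "Delete on reboot", which is exactly what the poster was unsure about. The following parser is an added example (not part of this thread or of Malwarebytes) that reads that log section format, separates the pending-reboot items from the completed ones, and flags paths reported through the NT object namespace (the \\?\globalroot\ form); the sample log text is constructed from the two sections quoted in the post.

```python
"""Parse the 'Infected' sections of a Malwarebytes (MBAM) log excerpt.

Added example for this thread, not Malwarebytes code. It separates items that
are only removed after a restart ("Delete on reboot") from completed ones and
flags paths MBAM reported via the NT object namespace (\\?\globalroot\...),
which in this thread belonged to the MSIVX rootkit.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, mirroring the two sections quoted in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXruotpwvljtvjgakwvlsxrfcsytuprbuh.dll (Spyware.Agent) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXruotpwvljtvjgakwvlsxrfcsytuprbuh.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
"""

# One finding line: "<path> (<threat name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.*) \((?P<threat>[^()]+)\) -> (?P<action>.*?)\.?$")
# Section headers look like "Files Infected:" and carry no "->".
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):$")
# Win32 extended-length prefix plus the GLOBALROOT link into the NT namespace.
DEVICE_NAMESPACE_PREFIX = "\\\\?\\globalroot\\"


@dataclass
class Finding:
    section: str
    path: str
    threat: str
    action: str


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the log, tracking the current section header for each entry."""
    findings: list[Finding] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            findings.append(Finding(section, entry["path"], entry["threat"], entry["action"]))
    return findings


def pending_reboot(findings: list[Finding]) -> list[Finding]:
    """Items MBAM could not remove while Windows was running; they are only
    gone once the restart has actually happened."""
    return [f for f in findings if f.action.lower().startswith("delete on reboot")]


def is_device_namespace_path(path: str) -> bool:
    """True when the scanner reached the file through \\?\globalroot\ rather
    than a drive letter, a sign it had to bypass the normal file-system view."""
    return path.lower().startswith(DEVICE_NAMESPACE_PREFIX)


def report(findings: list[Finding]) -> dict:
    """Counts a helper would want at a glance before telling the user to reboot."""
    return {
        "by_section": dict(Counter(f.section for f in findings)),
        "pending_reboot": len(pending_reboot(findings)),
        "device_namespace_paths": sum(is_device_namespace_path(f.path) for f in findings),
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(report(found))
    for f in pending_reboot(found):
        print("needs restart:", f.section, "|", f.path)
```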


#8 sempai

Posted 24 June 2009 - 07:24 AM

Hello vvolfgang,

We need to download and run ComboFix (by sUBs)

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Warning!

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter, DO NOT run this tool, as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Dex :thumbup2:

~Semp



#9 vvolfgang

Posted 25 June 2009 - 07:05 AM

Hi Dex,

ComboFix wouldn't run initially, I re-downloaded it but renamed before saving to the desktop and that allowed it to execute.

It ran and the log is attached: combofix_log.txt (attached)

I'm now running MBAM to see what remains; I'll attach result when complete.
<<UPDATE>> MBAM results are clean!!

The browser performance is already notably faster than when it was infected.

Where can I learn more about how this particular type of malware works?

Thanks for your help.

Vv-

Edited by vvolfgang, 25 June 2009 - 07:55 AM.


#10 sempai

Posted 25 June 2009 - 05:22 PM

Hello vvolfgang,

"Where can I learn more about how this particular type of malware works?"

You've been infected with the MSIVX rootkit. Details can be found HERE and HERE.

Signs of ZANGO adware are also present. Details can be found HERE and HERE.


Now let's continue with the cleaning process. :thumbup2:

First:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Second:
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
With regards,
Dex :)

~Semp



#11 vvolfgang

Posted 26 June 2009 - 06:55 AM

Hey Dex,

Results from #1: ComboFix.txt (attached)
Results from #2 were a clean scan, zero infections.

Thank you.

Vv-

#12 sempai

Posted 26 June 2009 - 07:13 PM

Hi vvolfgang,

1. GO to c:>windows>system32 and delete ezsidmv.dat


2. Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.


3. Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


4. Uninstall ComboFix

  • Click on Start Menu, then click Run.
  • Copy and paste the code below and hit enter.

ComboFix /u



Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Re-hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.


5. Your Log is Clean, please take the time to read below to secure your machine and take the necessary steps to keep it Clean :)


Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.
Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system.
I recommend that you visit the link above and apply the SP3 patch.

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

How to prevent Malware: by miekiemoes

Thanks to KahdaH who is also working on this log behind the scene. :thumbup2:

With regards,
Dex :)

~Semp



#13 vvolfgang

Posted 27 June 2009 - 08:42 AM

Hi Dex, KahdaH,

Much thanks to the both of you. You've given me much in terms of guidance and tools in this effort and I've applied them to two other computers; I've also passed the preventive information to my friends and that too, will help.

Thank you for your service, keep up the good work. :thumbup2:

Vv-

#14 sempai

Posted 27 June 2009 - 08:56 AM

You are very much welcome. We are so glad we could help. :thumbup2:

With regards,
Dex :)

~Semp



#15 kahdah

Posted 27 June 2009 - 09:09 AM

You are welcome :thumbup2:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
