Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent Infection - InternetSecurity2010 and Broswer Re-directs


  • This topic is locked This topic is locked
65 replies to this topic

#16 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 24 December 2009 - 06:26 PM

Just fended off an onslaught of TR/SPY.27136.45 trojan which had cloaked as the Windows/System/notepad.dll per the Avira alert screens. Tried their deny and move to quarantine options about 15 times rapid fire succession when I used the delte option and that seemed to knock it down. Who knows if it'll rear back up after a reboot.
FYI
David

BC AdBot (Login to Remove)

 


#17 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 24 December 2009 - 09:10 PM

According to the screen shot you gave me of of TDSSKiller it found an infected file although the log did not show it.

Give ComboFix another try now and see what happens.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#18 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 25 December 2009 - 12:47 AM

ComboFix red meter bar runs to full, cursor goes hour glass for a couple seconds, blinks, entire page blinks/refreshes and then nothing. No scan window or anything.

#19 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 25 December 2009 - 06:28 AM

This is really being stubborn. Let's try ESET, if it doesn't work update MalwareBytes and let it have a shot. If that doesn't work we'll go with another kind of scan and I'll see if we can manually remove some of the offenders if we can find them.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#20 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 12:54 PM

FYI,
At step 7 - Checkmarking the scan archives box, there was also another box already checked for "deleting threats" - I left it checked as well assuming that whatever it deletes will be summarized in the report.
Scanning now, update report to follow.
Ciao, David

#21 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 04:16 PM

ESET Scan Results:

C:\oqnqso.exe a variant of Win32/Cimag.BI trojan cleaned by deleting - quarantined
C:\qmgx.exe a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\uwlwfa.exe a variant of Win32/Kryptik.BIM trojan cleaned by deleting - quarantined
C:\waxfhosk.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined
C:\Program Files\InternetSecurity2010\IS2010.exe Win32/Adware.AdvancedVirusRemover.B application cleaned by deleting - quarantined
C:\WINDOWS\system32\kikuziru.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\winlogon86.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\winupdate86.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus deleted - quarantined
C:\WINDOWS\temp\346660478.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\4240846524.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\csrss.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\hawp33d5.exe a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\install.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\notepad.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\r1em5lc.exe a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\smss.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\system.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\taskmgr.exe a variant of Win32/Kryptik.BGF trojan cleaned by deleting - quarantined

#22 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 26 December 2009 - 04:32 PM

That found quite a lot, go ahead and try ComboFix once again.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#23 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 06:36 PM

Same results... small red meter 2" wide x 3/8" tall comes up, fills up, desktop flashes a couple times and then nothing. It seems as one of the viruses has CF's number and is blocking it.

On a positive note, I have access to the Task Manager back.

Edited by David-In-Chicago, 26 December 2009 - 06:37 PM.


#24 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 07:00 PM

I had tried running MBAM and was getting a Runtime error message #9 - Subscript out of range. Researching it on their site brought me to this page with info on RootRepeal for fighting an infection that appears to be what I have caught. Should we try his fix? http://www.malwarebytes.org/forums/index.php?showtopic=12709
Let me know how you want me to proceed.
Thanks!
David

#25 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 26 December 2009 - 07:34 PM

Do you know if you are having success shutting McAfee down before you try to run it. Sometimes McAfee can be a serious impediment to the program.


Just saw your other post. RootRepeal is an ARK we use but I prefer GMER most of the time.

Edited by thewall, 26 December 2009 - 07:36 PM.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#26 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 07:56 PM

I took McAfee off completely yesterday/day before(?) and left just Avira running since McAfee has more conflict issues. I'll try RR and see if it catches them off guard. Any other thoughts?

#27 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 26 December 2009 - 09:04 PM

You're welcome to run RR if you want to. What the MBAM site is referring to is TDSS rootkit. Although there is still some of that out there the newest version is TDL3 which is an entirely different matter. Let's see what it shows.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#28 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 26 December 2009 - 10:07 PM

You're correct. It didn't show anything of importance.
RR report:


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/26 19:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================


Hidden/Locked Files
-------------------
Path: c:\documents and settings\owner\local settings\temp\~df7236.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~df85c2.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\documents and settings\owner\local settings\temp\~dfb705.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~dfbe93.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~dffcf0.tmp
Status: Allocation size mismatch (API: 163840, Raw: 16384)

Edited by David-In-Chicago, 26 December 2009 - 10:08 PM.


#29 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:22 PM

Posted 26 December 2009 - 10:35 PM

Try DDS again. If it won't run then try RSIT which I have below. If you have to run RSIT post the logs as an attachment because they may be fairly lengthy.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#30 David-In-Chicago

David-In-Chicago
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 27 December 2009 - 01:20 AM

Update on activity before seeing your last post.
I ran SUPERAntiSpyware scans twice and it cleaned off some 98 threats. After this I ran MBAM which cleaned up another 55 issues.

I have attached the three logs.

I'll now run the DDS if possible as well as the RSIT.

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users