
Malware? Firefox crashes, IE redirects, blocking / disabling antivirus software
3 replies to this topic

#1 stargazersilent
Posted 20 January 2010 - 09:50 PM

I had to admit defeat last night - I have no idea what else to try to fix my computer. Sorry in advance for the long post (and, at times, possibly run-on sentences & "creative" grammar)!

Synopsis:
Something is causing the following symptoms -
- Disabling Symantec Corporate resident (Noticed in Safe Mode - gives a message that it's disabled, but the system icon remains the same - may be happening in "normal mode" as well)
- Does not allow MBAM to run, even if renamed (Started Saturday?)
- Does not allow SpyBot S&D to run, but leaves the resident system icon (Started Saturday)
- Does not allow SpyBot S&D to be installed, even in Safe Mode (I uninstalled & was attempting to reinstall, because this was the first symptom I noticed)
- Does not allow HJT to be installed, even in Safe Mode - states that the Administrator has enabled settings that do not allow the install to run (even though I am on an Admin account) - Will allow a copy I installed about a year ago to run.
- Does not allow SmitFraudFix to run (I have all the tools I downloaded for fixing my computer about a year ago in a folder and I clicked the wrong icon by mistake)
- IE & Firefox crash trying Panda Scan at 3%, even in Safe Mode (Noticed last night - was able to get through a Panda Scan in Firefox as late as Sunday, which didn't catch anything)
- IE crashes on loading Trend Micro HouseCall online scan, even in Safe Mode (didn't try in Firefox, noticed last night)
- IE crashes on loading the Kaspersky scanner, even in Safe Mode (didn't try in Firefox, noticed last night)
- Firefox crashes (Started Sunday night)
- Google IE Redirects - sporadic (Noticed on Sunday night - I use Firefox)
- Bleeping Computer & some other sites blocked in IE and Firefox - "Unable to find server" type response, as if invalid (Noticed on Sunday night)
- IE is often my "default browser" on restart - it should be Firefox - but it doesn't always reset it (Started Saturday?)
- Odd history entries in IE - there is one particular entry (which I did not visit) which is a peculiar page with just text and a web link. I can post the text here, when I get home (Noticed last night)
- Very occasional IE pop-ups to a "security" company's web site.

Perhaps extraneously, I did get a trojan last week which caused the Security Center pop-ups / system tray icon and set bogus proxy server settings in IE. MBAM removed it in Safe Mode, and the problem went away - my computer appeared clean on Thursday and Friday, but it may not have been. Also, sometime on either Monday or Tuesday, Windows automatic updates were reset (I previously had them off and was doing the updates by hand, because there are some it keeps bugging me about that I don't want to install) - this may have been something I did by accident, and not a virus, however.

I have never posted to Bleeping Computer before, and I'm a little confused on the difference between the Malware Removal and the Am I Infected? forums. Am I in the right place?

I can try to post logs when I get home, assuming I can attach a text file to an e-mail and send it to another computer - I'm posting from work.

#2 stargazersilent
Posted 20 January 2010 - 11:25 PM

OK, one of the things that WOULD run was VundoFix - May not have been the smartest thing in the world to try without really knowing what I was getting into, but I figured a "scan only" wouldn't cause a problem. I left VundoFix running last night, and at some point, Windows restarted due to an update the darn thing installed all by its lonesome. It doesn't appear VundoFix left a log of any kind - I don't know where it normally saves something like that, though.

Today, I came home from work and was pleasantly surprised by being able to load bleepingcomputer.com, and Firefox has not crashed yet (in comparison, it had been crashing anywhere from immediately to a minute after I loaded it).

However, I still received a message just a moment ago that Symantec was disabled (but the system tray icon still looks like it's not disabled).

Anyway, I don't want to jump the gun, because I'm not sure whether I'm cured at this point or not!

I was just able to get MBAM to load by copying everything from its original installed folder to a different folder and renaming it. I'll see if it finds anything - I intend to run RKill, then MBAM, from "normal mode" (non-Safe Mode).

Another symptom I forgot to list above - I was unable to download Super AntiSpyware. Today I am able to do so, so I will try that as well. I will also try installing Spybot S&D to see if it will allow that.

Will update once I have those things run.

#3 stargazersilent
Posted 21 January 2010 - 01:18 AM

If I understand the two forums correctly, if I post logs my thread needs to be moved to Malware Removal... Is that right? Can someone move this thread, or do I need to make a whole new thread there?

I'll hold off on posting a HJT log until I'm squared away, but I will post what MBAM and SuperAntiSpyware caught.

MBAM log:
Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/20/2010 9:56:05 PM
mbam-log-2010-01-20 (21-56-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 243027
Time elapsed: 28 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kabrina\Local Settings\Temp\winhlp64.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Next I installed Super AntiSpyware, updated it, and ran it:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/20/2010 at 10:35 PM

Application Version : 4.33.1000

Core Rules Database Version : 4500
Trace Rules Database Version: 2314

Scan type : Complete Scan
Total Scan Time : 00:22:12

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 6117
Registry threats detected : 17
File items scanned : 19988
File threats detected : 9

Rootkit.Agent/Gen-Alureon
HKLM\System\ControlSet001\Services\H8SRTd.sys
C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTNQUALPALNR.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_H8SRTd.sys
HKLM\System\ControlSet002\Services\H8SRTd.sys
HKLM\System\ControlSet002\Enum\Root\LEGACY_H8SRTd.sys
HKLM\System\CurrentControlSet\Services\H8SRTd.sys
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_H8SRTd.sys
C:\WINDOWS\SYSTEM32\H8SRTCTVLXLPWJP.DLL
C:\WINDOWS\SYSTEM32\H8SRTEYNWXVJTTQ.DLL
C:\WINDOWS\SYSTEM32\H8SRTOUKYFBPSAC.DLL
C:\WINDOWS\SYSTEM32\H8SRTUAHSHAQQLY.DAT
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#H8SRTd
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#H8SRTc
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#H8SRTsrcr
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#h8srtserf
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#h8srtmsg
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules#h8srtbbr

Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\KABRINA\LOCAL SETTINGS\TEMP\H8SRTA1CC.TMP

Adware.Tracking Cookie
.sonyonlineentertainment.112.2o7.net [ C:\Program Files\Sony\Vanguard\bin\mozilla\cookies.txt ]
.cgm.adbureau.net [ C:\Program Files\Sony\Vanguard\bin\mozilla\cookies.txt ]
.cgm.adbureau.net [ C:\Program Files\Sony\Vanguard\bin\mozilla\cookies.txt ]


What else should I do to make sure I'm clean?

I think I caught whatever I have from an infected banner ad (from Disney, no less) - I usually have Symantec AntiVirus version 9.0.1000 (updates automatically) and Spybot S&D (which I try to keep updated) running resident on my computer. I run SpywareBlaster and CCleaner every few months. Once I'm clean, what other steps should I take to make sure my computer doesn't get infected again? Or should I chalk this one up to "no program can catch everything?" (On a semi-related note, can Spybot S&D, Super AntiSpyware, and Symantec AntiVirus all be run resident at the same time without messing any of them up? Super AntiSpyware is a neat program.)

Edited by stargazersilent, 21 January 2010 - 01:19 AM.
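As an added illustration (not part of this thread or of Malwarebytes' own code), a small parser for the MBAM log format posted above. It splits the log into the summary block and the per-category detail sections, pulls the path, detection name and action out of each entry, and cross-checks the summary counts against the detail entries so a log that was cut short or pasted incompletely stands out. The sample input is an excerpt of the log from this post.

```python
import re

# Excerpt of the MBAM log quoted in post #3 above, used as sample input.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\\|)
Objects scanned: 243027

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel\\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\Kabrina\\Local Settings\\Temp\\winhlp64.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
# "<path> (<detection name>) -> <action taken>"
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.*)$")


def parse_mbam_log(text):
    """Return (summary counts, detail entries) parsed from an MBAM log."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # blank line ends the current detail section
            current = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        sections[current].append(m.groupdict() if m else {"path": line, "family": "", "action": ""})
    return summary, sections


def count_mismatches(summary, sections):
    """Names of categories whose summary count disagrees with the entries listed."""
    return [name for name, n in summary.items() if len(sections.get(name, [])) != n]
```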


#4 stargazersilent
Posted 21 January 2010 - 01:34 AM

Just noticed: HJT Setup now works, or at least the installer will run now (prior, it was giving me an error that an Administrator had enabled settings that prevented the setup from running). Since I have HJT on my computer already, I'm not going to finish the install at the moment.

SmitFraudFix will now launch also, on test (although I didn't unzip it because I didn't actually want it to run).

MBAM will now launch from its entry on the Start Menu instead of having to go to the random folder I moved it to.

Able to download Spybot S&D, install & update. As soon as I close this browser, I'm going to immunize and scan, and I'll update with anything it finds, or if I have a problem.

EDIT: When I go to the "Recover" tab, Spybot says something about "Invalid Zip File" four times. I either recovered or purged all of the entries on the list and it still pops up the error messages. Once I'm clean, I'll try using the uninstaller and reinstalling again and see if that fixes it, otherwise I'll post a new thread. Just mentioning it here in case it is part of the infection.

Edited by stargazersilent, 21 January 2010 - 01:39 AM.




