
IE and Firefox Popups - Windows XP


This topic is locked
26 replies to this topic

#1 HalfSpec

Posted 27 January 2010 - 05:04 PM

Hello,

My name is Lane and I'm a 27 year old electrical engineer. I can usually solve my own malware problems, but this one has me stumped. This is on my work computer, so my normal login account has limited privileges, but I do have a local administrator login so I can install software. I won't give you a pile of excuses about how this shouldn't have happened. Obviously, I went somewhere or opened something I shouldn't have, although I usually only read through automotive message boards when I have downtime, and I haven't had anything out of the ordinary happen over the last couple of days.. Who knows..

Ok, down to business. I've been getting pop-ups that mainly advertise spyware/malware removal software. Happens in both IE and Firefox and seems to increase frequency with the speed that I maneuver to different websites. I tried malwarebytes. It didn't find anything. Spybot found 90 something "infections" and after it did its cleanup I seemed popup free, at least for the last half of the day. Well this morning the popups are back, and I have a startup error (don't know if it's relevant or not) saying that netshone.dll can't be detected in the documents and settings\myname\local settings\temp (I cleared this out after my antivirus program started detecting trojans in the temp/temporary internet file folders).
I have attached DSS logs and a hijackthis log that I ran from my local administrator account. RootRepeal gives me an error every time I run it saying that it's having a Decompression error (5)! so I don't have logs for it.

Any help is greatly appreciated.

Lane

Finally got RootRepeal.exe to run on my administrator account. Here's the log.

Thanks for looking
Lane

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 27 January 2010 - 10:08 PM.




#2 Blind Faith (Malware Response Team)

Posted 03 February 2010 - 02:44 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 HalfSpec (Topic Starter)

Posted 03 February 2010 - 04:08 PM

Thank you for replying Blind Faith. I could really use your help. I've attached the requested files to this post.

Attached Files



#4 HalfSpec (Topic Starter)

Posted 03 February 2010 - 04:15 PM

Also, I don't know if it will show up in the new DDS logs, but "Antivirus Plus" just became active not 2 minutes after I replied to this thread.

#5 Blind Faith (Malware Response Team)

Posted 03 February 2010 - 04:46 PM

Hello HalfSpec!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air,waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.
And also do not make any other changes to your system.
This will not help any of us because fixes are based on strict information I find in your logs so changing it will only complicate the situation.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



Elle




#6 HalfSpec (Topic Starter)

Posted 03 February 2010 - 04:52 PM

Thank you Elle,

I made a couple of changes before I read your second reply, so I'm going to repost my DSS logs. Sorry to complicate the situation. I ran combofix to take care of Antivirus Plus because it was really interfering with my productivity. Other than that, things should be the same.

Lane

PS
I'm also uploading combofix's log (log.txt) to make you aware of what it fixed.

Attached Files



#7 Blind Faith (Malware Response Team)

Posted 03 February 2010 - 07:07 PM

Hi HalfSpec,


Try to avoid making changes from now on, please.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.





If you decide to continue then please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



Elle


#8 HalfSpec (Topic Starter)

Posted 04 February 2010 - 02:56 PM

Hey Elle,

I have attached the gmer log below. I ran it on an administrator account in safe mode. I would like to continue with the clean if you have the time. This computer doesn't have any personal or work related banking information on it and I don't allow my internet browsers to save my username/passwords. I think that the only way a backdoor program could sniff my passwords is with a keylogger. Then again, I'm here for help, so I probably don't know what I'm talking about.

Thank you for your help.

Lane

Attached Files

  • Attached File: gmr.log (16.66 KB, 5 downloads)


#9 Blind Faith (Malware Response Team)

Posted 05 February 2010 - 07:42 PM

Hi Lane,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Folder::
c:\docume~1\alluse~1\applic~1\timuhopu
c:\docume~1\alluse~1\applic~1\fohumudi
c:\docume~1\alluse~1\applic~1\badalefi
c:\docume~1\alluse~1\applic~1\zekohuyi
c:\docume~1\alluse~1\applic~1\toyovobu
c:\docume~1\alluse~1\applic~1\mojohigu
c:\docume~1\alluse~1\applic~1\yohusepa
c:\docume~1\alluse~1\applic~1\tozativi
c:\docume~1\alluse~1\applic~1\fukupiva
c:\docume~1\alluse~1\applic~1\ziniguhe
c:\docume~1\alluse~1\applic~1\mapotimi
c:\docume~1\alluse~1\applic~1\bokodase
c:\docume~1\alluse~1\applic~1\vewihene
c:\docume~1\alluse~1\applic~1\nogipeja
c:\docume~1\alluse~1\applic~1\jubopige
c:\docume~1\alluse~1\applic~1\zizarino
c:\docume~1\alluse~1\applic~1\zibuyiri
c:\docume~1\alluse~1\applic~1\lotibuye
c:\docume~1\alluse~1\applic~1\seyawidi
c:\docume~1\alluse~1\applic~1\hilemebu
c:\docume~1\alluse~1\applic~1\jovaleja
c:\docume~1\alluse~1\applic~1\hezuhoge
c:\docume~1\alluse~1\applic~1\relifaga
c:\docume~1\alluse~1\applic~1\nejopoyi
c:\docume~1\alluse~1\applic~1\wukoraga
c:\docume~1\alluse~1\applic~1\vedilune
c:\docume~1\alluse~1\applic~1\habodotu

File::
c:\windows\system32\smss32.exe
c:\docume~1\alluse~1\applic~1\fohumudi\fohumudi.dll
c:\documents and settings\lane.simmons\local settings\application data\ujohesogologiwab.dll
c:\documents and settings\lane.simmons\local settings\application data\d3xcpl.dll
c:\documents and settings\all users\application data\zibuyiri\zibuyiri.dll
c:\documents and settings\lane.simmons\Local Settings\Application Data\Qxogoxirakipejox.bin
c:\documents and settings\lane.simmons\Local Settings\Application Data\Vborulop.dat
c:\docume~1\admini~1\locals~1\temp\EVNNLZ.exe

Driver::
EVNNLZ

DDS::
uRun: [jikejezid] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fohumudi\fohumudi.dll",a
uRun: [Ekeroneniqedukic] rundll32.exe "c:\documents and settings\lane.simmons\local settings\application data\ujohesogologiwab.dll",Startup
uRun: [Yquvujupil] rundll32.exe "c:\documents and settings\lane.simmons\local settings\application data\d3xcpl.dll",Startup
uRun: [desapumolu] Rundll32.exe "c:\documents and settings\all users\application data\zibuyiri\zibuyiri.dll",s
uRun: [smss32.exe] c:\windows\system32\smss32.exe
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Also, please include new DDS logs.

Please also tell me how the PC is going after running Combofix again.
And re-run DDS and post the new logs together with the Combofix log.




Elle

#10 HalfSpec (Topic Starter)

Posted 05 February 2010 - 09:29 PM

Thank you for the updated instructions Elle.

After dragging CFScript.txt into ComboFix.exe, ComboFix ran, told me it was rebooting the machine, then when Windows booted back up, it ran again for about 5 minutes then spit out the log.

However, when windows came up I received several warning screens telling me that the following files could not be located:

ujohesogologiwab.dll
d3xcpl.dll

At the same time, my network's antivirus was reporting that the file C:\Documents and Settings\All Users\Application Data\luruwono\luruwono.dll was infected and could not be removed since it was in use, which I took to mean it was running.

So I rebooted to safe mode, opened REGEDIT and found the entries in HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\Current Version\Run\ along with several others:

Rundll32.exe "C:\Documents and Settings\All Users\Application Data\luruwono\luruwono.dll",s
rundll32.exe "C:\Documents and Settings\lane.simmons\Local Settings\Application Data\ujohesogologiwab.dll",Startup
Rundll32.exe "c:\docume~1\alluse~1\applic~1\musowewo\musowewo.dll",a
rundll32.exe "C:\Documents and Settings\lane.simmons\Local Settings\Application Data\d3xcpl.dll",Startup

I deleted the keys above, then browsed to C:\Documents and Settings\All Users\Application Data\ and deleted all the random 8 letter folders that were there hiding dll files of the same name and rebooted.

Everything seemed to be alright, so I reran DSS.scr as you requested and have attached the logs below.

Hope my actions didn't screw up your repair. I just felt like if this thing was running, it could reinfect the machine and I was trying to disable it as best I could.

Thanks
Lane


Attached Files
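A defender-side check for the persistence pattern that the CFScript in post #9 and the Run-key entries in post #10 show (rundll32.exe autorun entries loading a same-named DLL from a random eight-letter folder under Application Data, a process-name lookalike such as smss32.exe, and the extra IE Trusted Zone sites), written as an added Python example that is not part of this thread or of any tool mentioned in it. The sample lines are constructed from the quoted DDS entries with the user name replaced; the writable-directory markers and the system-process name list are my own assumptions.

```python
# Heuristic checks for the autorun patterns quoted in this thread (added example,
# not a tool from the thread). Line formats follow the DDS excerpts posted above.
import re

# Constructed sample modelled on the DDS lines in the thread (user name replaced),
# plus two benign Windows XP entries so the checker has negatives to ignore.
SAMPLE_DDS_LINES = r"""
uRun: [jikejezid] Rundll32.exe "c:\docume~1\alluse~1\applic~1\fohumudi\fohumudi.dll",a
uRun: [Yquvujupil] rundll32.exe "c:\documents and settings\someuser\local settings\application data\d3xcpl.dll",Startup
uRun: [smss32.exe] c:\windows\system32\smss32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Trusted Zone: buy-internet-security10.com
""".strip().splitlines()

RUN_LINE = re.compile(r'^\s*[um]?Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+?)\s*$', re.I)
ZONE_LINE = re.compile(r'^\s*Trusted Zone:\s*(?P<domain>\S+)', re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')        # a quoted path or a bare word
EIGHT_LOWER = re.compile(r'^[a-z]{8}$')   # the random folder/DLL names in the logs

# Profile directories a limited user can write to, including 8.3 short forms (assumed list).
USER_WRITABLE_MARKERS = ('application data', 'applic~1', 'local settings', 'locals~1', '\\temp\\')

# Core Windows process names that fake-AV droppers imitate (heuristic, not exhaustive).
SYSTEM_PROCESSES = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'lsass.exe',
                    'svchost.exe', 'rundll32.exe', 'explorer.exe'}


def _basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def check_rundll32_target(dll_path):
    """Reason string if the DLL handed to rundll32 matches the thread's pattern, else None."""
    p = dll_path.lower()
    parts = p.split('\\')
    if len(parts) < 2:  # bare module name such as bthprops.cpl, resolved from system paths
        return None
    folder, fname = parts[-2], parts[-1]
    stem = fname[:-4] if fname.endswith('.dll') else fname
    in_user_dir = any(m in p for m in USER_WRITABLE_MARKERS)
    if in_user_dir and EIGHT_LOWER.match(folder) and folder == stem:
        return 'rundll32 loads <8 random letters>\\<same name>.dll from a user-writable profile directory'
    if in_user_dir:
        return 'rundll32 loads a DLL from a user-writable profile directory'
    return None


def check_lookalike(exe_path):
    """Reason string if the executable name is a system process name with digits bolted on."""
    name = _basename(exe_path)
    if name in SYSTEM_PROCESSES:
        return None
    stripped = re.sub(r'\d+', '', name)
    if stripped in SYSTEM_PROCESSES:
        return f'{name} imitates the system process name {stripped}'
    return None


def analyse_dds_lines(lines):
    """Return [(entry name, reason)] for lines that trip a check; benign lines are skipped."""
    findings = []
    for line in lines:
        z = ZONE_LINE.match(line)
        if z:  # the fake AV in the thread added its own sites to IE's Trusted zone
            findings.append(('Trusted Zone', f'{z.group("domain")} is in the IE Trusted sites zone; confirm it was added deliberately'))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        tokens = [t.strip('"') for t in TOKEN.findall(m.group('cmd'))]
        if not tokens:
            continue
        if _basename(tokens[0]) == 'rundll32.exe':
            target = tokens[1].split(',')[0] if len(tokens) > 1 else ''
            reason = check_rundll32_target(target)
        else:
            reason = check_lookalike(tokens[0])
        if reason:
            findings.append((m.group('name'), reason))
    return findings
```

Running `analyse_dds_lines` over a real DDS "uRun:"/"mRun:" section gives a quick triage list; the checks are heuristics and every hit still needs a look at the file itself.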



#11 Blind Faith (Malware Response Team)

Posted 07 February 2010 - 03:14 PM

Hi Lane,


I told you not to make any other changes except the ones I tell you to. Those changes can ruin our work and damage your computer.
You requested assistance in removing the malware on your PC, so please follow my instructions and do not make any other changes.




Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




Rerun DDS and post the new logs along with the MalwareBytes' log.



Elle

Edited by Blind Faith, 07 February 2010 - 03:19 PM.


#12 HalfSpec (Topic Starter)

Posted 08 February 2010 - 04:08 PM

Elle,

You're right. I did ask for assistance. Sorry for the trouble.

The Malwarebytes log is as follows:

-----------------------------------------
Malwarebytes' Anti-Malware 1.44
Database version: 3655
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

2/8/2010 2:07:31 PM
mbam-log-2010-02-08 (14-07-31).txt

Scan type: Quick Scan
Objects scanned: 113478
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Delete on reboot.
-----------------------------------------

As you can see rundll32.exe is a file that couldn't be deleted. I let Malwarebytes reboot my computer and try to remove the file on the restart. Unfortunately, after running Malwarebytes again it still said rundll32.exe was infected. I let Malwarebytes reboot the system again with the same results. I cannot find the file using Explorer with my folder options set to show all system and hidden files. Also, the Windows DOS prompt cannot find/delete the file rundll32.exe.

I have attached the latest DDS logs below

Lane

Attached Files



#13 Blind Faith (Malware Response Team)

Posted 12 February 2010 - 03:27 PM

Hi Lane,


We need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:

2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.

3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt



Post those together with a new set of DDS logs.


Elle


#14 Blind Faith (Malware Response Team)

Posted 15 February 2010 - 07:32 AM

Hi,

Are you still with me?
Have you resolved the problem?
Tell me if so.
Be aware that in 2 more days of inactivity this topic will be closed.



Thank you,
Elle

#15 HalfSpec (Topic Starter)

Posted 15 February 2010 - 06:39 PM

Elle, I'm still here. Sorry. I was out of town until around 3 o'clock CST. I am following your procedure right now. Will post results shortly.

Lane




