Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"XP Defender" Trojan Hijack - Browser Hijacked - Help


  • This topic is locked This topic is locked
19 replies to this topic

#1 edwardsgang

edwardsgang

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 14 April 2010 - 05:43 PM

Hi, I have been hijacked by a trojan - not sure what the name is but, I have "XP Defender" in my tray and keep getting pop ups to purchase the "full version" of XP Defender. Also, my browser is hijacked and won't let me visit Bleeping computers from internet explorer. I am using Safari to post this but hope the hijack doesn't infect that too.

Any help would be so appreciated - thanks.

Edwardsgang

Edited by Budapest, 14 April 2010 - 05:45 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 14 April 2010 - 07:50 PM

Hello, see if this will work ..
Follow ALL the steps in the Automated Removal Instructions section of our Tutorial..
How to remove XP Security Tool 2010, XP Defender

If successful,post the MBAM log from there.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


How are things now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 16 April 2010 - 06:57 AM

I followed the instructions but not sure if it all worked. When I rebooted I did get a pop-up screen that looked like a windows alert and it said "a removal of spyware was only partially successful, windows needs to run a full scan which may take several hours, do you want to run this scan?" I exited out without running it fearing it was some leftover junk from the trojan. Here is my log file, let me knpw if there is something else I should do:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3994

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/16/2010 7:39:30 AM
mbam-log-2010-04-16 (07-39-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 274582
Time elapsed: 1 hour(s), 51 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Robert Edwards\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 16 April 2010 - 09:35 AM

Ok, we'll run these next and we should see some improvement.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 17 April 2010 - 05:01 PM

I followed the directions you supplied to run ATF and SAS. SAS had gotten through roughly 80,000 files when it hung up scanning a .dll in one of my application folders. After 19 hours I finally had to reboot th ecomputer so SAS didn't save the. I will try running SAS again and see if it makes it through this time. I'll post the log if it works.

Stand by for another day.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 17 April 2010 - 05:10 PM

You are in Safe MOde?? I 'll be here.. Sometimes they are long/
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 18 April 2010 - 08:13 PM

I was in Safe Mode but I tried running SAS three times in Safe Mode and it kept freezing each time after 17 or more hours. Not sure if that's normal but the scanning progress line at the top was no longer updating, it was showing that SAS was scanning the same path & filename for several hours before I decided to reboot. So finally I decided to see if I could get through a scan in normal windows mode - well, the XP defender trojan started popping up during the scan. So I'm now waiting for the scan to finish but I'm infected again :-} SAS has scanned over 60 thousand files, and it never got past 30,000 files when scanning in safe mode.

I'll post the log once SAS completes but I doub't I'm out of the woods yet.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 18 April 2010 - 08:36 PM

Ok if you still are having trouble with that try running RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.

Run SAS in normal if needed first.

Edit:If you get an alert that Rkill is "infected", ignore it. The alert is just a fake warning given by the rogue software which tries to terminate programs that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

Edited by boopme, 18 April 2010 - 08:41 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 19 April 2010 - 11:57 AM

OK, this is not working. I ran RKill and I tried running SAS and it froze again. I clicked the "Reset Program Options" button on SAS to reset the "Scanning Control" checkboxes and re-ran SAS and it finally completed. HOWEVER, now my computer doesn't recognize any applications when I try to run them I get the "Open With" windows window and it complains the file must have been moved or re-named. There fore, I can't view the log in SAS because the text editor is not found.

Is there anything else we can try? it seems the SAS approach is a dead-end. Perhaps a Combo-Fix Log or something?

I really appreciate your help.

Thanks,
Bob

Edited by edwardsgang, 19 April 2010 - 12:15 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 19 April 2010 - 12:41 PM

Actually it is working ,the malware doesn't like that you are removing it.

Go here to Doug KNox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.

See if we can get the SAS log.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 19 April 2010 - 10:04 PM

OK. File associations are back. I am going to post two logs: Before your last post I was able to run a MBAM Full Scan from Safe Mode. So I will post the successful SAS log I mentioned in my last post and I will also post my MBAM Safe Mode FULL SCAN log. After you look them over, if you want me to re-run any scans just let me know. Thanks.

--------------SAS LOG---------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/19/2010 at 09:44 AM

Application Version : 4.29.1004

Core Rules Database Version : 4820
Trace Rules Database Version: 2632

Scan type : Complete Scan
Total Scan Time : 02:04:09

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 7137
Registry threats detected : 0
File items scanned : 27502
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Robert Edwards\Cookies\robert_edwards@nextag[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@smartadserver[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt


----------------MBAM Log------------------------------

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4007

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/19/2010 6:46:23 PM
mbam-log-2010-04-19 (18-46-23).txt

Scan type: Full scan (C:\|)
Objects scanned: 255457
Time elapsed: 2 hour(s), 10 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------- END LOGS---------------------------------------------------

Edited by edwardsgang, 19 April 2010 - 10:06 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 19 April 2010 - 10:26 PM

Excellent!! A bit about MBAM. Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM.

If you had to install it from Safe Mode we should reinstall it in Normal also.

I would also like tio do one more scan... Online type with ESET
Please perform a scan with Eset Online Antiivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?"".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


I have to leave soon,but will check back. Tell me how it's running after these.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 20 April 2010 - 10:28 PM

I tried to run the scanner but I'm getting this annoying popup with all my applications that says:

"SECURITY WARNING The file xxxx.xxx is infected. Do you want to run security software now? Yes No"

I believe this is the same old hijack problem since I have been seeing it spoiradically since the original infection.

Any ideas?

#14 edwardsgang

edwardsgang
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:40 PM

Posted 21 April 2010 - 11:18 AM

Today I booted and I have an entirely new hijack scanner page popping up and doing a fake scan on my computer.

Also, it won't let me visit any web pages at all. It blocks me from visiting Yahoo and displays a message that "Internet Explorer cannot display the webpage"

I am sending this message on a different computer because mine is rendered useless.

I had a hijack once a long time ago and I received help here before but in that case someone named schrauber was having me scan the computer with combofix, hijackthis and DDS and other programs and he was sending me code snippets to drag into combofix and re-run. That method was very effective and got rid of these persistent litte buggers.

Can we try that? (Not trying to tell you your business, obviously if I were so smart I wouldn't be in this predicament:-)

Edited by edwardsgang, 21 April 2010 - 11:20 AM.


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 PM

Posted 21 April 2010 - 02:45 PM

Hello yes we can post there .. Try this first tho.

If you get an alert that Rkill is "infected", ignore it. The alert is just a fake warning given by the rogue software which tries to terminate programs that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.


If no joy we move on.
Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users