Can't clean malware that causes IE8 redirect:

No replies to this topic

#1 JXP

Posted 04 May 2010 - 04:28 PM

I can't clean the malware that causes an IE8 redirecting problem:
I use this computer for internet searches, reading email, and creating web page content. None of the sites I regularly visit are known to be dangerous, and I open email only from expected sources. I manually cleaned the junk from my Windows XP Home registry and orphaned directories a month ago, so this computer was running as fast as a new install for websurfing and desktop work. I have not had any virus problems for a couple of years until yesterday, when virus alerts began and the computer slowed down.

Note: I installed and tried uTorrent a week ago, then uninstalled it and deleted the orphaned download directory, as I have little use for file sharing. uTorrent may have been a portal for malware, but there have been no problems before or after I removed uTorrent a week ago. I think the malware most likely came from some website I surfed yesterday, as the problems only started yesterday during a Google search session that took me to a lot of anti-malware sites. The first symptoms came when I saw popups from Avira Antivirus warning of virus files trying to connect to a remote website, "hosted-by.madet.info", and trying to modify the memory of Internet Explorer. I responded asking Avira to deny access and to delete the files. But the virus alerts continued with new filenames from the same locations. At the same time my IE8 browser began redirecting when I clicked on Google links to antivirus sites, taking me to bogus search engines like www.findstuff.com instead of the antivirus site I requested. This also happened for any other search engines or links I clicked in IE8. Sometimes new IE windows also magically opened for these bogus sites. The computer also slowed down noticeably, with a few seconds' lag when trying to re-size browser and directory windows on the desktop.

I noticed that all attempts to navigate to a Microsoft support site failed. Any link to a Microsoft support page or hand-typed Microsoft URL also results in a redirect to some bogus search engine or directory link page. When I click Windows Update from the XP start menu, IE8 opens to a page that says "Internet Explorer cannot display the webpage".

I ran SuperAntispyware and Avira scans where virus files were found, quarantined and deleted, but this did not stop the IE8 browser from continuing to redirect and more virus warnings from coming. Apparently, Avira antivirus and SAS cannot remove the malware that is causing this redirecting in IE. Luckily the SRWare Iron browser was not redirecting, so I could use it to navigate the net and arrive here.

Here is a chronology of the events when the problem started and I attempted to remove the virus:

Info from my Avira Antivirus event log:
Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:00
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Delete file

Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:01
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:06
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Deny access

At this time I ran a scan with SuperAntispyware with a new definitions file and found "agent/gen-cdesc[pz]":
C:\Documents and Settings\J\Local Settings\Temp\OQW.EXE <-- quarantined
C:\WNDOWS\OJURAA.EXE <-- quarantined
I also deleted cookies and the IE cache, then I rebooted.

After reboot, more Avira antivirus alerts came within minutes of IE browsing:
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/3/10 14:54
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6K02ED0G\2[1].php.
Action performed: Deny access

Virus or unwanted program 'HTML/Crypted.Gen [virus]' 5/3/10 14:55
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EEJS4XJB\comm-test._V212784757_[1].js.
Action performed: Delete file

Virus or unwanted program 'HTML/Crypted.Gen [virus]' 5/3/10 14:55
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EEJS4XJB\comm-test._V212784757_[1].js.
Action performed: Delete file

Virus or unwanted program 'HTML/Crypted.Gen [virus]' 5/3/10 14:55
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EEJS4XJB\comm-test._V212784757_[1].js.
Action performed: Delete file

Virus or unwanted program 'HTML/Crypted.Gen [virus]' 5/3/10 14:58
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EEJS4XJB\comm-test._V212784757_[1].js.
Action performed: Delete file

Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 16:33
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Deny access

I stopped OQX.exe from running using a program called whatsrunning (similar to Task Manager), then I deleted OQX.exe from C:\Documents and Settings\J\Local Settings\Temp\
OQX.exe was no longer running and the computer desktop was back to normal speed, but IE continued redirecting.
Some online research says the virus is a call-home type, and possibly a keylogger, depending on where you check.

Then more virus alerts from Avira antivirus:
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/4/10 2:41
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0KL4CVPE\2[1].php.
Action performed: Deny access

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/4/10 4:45
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0KL4CVPE\2[1].php.
Action performed: Deny access

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/4/10 6:00
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0KL4CVPE\2[1].php.
Action performed: Deny access

Next, I cleared the IE cache and deleted cookies, then I reinstalled the latest Super Antispyware and downloaded the current definitions file. I ran a full scan that found this malware:
C:\Documents and Settings\J\Cookies\ [The usual tracking cookies with no serious problems]
Trojan.Agent/Gen-FakeAlert
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E8EB6664-8A0D-4036-A527-4DC7C2168107}\RP3\A0000088.EXE

I clicked next to quarantine and delete the cookies and trojan, then rebooted.
After reboot, I still get redirected on IE8, and cannot access Windows Update.

Another virus alert:
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/4/10 9:27
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0KL4CVPE\2[1].php.
Action performed: Deny access

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/4/10 12:37
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6K02ED0G\2[2].php.
Action performed: Deny access

-----
My computer details:

  • XP home SP3 and IE8 with all updates. Last update was 4/17/10 - (included 7 security updates)
  • Freeware security: Avira Antivirus, Outpost Firewall, SAS Spyware scan
  • Direct ADSL modem connection - no router or network
  • P4 2.8 GHz, 2x512 MB RAM on an Asus P4P800 Deluxe board
  • Asus V9999GT (Geforce 6800) video
  • Samsung P2770 display
  • Creative Audigy 2ZS Platinum sound
  • WD 120GB SATA
  • LITE-ON DVDRW
  • No printer or other peripherals except keyboard and mouse

What should I do to fix the redirecting problem?


Thank you in advance for the help,
JXP
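A small triage helper for Avira event-log excerpts of the kind pasted in the post above, added here as an example; it is not part of the post and not Avira's own tooling. It parses the three-line entries, tolerates the missing closing quote on the file paths exactly as they appear in the paste, groups detections by name and by file path, and flags paths that were hit repeatedly (the scanner deleted or denied the file and it came back) as well as files cached under the NetworkService profile, which were fetched by a process running as that service account rather than by the interactive user's browser. The sample log is a constructed subset copied from the entries quoted in the post; the function names are mine.

```python
"""Parse Avira event-log excerpts and summarize them for triage (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:00
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Delete file

Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:01
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.PEPM.Gen [trojan]' 5/3/10 11:06
detected in file 'C:\Documents and Settings\J\Local Settings\Temp\exsoarncmw.tmp.
Action performed: Deny access

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]' 5/3/10 14:54
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6K02ED0G\2[1].php.
Action performed: Deny access

Virus or unwanted program 'HTML/Crypted.Gen [virus]' 5/3/10 14:55
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EEJS4XJB\comm-test._V212784757_[1].js.
Action performed: Delete file
"""

# Line 1: detection name, category in brackets, then m/d/yy and 24h time.
HEADER_RE = re.compile(
    r"^Virus or unwanted program '(?P<name>[^'\[]+?) \[(?P<kind>\w+)\]' "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2})$"
)
# Line 2: the path as pasted lacks its closing quote and ends with a sentence
# period, so both are optional and the path itself is matched lazily.
FILE_RE = re.compile(r"^detected in file '(?P<path>.+?)'?\.?$")
# Line 3: what the scanner did.
ACTION_RE = re.compile(r"^Action performed: (?P<action>.+)$")


def parse_avira_log(text):
    """Return a list of dicts (name, kind, when, path, action), one per entry."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "name": m["name"],
                "kind": m["kind"],
                "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M"),
            }
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            current["path"] = m["path"]
            continue
        m = ACTION_RE.match(line)
        if m and current is not None and "path" in current:
            current["action"] = m["action"]
            events.append(current)
            current = None  # entry complete; wait for the next header
    return events


def classify_path(path):
    """Coarse location label used to prioritise follow-up on a detection."""
    p = path.lower()
    if "\\networkservice\\" in p:
        # IE cache under a service account: written by a process running as
        # NetworkService, not by the logged-on user's browser session.
        return "networkservice-profile"
    if "\\local settings\\temp\\" in p:
        return "user-temp"
    if "\\temporary internet files\\" in p:
        return "ie-cache"
    return "other"


def summarize(events):
    """Counts per detection name, actions per path, and paths hit more than once."""
    by_name = Counter(e["name"] for e in events)
    actions_by_path = defaultdict(Counter)
    for e in events:
        actions_by_path[e["path"]][e["action"]] += 1
    # A path detected repeatedly was recreated after deletion or could not be
    # removed: a sign of a live process re-dropping it (heuristic, not proof).
    repeat_hits = sorted(p for p, c in actions_by_path.items() if sum(c.values()) > 1)
    return {
        "by_name": dict(by_name),
        "actions_by_path": {p: dict(c) for p, c in actions_by_path.items()},
        "repeat_hits": repeat_hits,
        "locations": Counter(classify_path(e["path"]) for e in events),
    }


if __name__ == "__main__":
    report = summarize(parse_avira_log(SAMPLE_LOG))
    for name, n in report["by_name"].items():
        print(f"{n:2d}  {name}")
    for path in report["repeat_hits"]:
        print("repeated:", path, report["actions_by_path"][path])
    print(dict(report["locations"]))
```

Run on the full log from the post, the repeat-hit list isolates the Temp-folder dropper that keeps reappearing from the cache hits that are merely pages the browser fetched, which is the distinction that decides where a cleanup effort should start.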
