
Google Results Hijacked & Pop-Under Ads


  • This topic is locked
24 replies to this topic

#1 otley


Posted 31 May 2010 - 12:54 AM

Hello,

I recently noticed that the results from my google search in Firefox were being hijacked and redirected to other sites. Around the same time I received a few pop-under ads, as well. Additionally, I noticed that my System Restore had been disabled, and my firewall had also been turned off.

Please help me if you can. I am running Windows XP and Firefox 3.6.3. I also have IE 6.0.

I have attached the ark.txt file from the GMER scan. I ran the DDS scan, but it did not produce the two .txt files that were supposed to result from that.

Thank you very much.

Attached Files

  • Attached File: ark.txt (3.56KB)



#2 etavares

  • Malware Response Team

Posted 02 June 2010 - 06:54 PM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


In your reply, please post both OTL logs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 otley


Posted 02 June 2010 - 09:29 PM

Hello -- thank you for your help. I ran the OTL scan and received the two attached logs. Please advise on the next steps.

Attached Files



#4 etavares


Posted 03 June 2010 - 06:13 PM

Hello, otley.
Next, please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop as otleyCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on otleyCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#5 otley


Posted 05 June 2010 - 12:49 AM

Hello,

I downloaded ComboFix from the first link and disabled the Anti-Virus program on my PC.

I then ran ComboFix. It asked to install the Recovery Console and then did so. I got the same message boxes shown in your last message and clicked 'Yes' to continue scanning for malware.

However, it then ran a little more, then gave me a message to the effect of "Rootkit activity has been detected. Need to reboot machine." It began the reboot, but now Windows will not load up at all. It never got to the point of giving me the ComboFix log to save, since it stopped mid-activity and will not load Windows now.

As I reboot I hit F8 when the title screen comes up. I can get to the option of "Start Windows Normally", but I just end up with a black screen. If I choose "Start with Safe Mode" then I get an 18-item list of things that are getting loaded up and it looks like it is stopping trying to load one of them. The last one it shows is "\WINDOWS\System32\Drivers\MountMgr.sys". I don't know if that was the last piece to successfully run or the piece that isn't running at all.

If you know of solutions to this, please let me know.
Thanks,
-otley

#6 etavares


Posted 05 June 2010 - 05:48 AM

Hello, otley.

OK, you have a rootkit that infected a critical system file. We need to find a suitable replacement. First, don't worry. Your data is there.

We need to find a clean file and replace the infected one.

First, I need to give you this warning.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Next, we can do one of two approaches:
1. Replace the file to fix the computer.
2. Access your data to save it, then reformat.

I'll assume you want to fix. Do you have the Windows Installation CD? Can you get into the recovery console that Combofix should have installed?



Step 1

Enter the Recovery Console, to do that:
  • Insert the Windows XP cd in your computer.
  • Restart your computer so you are booting off of the CD. When you see "press any key to boot off CD ..." press a key. (If you don't get this, you have to change the boot order from the BIOS.)
  • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
  • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
At the C:\windows prompt, please type each command below and press Enter. The line under each command gives you more information about it.

map
  This will give you a listing of your drives. Note the letter of your CD-ROM.

ren c:\windows\system32\drivers\mountmgr.sys mountmgr.old
  You'll get a fresh prompt without any notifications.

expand e:\i386\mountmgr.sy_ c:\windows\system32\drivers
  Replace E with the letter of your CD-ROM drive from the map command above. You should get notified that the file expanded.

exit
  Your computer will reboot.

Then, reboot from your hard drive and not the CD. Does Windows load? If not, I have more ways to replace this file.

etavares

Edited by etavares, 05 June 2010 - 05:49 AM.




#7 otley


Posted 06 June 2010 - 12:16 AM

Hello,

I followed those instructions and got the notification that the file expanded. However, Windows still does not boot up.

I hope I did not throw you off-course with the mention of the mountmgr file. I don't know what that file is -- Is that a likely culprit that keeps Windows from loading?

Thank you.


#8 etavares


Posted 06 June 2010 - 05:17 AM

Hello, otley.

It was worth a shot...when this happens, it's a corrupted driver from the rootkit. We just need to identify which one. We need to create a new boot disc.
  • Please download OTLPE Network ISO.
  • Save it to the desktop of a working computer.
  • Insert a blank CD into the CD burner.
  • Doubleclick OTLPENet.exe on your desktop and it will automatically start and burn a bootable CD.

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads. You may think it's stuck...trust me, it's not. Go get a drink or do something else for a bit then come back.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "code".

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %systemroot%\system32\drivers\*.sys /90
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      winlogon.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      nvrd32.sys
      ahcix86s.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please copy and paste the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.

etavares

Edited by etavares, 06 June 2010 - 05:19 AM.




#9 otley


Posted 06 June 2010 - 10:57 PM

Thank you, etavares, for your help so far. I would never have figured this out by myself. I was able to complete that procedure and boot reatogo-x-pe from the CD. I have attached the OTL log that was generated from that process.

-otley

#10 etavares


Posted 07 June 2010 - 06:28 PM

Nailed it. It's this file:
C:\WINDOWS\system32\drivers\Ftdisk.sys

Please follow the instructions in this post from earlier, except replace mountmgr with ftdisk.

So, in the recovery console:

ren c:\windows\system32\drivers\ftdisk.sys ftdisk.old

expand e:\i386\ftdisk.sy_ c:\windows\system32\drivers

Replace E with the letter of your CD-ROM drive from the map command above. You should get notified that the file expanded.

exit

Did it reboot into Windows? If so, please run Combofix again. There's still malware visible in the logs.




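The recovery-console procedure in posts #6 and #10 works by renaming the suspect driver and expanding a pristine copy from the install CD's i386 folder, and the OTL scripts in posts #2 and #8 collect MD5s of the same boot-critical drivers (the `/90` switch lists those modified in the last 90 days) so the infected one can be picked out. The script below is an added example, not part of the original thread and not OTL's or ComboFix's code: it hashes every .sys in a drivers directory against reference copies (for instance the files expanded from i386 onto a USB stick) and flags hash or size mismatches, recent modification, and drivers that have no reference at all. The directory tree, driver contents and the name vendor.sys are constructed for the demo.

```python
"""Offline driver integrity check, in the spirit of OTL's /md5start list and the
ftdisk.sys replacement described in the thread.  Compares *.sys files in a
system32\\drivers directory against reference copies (e.g. expanded from the
install CD's i386 folder) and reports hash/size mismatches, recent modification
and files with no reference.  Example code, not from the original thread; the
sample tree is constructed in a temp directory so it runs anywhere."""
import hashlib
import os
import tempfile
import time


def md5_of(path, chunk=1 << 16):
    """MD5 of a file; used only for equality against a trusted reference copy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_drivers(drivers_dir, reference_dir, max_age_days=90, now=None):
    """Return {driver name: [findings]} for every *.sys in drivers_dir.

    Findings: 'modified-recently', 'no-reference', 'size-mismatch', 'md5-mismatch'.
    An empty list means the driver matched its reference and is not recent.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    results = {}
    for name in sorted(os.listdir(drivers_dir)):
        if not name.lower().endswith(".sys"):
            continue
        path = os.path.join(drivers_dir, name)
        findings = []
        if os.path.getmtime(path) > cutoff:
            findings.append("modified-recently")
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(ref):
            findings.append("no-reference")
        else:
            if os.path.getsize(path) != os.path.getsize(ref):
                findings.append("size-mismatch")
            if md5_of(path) != md5_of(ref):
                findings.append("md5-mismatch")
        results[name] = findings
    return results


def build_sample_tree(root, now):
    """Constructed sample: atapi.sys clean and old, ftdisk.sys with an appended
    blob and a fresh timestamp, vendor.sys (hypothetical) with no reference."""
    drivers = os.path.join(root, "drivers")
    reference = os.path.join(root, "i386")
    os.makedirs(drivers)
    os.makedirs(reference)
    clean_atapi = b"MZ" + b"\x00" * 512 + b"atapi original code"
    clean_ftdisk = b"MZ" + b"\x00" * 512 + b"ftdisk original code"
    for d in (drivers, reference):
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(clean_atapi)
    with open(os.path.join(reference, "ftdisk.sys"), "wb") as f:
        f.write(clean_ftdisk)
    with open(os.path.join(drivers, "ftdisk.sys"), "wb") as f:
        f.write(clean_ftdisk + b"\x90" * 64)  # constructed "infected" copy
    with open(os.path.join(drivers, "vendor.sys"), "wb") as f:
        f.write(b"MZ third-party driver")
    old = now - 400 * 86400
    for name in ("atapi.sys", "vendor.sys"):
        os.utime(os.path.join(drivers, name), (old, old))
    os.utime(os.path.join(drivers, "ftdisk.sys"), (now, now))
    return drivers, reference


def demo():
    """Build the constructed tree and run the comparison on it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        drivers, reference = build_sample_tree(root, now)
        return compare_drivers(drivers, reference, max_age_days=90, now=now)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:12s} {', '.join(findings) or 'OK'}")
```

Run it from an offline boot such as the OTLPE disc used above, with the infected volume mounted: a rootkit that is running can hide the modification from anything executing on the infected Windows, which is the reason the driver was only pinned down once the scan ran from the boot CD. Matching size and an old timestamp are not clearance on their own, since an infection that overwrites part of a driver in place can keep both; only the hash mismatch against a trusted copy is decisive.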
#11 otley


Posted 08 June 2010 - 01:15 AM

Yes! Replacing that file did work to re-boot windows from the sick machine. ComboFix then ran automatically (since the last running detected the rootkit?) and produced the attached log. I have not yet re-attached that machine to the internet. I wanted to check if you thought it would be safe to do so.

Thank you.
-otley

Attached Files



#12 etavares


Posted 08 June 2010 - 10:54 PM

Hello, otley.

OK, great! Still some leftovers to take care of before we plug it back into the internet.


P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow you to share files between users, as the name suggests. In today's world, cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall, please refrain from using it until I let you know your computer is clean.


Step 1


I see you have the Freecorder toolbar installed. You may want to remove it as some of that company's toolbars are of ill repute. Please see here:
http://www.systemlookup.com/search.php?typ...f6-b9f15a596612



Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

driver::
isaxbox
jljff

file::
C:\Documents and Settings\Josh\Local Settings\Temp\hexdump.exe
C:\Documents and Settings\Josh\Local Settings\Temp\winamp.exe
C:\Documents and Settings\Josh\Local Settings\Temp\cmd.exe
C:\Documents and Settings\Josh\Local Settings\Temp\avp32.exe
C:\Documents and Settings\Josh\Local Settings\Temp\Iql.exe
C:\Documents and Settings\Josh\Local Settings\Temp\j2ikf.exe
C:\WINDOWS\System32\isaxbox.sys
c:\windows\system32\drivers\ftdisk.old
C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

folder::
C:\Documents and Settings\Josh\Local Settings\Application Data\yifuquwrb

registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares




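The CFScript in the post above resets two registry settings besides deleting files: the Internet Settings ProxyServer value pointing at 127.0.0.1:5555, which routes the browser's HTTP traffic through a process on the same machine (the usual way search results get rewritten and ads injected, matching the symptoms in post #1), and the Security Center DisableMonitoring flags, which when set to 1 stop Windows from warning that the antivirus or firewall is off. The detection logic below is an added example, not from the thread, from OTL or from ComboFix: it parses a .reg-style export and reports loopback proxies and disabled Security Center monitoring. The export text, the product names ExampleAV and ExampleFirewall, and the corporate proxy entry are constructed for the demo.

```python
"""Detect a loopback browser proxy and disabled Security Center monitoring in a
.reg-style export.  Example code, not from the original thread; the sample export
is constructed (product names and hosts are hypothetical) so it runs offline."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555;https=127.0.0.1:5555"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ExampleAV]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ExampleFirewall]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:8080"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: value}}.
    Handles dword:XXXXXXXX (-> int) and quoted strings (-> str), which is all
    these checks need; other value types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            else:
                keys[current][name] = raw
    return keys


def proxy_hosts(proxy_server):
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...')
    into its host names, lower-cased, with IPv6 brackets removed."""
    hosts = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:  # per-protocol form: proto=host:port
            entry = entry.split("=", 1)[1]
        if entry.startswith("["):  # [v6addr]:port
            host = entry[1:entry.find("]")]
        else:
            host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        hosts.append(host.lower())
    return hosts


def is_loopback(host):
    return host == "localhost" or host == "::1" or host.startswith("127.")


def find_hijack_indicators(keys):
    """Return a list of (kind, key path, detail) findings."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("\\internet settings"):
            proxy = values.get("ProxyServer")
            if isinstance(proxy, str) and any(is_loopback(h) for h in proxy_hosts(proxy)):
                detail = f"{proxy} (ProxyEnable={values.get('ProxyEnable', 0)})"
                findings.append(("loopback-proxy", path, detail))
        elif "\\security center\\monitoring\\" in low:
            if values.get("DisableMonitoring") == 1:
                findings.append(("security-center-monitoring-disabled", path, path.rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for kind, path, detail in find_hijack_indicators(parse_reg(SAMPLE_REG)):
        print(f"{kind}: {path} -> {detail}")
```

On a live machine, `reg export` the Internet Settings key for each user hive and the Security Center\Monitoring key, then feed the text to `parse_reg`. A proxy pointing at a corporate host, like the HKLM entry in the sample, is not flagged; a loopback proxy is reported whether or not ProxyEnable is currently set, because the malware can turn that value back on at any time.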
#13 otley


Posted 09 June 2010 - 01:12 AM

Hello,

Thank you again for your help.

I uninstalled both Freecorder and Limewire as you recommended. I haven't used Limewire in a long time so it was good to delete that, anyway.

The ComboFix script ran and produced the attached log. Please let me know the next steps.

Thanks again,
-otley

Attached Files



#14 etavares


Posted 09 June 2010 - 06:35 PM

Hello, otley.

Are you getting popups or redirects now?



Step 1

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



Step 2

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

etavares




#15 otley


Posted 10 June 2010 - 12:49 AM

Hello,

I reconnected this PC to the internet, and have not received any more pop-ups or google-result redirects.

The ESET scan ran properly. I am attaching the log for that below. It did find a few things.
OTL only produced one log file as a result, instead of the 2 mentioned in your message. I am also attaching that one.

Thank you again for your help.
-otley

Attached Files





