
Search Engine hijack malware


  • This topic is locked
10 replies to this topic

#1 choltonit

choltonit

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 22 June 2010 - 07:56 AM

This is for a client's machine. Have tried MalwareBytes, Super Anti Spyware, MS Security Essentials, and it has McAfee AV Enterprise installed on it. Nothing glaringly malicious, just sends her google search result clicks to sites like blueseek.com, ind.in, etc. User has tried IE 7, IE 8, and Firefox. User's machine is a pizza-box desktop running WinXPsp3. Will attach logs.

Attached Files



#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 28 June 2010 - 12:46 PM

Hi choltonit, and welcome to Bleeping Computer.

QUOTE
Nothing glaringly malicious, just sends her google search result clicks to sites like blueseek.com, ind.in, etc.

Well, if something was hiding on my machine and was causing strange behaviour, I would certainly call it malicious...

Ok, while I can understand that you were trying to run different tools to clean that machine (and get paid probably), I'm not sure why you use highly special tools, which you know little about - here: ComboFix... Attaching this log would speed up things a little...

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Please do the following:
Delete your current version of ComboFix (delete a file from the Desktop), then download a new version from one of the links below:
Link 1
Link 2

Run as instructed in the guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.

Then,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\windows\system32\ffda.sys

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 choltonit

choltonit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 28 June 2010 - 01:10 PM

QUOTE(snemelk @ Jun 28 2010, 12:46 PM)
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


This is a problem. This computer is part of an organization that employs McAfee Enterprise, and the powers that be decided not to allow me to disable the McAfee tools. I have used Combofix before, and I only download it from bleepingcomputer.com. If using that amazing tool is in violation of their EULA, I will cease and desist immediately.

My only other option is to reimage her PC, but there's always the chance that her personal data will be infected as well.

Any advice at this point?

#4 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 28 June 2010 - 04:22 PM

Hi again choltonit!!..

QUOTE(choltonit @ Jun 28 2010, 08:10 PM)
This is a problem. This computer is part of an organization that employs McAfee Enterprise, and the powers that be decided not to allow me to disable the McAfee tools.

So they don't want to allow you to disable that "wonderful" antivirus program to remove an infection that it missed??.. Strange...
Anyway, McAfee "likes" causing trouble with ComboFix - in some cases we even do recommend uninstalling it before running CF...

QUOTE
Any advice at this point?

As I instructed in my last post, I need a scan of one file (c:\windows\system32\ffda.sys) on VirusTotal - it's suspicious, as the file name gets no hits on Google and it's been recently created...

Also, did ComboFix install Recovery Console on that computer??.. If yes, would you be able to access it (as I'm not sure if you have physical access to that machine) and run a batch from it??..


#5 choltonit

choltonit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 30 June 2010 - 07:44 AM

QUOTE(snemelk @ Jun 28 2010, 04:22 PM)
As I instructed in my last post, I need a scan of one file (c:\windows\system32\ffda.sys) on VirusTotal - it's suspicious, as the file name gets no hits on Google and it's been recently created...


I finally got the password to unlock the McAfee control panel, but I had to offer my services as a car washer/waxer to the Sr. Admin. Punk-@$$-bizznitch that he is.

I am unable to do anything with c:\windows\system32\ffda.sys because any time I try to attach it, rename it, etc. it says "Someone or something is using this file". Any idea what might be holding it hostage?

#6 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 30 June 2010 - 10:11 AM

Hi again choltonit!!..

QUOTE(choltonit @ Jun 30 2010, 02:44 PM)
I finally got the password to unlock the McAfee control panel, but I had to offer my services as a car washer/waxer to the Sr. Admin. Punk-@$$-bizznitch that he is.

Good... Running ComboFix would be helpful - it would save us a little time...

QUOTE
I am unable to do anything with c:\windows\system32\ffda.sys because any time I try to attach it, rename it, etc. it says "Someone or something is using this file". Any idea what might be holding it hostage?

Well, to be honest, no idea... ;)

Are you a qualified IT technician (as you're helping with your client's machine)??.. If yes, you'll probably know how to load a Windows Recovery Console (if ComboFix installed it, that's very easy)... From there, you can easily copy that ffda.sys file as ffda.old, which you'll easily upload to VirusTotal...
I took a quick look at your DDS log again and noticed one other suspicious file - c:\windows\system32\IE7_RegChanges.exe... Please upload it to VirusTotal for me... If it resists uploading, please use Recovery Console to copy/rename it...

How to start the Recovery Console

Once in Recovery Console, execute the following commands (watch the spaces) in bold - click Enter after every one of them:

copy c:\windows\system32\ffda.sys c:\windows\system32\ffda.old
copy c:\windows\system32\IE7_RegChanges.exe c:\windows\system32\IE7_RegChanges.old
exit


It should reboot automatically - boot into Normal Mode...

Then you can upload c:\windows\system32\ffda.old file to http://www.virustotal.com/ ... If it comes back as malicious, we can easily delete it with one of our tools (or you can do it easily yourself in the Recovery Console but first you need to disable the ffda Service Driver; or safer: just disable a Service Driver and delete a file in Normal Mode)...

Please confirm you can use ComboFix; if not we'll use a different tool...

Apart from doing above, please do the following for me:
- attach c:\ComboFix.txt to your next reply
- run the following tool:

* Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
* Execute the file TDSSKiller.exe by double-clicking on it.
* Wait for the scan and disinfection process to be over.
* When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).
The log is like UtilityName.Version_Date_Time_log.txt.
for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


#7 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 02 July 2010 - 05:48 AM

Hi again!..

How is it going??.. That file (c:\windows\system32\ffda.sys) is malicious and this is a probable cause of redirects - I see this infection has started appearing on forums...
Have you managed to perform the instructions above??.. If not, we'll just script that file and Service out...


#8 choltonit

choltonit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 02 July 2010 - 07:39 AM

Sorry, no I haven't gotten to it yet. I'm managing IT for five sites while my boss is on vacation (perfect timing), three of which are on the Gulf Coast, so I've been a tad busy. smile.gif I'll try to get to it today, but if you have a fancy script you want to try, I'm all ears.

#9 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 02 July 2010 - 06:06 PM

Hi again choltonit!!..

QUOTE(choltonit @ Jul 2 2010, 02:39 PM)
I'll try to get to it today, but if you have a fancy script you want to try, I'm all ears.

Ok, let's do it my way - it should be faster!!.. ;)

Firstly,
Download The Avenger by Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop.
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    QUOTE
    Drivers to delete:
    ffda
    Files to delete:
    c:\windows\system32\ffda.sys

  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
  • Please post the content of the logfile.

Secondly,
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

Thirdly,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\windows\system32\IE7_RegChanges.exe

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.
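The OTL line `%systemroot%\system32\drivers\*.sys /90` in the post above and the earlier remark that ffda.sys was suspicious because it had been recently created both rest on the same triage heuristic: list the driver files that changed recently, then get each one identified. The Python script below is an added example, not code from this thread, from BleepingComputer, or from the OTL, Avenger or TDSSKiller tools. It walks a driver directory, keeps the `.sys` files modified within the last N days (90 by default, which I assume matches the intent of the `/90` switch), and records a SHA-256 for each. The directory, file names and bytes in `build_sample_driver_dir()` are constructed for the demo; the name `ffda.sys` is only borrowed from the thread. A file that a running driver holds open exclusively may be unreadable; the script reports that case with its error text instead of silently skipping it, which is exactly when the Recovery Console copy described earlier in the thread is needed.

```python
"""Triage helper: list recently modified driver files and hash them.

Added example, not code from the thread or from BleepingComputer. All sample
paths and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed stand-in for an unknown driver's contents; not a real file.
SAMPLE_DRIVER_BYTES = b"constructed sample driver bytes - not a real kernel module\n"
SECONDS_PER_DAY = 86400


@dataclass
class DriverFinding:
    path: str
    size: int
    age_days: float              # days since last modification
    sha256: Optional[str]        # None when the file could not be read
    error: Optional[str] = None  # OS error text, e.g. a sharing/lock failure


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks; raises OSError if it cannot be opened."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_drivers(driver_dir: str, max_age_days: int = 90,
                   pattern: str = "*.sys",
                   now: Optional[float] = None) -> List[DriverFinding]:
    """Return driver files modified within max_age_days, newest first.

    A file held open exclusively by a running driver can raise OSError on
    read; it is still reported (sha256=None plus the error text) so the
    analyst knows an offline copy is required rather than assuming it is clean.
    """
    now = time.time() if now is None else now
    findings: List[DriverFinding] = []
    for p in Path(driver_dir).glob(pattern):
        if not p.is_file():
            continue
        st = p.stat()
        # mtime is portable; on Windows st_ctime holds creation time instead.
        age = (now - st.st_mtime) / SECONDS_PER_DAY
        if age > max_age_days:
            continue
        try:
            digest, err = sha256_of(str(p)), None
        except OSError as exc:
            digest, err = None, str(exc)
        findings.append(DriverFinding(str(p), st.st_size, round(age, 2), digest, err))
    findings.sort(key=lambda f: f.age_days)
    return findings


def build_sample_driver_dir() -> str:
    """Create a temp directory holding two constructed .sys files: one modified
    now and one 400 days ago, to exercise the age filter offline."""
    d = tempfile.mkdtemp(prefix="drivers_")
    now = time.time()
    Path(d, "ffda.sys").write_bytes(SAMPLE_DRIVER_BYTES)   # name from the thread, bytes constructed
    old = Path(d, "old_known.sys")
    old.write_bytes(b"constructed old driver bytes\n")
    stamp = now - 400 * SECONDS_PER_DAY
    os.utime(old, (stamp, stamp))
    return d


def report(findings: List[DriverFinding]) -> str:
    """One line per finding: age, size, hash (or why it could not be read), path."""
    lines = []
    for f in findings:
        status = f.sha256 if f.sha256 else f"UNREADABLE ({f.error})"
        lines.append(f"{f.age_days:>7.2f} d  {f.size:>8} B  {status}  {f.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(recent_drivers(build_sample_driver_dir())))
```

Point `recent_drivers()` at `C:\Windows\System32\drivers` (or at a copy taken from the Recovery Console) to get the same 90-day view. The hash is the useful output: a SHA-256 can be searched on VirusTotal without uploading the file, which sidesteps the "someone or something is using this file" problem whenever the file is readable but not movable; when even the read fails, the finding carries the error and the Recovery Console copy from earlier in the thread is the fallback.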


#10 choltonit

choltonit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 06 July 2010 - 03:42 PM

Hey I really appreciate all your hard work in trying to help me out, but my boss got tired of me trying to solve the problem myself. I had to nuke the drive and reimage it.

#11 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:33 AM

Posted 06 July 2010 - 04:51 PM

Hi again choltonit!!..

I see, thanks for letting me know... This infection was (very) far from being hard to remove or deal with... Anyway, now you've got a clean system again...
Take a look at my page: After removing malware - make sure you update outdated programs on that client's machine - if not, this system may quickly get reinfected...

Good luck!..

----------

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
