
Malware Nastiness


13 replies to this topic

#1 masfonos


Posted 20 October 2010 - 09:23 PM

Sorry for the huge post, it ended up much longer than I thought it would...

Nightmare Backstory

Starting a couple weeks ago, I started getting the bad google organic search results that redirected through doubleclick.net when using Mozilla Firefox (and maybe MSIE, can't remember). Opera et al do not have the problem. Flushing my DNS, hosts file and running MBAM seemed to fix the problem, at least for a while, but the same thing would sometimes recur. MBAM and the like generally took care of the problem. I'm not sure if the rest of the nastiness stemmed from the search result redirects or what, but it's been pretty ugly. It's been a long drawn out process, so the order of stuff might be a little out of whack, but I think it's mostly right.

I started getting the fake MS Security Essentials alert thing going on. I knew immediately that it wasn't real since I don't use MSSE for my AV software, so I didn't follow any of the "scan online" business or install any new AV software, etc. (but I did click the "apply actions" and "close" buttons). I'm getting the fake alert so I figure, run MBAM and get rid of it, so I run MBAM and it finds something like 9 bad things between executables and registry entries during the scan. I tell MBAM to clean the bad things and it tries, but it hangs up (probably because the bad stuff is still running) so I end up doing a hard restart.

I think it was at this point that Win XP stopped booting (last thing loaded is giveio.sys; it would have been mup.sys, but SpeedFan added on giveio.sys). I go into recovery console, run CHKDSK (which finds and repairs errors), system still won't boot into safe or normal mode, but "last good config" boots but is very slow and eventually starts the fake Security Essentials alerts again.


Current Situation

So after going through this whole process that involves a barrage of rkill, MBAM, avast, Spybot S&D, avast and AdAware, CHKDSK, /flushdns, cleaning host files, tdsskiller, etc., all scans seem to be coming up clean and the system appears to be booting into Windows XP ok, but...

After XP boots, it's VERY slow and explorer seems to be unresponsive for 5-10 minutes. After that period, the PC seems to be functioning fine. During this ordeal, I found a thread of someone who had this problem, but now I can't find it. What could be causing this? The scanners seem to think my system is clean. I'm not getting the MSSE alert anymore. Firefox just now did the doubleclick.net redirect thing again though (I've temporarily stopped using FF for now).

What are good next steps? I plan on running the most up to date versions of each of MBAM, S&D, AdAware and Avast! several times each. Should I just do that and hope for the best, or is there something else I should do. I want to get some of my work done and run these scans now, while the PC seems to be working OK, so I haven't restarted again after the latest scans to see if it's still slow.

What is your advice for action to take in either case (still-slow or back-to-normal after reboot)? I want to get some advice now before I go restarting in case something goes south before/during/after the reboot.


Edit to add:

FF doesn't seem to be redirecting me to doubleclick.net at the moment, but search results seem to take a LONG time to come up after clicking on them (if they come up at all). I'm still wary of using Google on FF though, since I don't have the little happy certificate icon that says it's genuine, plus search suggestions don't pop up when I type a query (which I've noticed seems to happen when the redirect thing is going).

Edited by masfonos, 20 October 2010 - 09:30 PM.




#2 masfonos


Posted 21 October 2010 - 12:57 PM

I ran MBAM and AdAware again last night and they removed a couple more things (mostly cookies, a couple trojans). Also ran Avast and I got the dreaded explorer.exe and winlogon.exe infection by Win32:Bamital-AF. I ran HitManPro 3.5.7.116 (which I gather replaces both of those files with clean ones). Both files show clean now from Avast and AdAware.

At this point, the computer seems to boot normally, go through the Windows start-up screen normally, then it shows my wallpaper, desktop icons and taskbar, but the taskbar is unresponsive. Clicking icons, folders, etc. on the desktop behaves normally, I can run programs from desktop folders, etc., but when I mouse over the taskbar the cursor turns to an hourglass. The clock stops at the time the taskbar appears. After 30 or so minutes, the Windows start-up sound plays, the clock shows the correct time, the taskbar, start menu, etc. become responsive and the computer appears to behave normally.

I'm going to continue to run successive scans with various security software for a while to see if that clears it up.

Ideas?

#3 boopme


Posted 21 October 2010 - 03:16 PM

Hello, let's see what ESET shows.
Please perform a scan with the ESET Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 masfonos


Posted 21 October 2010 - 07:33 PM

ESET log. Will restart in a few minutes and see what happens. Will be back with a report.


C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EK trojan cleaned by deleting - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache1119169169991213419.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache2611673457341778255.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache3308270330264254860.tmp Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache365593784126718216.tmp probably a variant of Win32/Agent.YUPEXU trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache3682178491988004700.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache4293802904663990876.tmp Java/TrojanDownloader.Agent.NBM trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache4580570062220127162.tmp OSX/Exploit.Smid.B trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache5020471247089879421.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache5040975955981934519.tmp Java/TrojanDownloader.Agent.NBK trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache556415684983448858.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache5636084260847344771.tmp probably a variant of Win32/Agent.DYXWUMY trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache801627119811040166.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache835187681820412861.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\plugtmp-41\plugin-pdf.php JS/Exploit.Pdfka.NYC trojan cleaned by deleting - quarantined
C:\Documents and Settings\UserName\Local Settings\Temporary Internet Files\Content.IE5\71M7Y0L2\tkbvqkfdls[1].htm a variant of Win32/Kryptik.HNT trojan cleaned by deleting - quarantined



#5 boopme


Posted 21 October 2010 - 08:23 PM

Hello. Exploit:JS/Pdfka: Adobe Reader and Acrobat versions 8.1.2 and earlier are affected by the vulnerabilities exploited by this malware.
This means you should update these two applications. From Control Panel > Add/Remove Programs (tick the small box that says Show updates),
highlight each and there should be a choice for updating.

What version of Java is running?
Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)
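A quick triage of the ESET log posted above, written as an added example (not a tool from the thread, from ESET or from BleepingComputer): it parses the log's "path detection action" lines and maps each hit to the component the advice in this thread points at, Java for the jar_cache downloaders and Adobe Reader for the Pdfka PDF exploit. The component labels and the patch-advice table are my own assumptions.

```python
import re
from collections import Counter

# Lines copied from the ESET log posted above (post #4). A real log keeps this
# "path detection action - result" layout, and the path itself contains spaces.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EK trojan cleaned by deleting - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache3308270330264254860.tmp Java/TrojanDownloader.Agent.NBL trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache365593784126718216.tmp probably a variant of Win32/Agent.YUPEXU trojan deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\jar_cache5020471247089879421.tmp multiple threats deleted - quarantined
C:\Documents and Settings\UserName\Local Settings\Temp\plugtmp-41\plugin-pdf.php JS/Exploit.Pdfka.NYC trojan cleaned by deleting - quarantined
C:\Documents and Settings\UserName\Local Settings\Temporary Internet Files\Content.IE5\71M7Y0L2\tkbvqkfdls[1].htm a variant of Win32/Kryptik.HNT trojan cleaned by deleting - quarantined
"""

# The detection name is the first token that contains a "/"; anchoring on it is
# what separates the path (with its embedded spaces) from the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+ \w+|multiple threats)\s+"
    r"(?P<action>cleaned by deleting|deleted)\s+-\s+(?P<result>\S+)$"
)

def parse_eset_log(text):
    """One dict per detection line; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(entry):
    """Map a detection to the component a defender should patch or inspect (my labels)."""
    p, d = entry["path"].lower(), entry["detection"].lower()
    if "bamital" in d:
        return "bamital"        # the family Avast flagged in explorer.exe/winlogon.exe (post #2)
    if "\\jar_cache" in p or "java/" in d:
        return "java-plugin"    # content cached by the Java plug-in while it ran: outdated JRE
    if "pdfka" in d or "plugin-pdf" in p:
        return "adobe-reader"   # malicious PDF handed to the Reader browser plug-in
    if "\\content.ie5\\" in p:
        return "browser-cache"  # drive-by page content cached by Internet Explorer
    return "other"

def summarize(text):
    """Count detections per component, e.g. Counter({'java-plugin': 3, ...})."""
    return Counter(classify(e) for e in parse_eset_log(text))

# What to patch for each component, matching the advice given in the thread.
PATCH_ADVICE = {
    "java-plugin": "update Java and remove older JRE versions",
    "adobe-reader": "update Adobe Reader/Acrobat",
}

def recommendations(text):
    """Sorted list of patch actions implied by the log."""
    return sorted(PATCH_ADVICE[k] for k in summarize(text) if k in PATCH_ADVICE)

if __name__ == "__main__":
    for component, n in summarize(SAMPLE_ESET_LOG).most_common():
        print(f"{component:14} {n}")
    print("; ".join(recommendations(SAMPLE_ESET_LOG)))
```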

#6 masfonos


Posted 21 October 2010 - 11:46 PM

> Hello. Exploit:JS/Pdfka: Adobe Reader and Acrobat versions 8.1.2 and earlier are affected by the vulnerabilities exploited by this malware.
> This means you should update these two applications. From Control Panel > Add/Remove Programs (tick the small box that says Show updates),
> highlight each and there should be a choice for updating.

I did have 9.1.0 but I just did the update to 9.4.0.


> What version of Java is running?
> Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)

Had Java 6 update 11, just updated to Java 6 update 22.


Long boot time persists.

#7 boopme


Posted 22 October 2010 - 09:43 AM

Hello, be sure to remove older versions in Control Panel. The new Java installer will now remove older versions but the older ones didn't, so just check. If there, remove and reboot.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


How is it doing now?

#8 masfonos


Posted 22 October 2010 - 04:54 PM

Old versions were already gone from Add/Remove dialog.

AdAware was running earlier and it finished up. Results: [image]
and it wanted a reboot to "completely remove the threats." After reboot, the machine looked like it was going to be normal, but then the start button/taskbar/etc. became unresponsive for roughly 30 minutes (although, as before, desktop icons are still usable including folder navigation, program execution, etc.).

MBAM reports a clean bill of health:

Scan type: Quick scan
Objects scanned: 154511
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:


Firefox is still being bad. Google search results being redirected (to 66.230.188.67)

Next steps? Run AAW, Avast! or something else again? I seem to recall using the gorred tool in the past when this problem was manifesting; thoughts on that?

#9 boopme


Posted 22 October 2010 - 07:57 PM

Yes, I think we may get it all with these 2 now

Please read and follow all these instructions.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Please run the tool here: How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

#10 masfonos


Posted 22 October 2010 - 09:12 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 22:08 on 22/10/2010 (UserName)
Firefox version 3.6.11 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{BCAE1694-108B-4558-8369-5E10B1DC12FF} -> Success!
Deleting C:\Documents and Settings\UserName\Local Settings\Application Data\{BCAE1694-108B-4558-8369-5E10B1DC12FF} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:12 19/01/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [01:03 06/02/2009]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [04:37 22/10/2010]

C:\Documents and Settings\UserName\Application Data\Mozilla\Firefox\Profiles\0pmexsih.default\extensions\
reverseiplookup@bordella.com [00:57 26/08/2010]
snaplinks@snaplinks.mozdev.org [03:52 07/09/2010]
{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [02:22 25/03/2010]
{20a82645-c095-46ed-80e3-08825760534b} [05:44 26/07/2010]
{21cfaec0-dbb3-11dc-95ff-0800200c9a66} [00:02 29/05/2009]
{49f3fc85-dcfe-4e42-9301-226ebe658509} [03:52 07/09/2010]
{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} [22:38 31/01/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:48 31/01/2009]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [21:42 17/08/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:02 06/02/2009]

-=E.O.F=-



TDSSKiller showed clean.

I'll try restarting now and report back on the resulting behavior.

#11 masfonos


Posted 22 October 2010 - 09:21 PM

Restarted and it's the same story. Taskbar/start button/clock is stuck, desktop icons, folder navigation, application execution are all still functional. I don't really understand that; I thought that both the taskbar and the folder navigation were explorer.exe. Why would one work but not the other?

It's between 30-40 minutes before it becomes responsive every time. After that, it acts perfectly normal.

#12 boopme


Posted 22 October 2010 - 09:35 PM

Please run System File Checker (sfc /scannow). For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users: the command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.

You will need your operating system CD handy.

Open Windows Task Manager by pressing CTRL+SHIFT+ESC.

Then click File, then New Task (Run).

In the box that opens type sfc /scannow (there is a space between c and /).

Click OK.
Let it run and insert the XP CD when asked.

#13 masfonos


Posted 22 October 2010 - 11:04 PM

OK, will try that after this current scan completes. Will it cause additional headaches that the disc is the original SP1 and I'm now at SP3? Will it hose everything up if it finds missing/bad files and replaces them with old ones?

#14 boopme


Posted 22 October 2010 - 11:11 PM

It should only repair what it can and, I believe, tell you if it cannot.



