Persistent browser hijacking - resisting removal


  • This topic is locked
9 replies to this topic

#1 gwilsonb


Posted 18 November 2010 - 05:59 PM

Hi,

After about a day and a half I'd be very grateful (definitely happy to make a donation) for any help on this one.

It's got me stumped.

Got an XP machine with a bunch of viruses on it which all seemed to be removed with various scanners I ran (the user originally installed the Thinkpoint virus which is what caused them to give the machine to me to check although reviewing the patches in Add/remove programs it looks like no Windows patches have been installed since mid October).

I have run Malwarebytes, Spybot S&D, Windows Defender and AVG.

I have even uninstalled and reinstalled IE8, and reinstalled Service Pack 3.

I disabled / deleted anything which I thought looked obviously suspicious for example bzvsdnhz.sys in /system32.

Symptoms are:

- cannot access windowsupdate.microsoft.com (get a 'site not found' error in both IE and Chrome although if I do an nslookup the domain is resolved fine - I've even hardcoded valid DNS server addresses into the network connection)

- use of IE intermittently triggers various popups and redirects to parked domains etc

Attached are logs from both GMER (rootkit-analysis.log) and HijackThis (hijackthis.log).

Cheers,

Geoff

Edited by gwilsonb, 18 November 2010 - 06:05 PM.




#2 gwilsonb


Posted 20 November 2010 - 03:05 AM

Have tried a few more things so new versions of logs attached which I've just re-run (plus rootkitunhooker log). Attached files: RKunhooker-eport.txt, rootkit-analysis2.log, hijackthis.log.

#3 Blade


Posted 20 November 2010 - 03:34 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Watch Topic. By clicking this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :)

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the following:


    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Push the Run Scan button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt

Edited by Blade Zephon, 20 November 2010 - 03:34 AM.
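The /md5start ... /md5stop part of that OTL script hashes a fixed list of disk and boot drivers, because TDL3-era rootkits overwrote drivers such as atapi.sys and a changed hash is the quickest tell. As an added example that is not OTL's code and not from this thread, a small Python script that pulls the names out of such a block and compares each driver's MD5 against a baseline from a known-clean machine; the baseline values, the sample files and the shortened scan block are constructed (the page gives no hashes):

```python
import hashlib
import os
import tempfile
# Constructed excerpt of the OTL custom scan block posted above (not OTL's own code).
OTL_SCAN = """/md5start
atapi.sys
iaStor.sys
nvstor.sys
/md5stop
"""

def md5_targets(scan_text):
    # Collect the file names listed between /md5start and /md5stop.
    names, inside = [], False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def check_drivers(scan_text, drivers_dir, baseline):
    """baseline: name -> MD5 from a known-clean machine of the same Windows build
    (hypothetical; the page gives no hashes). Returns name -> ok/changed/missing."""
    report = {}
    for name in md5_targets(scan_text):
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "no baseline"
        else:
            report[name] = "ok" if md5_of(path) == baseline[name] else "changed"
    return report

def demo():
    # Constructed stand-in for the drivers folder; atapi.sys is the "patched" one.
    d = tempfile.mkdtemp()
    for name, data in (("atapi.sys", b"atapi.sys with rootkit patch"),
                       ("iaStor.sys", b"clean iaStor.sys")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    baseline = {"atapi.sys": hashlib.md5(b"clean atapi.sys").hexdigest(),
                "iaStor.sys": hashlib.md5(b"clean iaStor.sys").hexdigest()}
    return check_drivers(OTL_SCAN, d, baseline)
```

On a real machine the baseline would come from the same service pack level, since legitimate updates also change these hashes.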


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 gwilsonb


Posted 20 November 2010 - 04:01 AM

Thanks Blade.

Files attached: Extras.Txt and OTL.Txt.

#5 Blade


Posted 20 November 2010 - 04:09 AM

Hello.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC may be compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to format and reinstall please stop here and let me know. If you wish to continue cleaning, read on and complete the following steps, but please acknowledge that you have read this in your next reply.

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Edited by Blade Zephon, 20 November 2010 - 04:11 AM.



#6 gwilsonb


Posted 20 November 2010 - 07:33 AM

Hi Blade,

Sorry, combofix seemed to fall over when trying to remove MBR malware.

Disabled all virus protection (uninstalled AVG, removed Spybot S&D etc). Even disabled the Windows firewall (am running behind one anyway).

Got through the Windows Recovery console install ok and then after the scan started got to a message (dialog coming up in ComboFix) that there was a Master Boot Record infection.

After hitting the prompt to continue when it asks whether all security is disabled there is some disk activity and then nothing - I waited about 15 minutes after the MBR msg came up and there was no disk activity (and when I then tried to do anything the machine becomes unresponsive eventually requiring a hard power down).

It reboots but after trying to run ComboFix several times the same thing happens every time.

Checked for the presence of c:\combofix.txt but it has not been written.

Have to head off to bed now but will check first thing in the morning. Acknowledge your health warning about backdoor trojans but happy to continue with this process anyway rather than doing a reformat/reinstall.

Attached by the way is a screenshot of the 'generic host process error window' that came up in case that is any use (generic host process error.jpg). As well as that I took a copy of part of the log it was sending to MSFT, attached (manifest.txt, appcompat.txt).

Edited by gwilsonb, 20 November 2010 - 07:35 AM.


#7 gwilsonb


Posted 20 November 2010 - 05:48 PM

Tried this morning temporarily disabling a lot of services and processes but same thing happens with ComboFix.

I note however based on your identifying that one of the problems is TDL4 from the GMER log (and this is also borne out by the page I've linked to below where the same 'generic host process' error occurs) that there is a Kaspersky killer for TDSS variants which might work if ComboFix didn't:

http://forums.techguy.org/virus-other-malware-removal/962607-possible-tdl4-rootkit-infection.html

(I have not run it though, as per your instructions and on the basis that you probably have a better idea.)

Finally, I ran a port check (just netstat - won't have changed anything). Results attached (netstat-output.txt).

Cheers,

Geoff

Edited by gwilsonb, 20 November 2010 - 10:16 PM.


#8 Blade


Posted 21 November 2010 - 01:46 AM

Hello Geoff

Yes. . . TDSSKiller is our next step.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

~Blade


In your next reply, please include the following:
TDSSKiller Log

Edited by Blade Zephon, 21 November 2010 - 01:48 AM.



#9 gwilsonb


Posted 21 November 2010 - 06:05 AM

Cripes, I read a tech evaluation of TDSS style rootkits. These are very nasty pieces of software. What you are doing in helping people out with these is really great.

Yep, found it and says it has been killed (log attached: TDSSKiller.2.4.8.0_21.11.2010_21.51.45_log.txt). I suspect the next thing this machine will automatically try and do is connect to Windows update (actually yep it's done it!) but I'll take it offline after sending this to stop this actually being installed for the moment.

Cheers,

Geoff

Edited by gwilsonb, 21 November 2010 - 06:31 AM.


#10 Blade


Posted 22 November 2010 - 10:03 PM

Topic closed at OP request.

~Blade





