
Browser redirects and Trojan Warnings


This topic is locked. 8 replies to this topic.

#1 Pewima

Posted 21 March 2011 - 02:18 PM

All,

I was wondering if you could maybe help me out / provide some expert advice. Yesterday evening I noticed that somehow 'Antimalware Doctor' managed to install itself. Since I removed it some months ago for a friend, I recognized it as malware, so I downloaded Super Antispyware to remove it. SAW detected Antimalware and removed it, along with some tracking cookies, but nothing serious. When scanning with Microsoft Security Essentials this evening, two additional infections were found and removed:

- Trojandownloader:Win32/Renos.KC
- Trojan:Win32/NEOP
- Trojan:Win32/Dynamer!DTC
- Trojan:Delf
- Trojan:Hiloti
- Trojan:Meredrop

What was strange was that during the scan, I found out that Meredrop was installed in c:\users\mark\appdata\local. During the scan I removed all files from this folder (after MSE already deleted Meredrop), so the directory was now completely empty. However, 10 minutes later MSE again detected and removed Meredrop from the same folder; showing I think that at least one other trojan or dropper is still active.

After I completed the full scan, I executed an additional quick scan to ensure nothing was in memory. All seemed fine, and I rebooted my computer, hoping that everything was solved now. However, after reboot I got browser redirects (opening link through google would redirect to random spam-sites) and Microsoft Security Essentials opened and directly closed. After another reboot everything seems fine again (this is when posting this message), but I guess something is definitely still active. Could you help me out on how to proceed?

Some additional info: using Windows 7 pro, 32bit, and consider myself a quite advanced user (usually I'm the one helping out others ;-)); however, I ran a Hijacklog check myself and couldn't find anything strange.

Edited by Pewima, 21 March 2011 - 02:20 PM.
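The reasoning in this post, that a file being detected and removed from the same folder and then detected there again minutes later points to a still-active dropper, is the kind of correlation a defender can automate over antivirus event records. The script below is an added example and is not part of this thread or of any Microsoft tool: the event lines, their timestamp|threat|path|action layout and the file name xyz.exe are constructed for illustration.

```python
"""Flag malware detections that recur at the same path after a removal.

Added example (not from the BleepingComputer thread): the event lines below
are constructed to resemble the situation described in the post, where a
threat is removed from a folder and detected again there minutes later.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple "timestamp|threat|path|action" form.
# The field layout is an assumption for this example, not a real MSE log format.
SAMPLE_EVENTS = """\
2011-03-21 19:02:10|Trojan:Win32/Meredrop|C:\\Users\\mark\\AppData\\Local\\xyz.exe|Removed
2011-03-21 19:05:41|TrojanDownloader:Win32/Renos.KC|C:\\Users\\mark\\AppData\\Local\\Temp\\abc.tmp|Removed
2011-03-21 19:12:33|Trojan:Win32/Meredrop|C:\\Users\\mark\\AppData\\Local\\xyz.exe|Removed
2011-03-21 19:40:05|Trojan:Win32/Meredrop|C:\\Users\\mark\\AppData\\Local\\xyz.exe|Removed
"""


def parse_events(text):
    """Parse the constructed event lines into (timestamp, threat, path, action) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, threat, path, action = line.split("|", 3)
        # Windows paths are case-insensitive, so normalise before correlating.
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), threat, path.lower(), action))
    events.sort(key=lambda e: e[0])
    return events


def recurring_detections(events, window=timedelta(hours=24)):
    """Return {path: [minutes since previous removal]} for every path that was
    detected again after the product reported removing it."""
    last_removed = {}
    gaps = defaultdict(list)
    for ts, threat, path, action in events:
        prev = last_removed.get(path)
        if prev is not None and ts - prev <= window:
            gaps[path].append(round((ts - prev).total_seconds() / 60))
        if action.lower() == "removed":
            last_removed[path] = ts
    return dict(gaps)


def suspect_dropper(events):
    """Paths that keep coming back: something else on the machine is re-creating them."""
    return sorted(recurring_detections(events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for path, gaps in recurring_detections(evs).items():
        print(f"{path}: re-detected after {gaps} minute(s) -> active dropper likely")
```

A single removal of the dropped file is not a cleanup when the same path is re-detected on a short cycle; the recurring path is the symptom, and the process or service that keeps writing it is what has to be found.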



#2 boopme (Global Moderator)

Posted 21 March 2011 - 10:24 PM

Hello, this sounds like rootkit activity.
Let's take another look.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Pewima (Topic Starter)

Posted 22 March 2011 - 01:46 PM

Thanks for your reply!

I executed a full scan with Malwarebytes yesterday after my initial post, resulting in some detections and deletions of Trojan.Fakealert.Gen. However, nothing else was found.

After reading your post:

1. Unfortunately, TDSSKiller didn't find any backdoors.
2. I used the tool to clean my temp files.
3. I executed another full scan with Malwarebytes, this time resulting in the detection of a new trojan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6133

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22-3-2011 19:44:25
mbam-log-2011-03-22 (19-44-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 339963
Time elapsed: 45 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Mark\AppData\Roaming\apphlpdmi.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

It goes without saying that this one definitely wasn't there yesterday, so something should still be active in the background. Any more ideas? Thanks!

#4 boopme (Global Moderator)

Posted 22 March 2011 - 02:04 PM

Hello, we'll do an online scan next to see if there's anything else.

ESET Online Scan
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


NOTE: In some instances if no malware is found there will be no log produced.

#5 Pewima (Topic Starter)

Posted 23 March 2011 - 02:09 PM

Thanks again :). Just finished the ESET online scan, and 'unfortunately' no results:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=270c4c8f9047cb49966789ccdf7dc234
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-23 07:05:03
# local_time=2011-03-23 08:05:03 (+0100, W. Europe Standard Time)
# country="Netherlands"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode=5893 16776574 100 94 12975313 53351799 0 0
# compatibility_mode=8192 67108863 100 0 68636 68636 0 0
# scanned=264237
# found=0
# cleaned=0
# scan_time=7895

Will now perform another Malwarebytes scan to see if anything new pops up, but in any case I have the feeling that something should still be there, based on the reappearing trojan of yesterday. Any more ideas maybe?
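The log above is a series of "# key=value" lines, which makes it easy to check mechanically that the scan finished, that the options requested in the previous reply (Remove found threats unchecked; archives, unwanted, unsafe and Anti-Stealth checked) were actually in effect, and what was found. The parser below is an added example, not ESET's code or anything from this thread: the embedded log is a constructed excerpt modelled on the one posted, with the serial replaced by a placeholder, and it also handles the case noted in the previous reply where no log is produced at all.

```python
"""Parse an ESET Online Scanner log and check it against the requested settings.

Added example, not part of the thread: it reads the '# key=value' header lines
of the log format pasted above and verifies the options the helper asked for.
"""
import re

# Settings the instructions in the thread ask for: removal off, everything else on.
EXPECTED_SETTINGS = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

# Constructed excerpt modelled on the log pasted in the thread; the serial is a placeholder.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# EOSSerial=PLACEHOLDER_SERIAL
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-23 07:05:03
# osver=6.1.7600 NT
# compatibility_mode=5893 16776574 100 94 12975313 53351799 0 0
# compatibility_mode=8192 67108863 100 0 68636 68636 0 0
# scanned=264237
# found=0
# cleaned=0
# scan_time=7895
"""

_KV = re.compile(r"^#\s*([A-Za-z_]+)=(.*)$")


def parse_eset_log(text):
    """Return a dict of the '# key=value' fields.

    Keys that occur more than once (compatibility_mode does) become lists,
    so no value is silently overwritten."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue  # banner lines such as "all ok" carry no field
        key, value = m.group(1), m.group(2).strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def check_scan(text):
    """Summarise a scan log: did it finish, were the right options set, what was found.

    text=None models the case where the scanner produced no log file at all."""
    if text is None:
        return {"log_present": False}
    f = parse_eset_log(text)
    mismatches = {k: f.get(k) for k, v in EXPECTED_SETTINGS.items() if f.get(k) != v}
    return {
        "log_present": True,
        "finished": f.get("end") == "finished",
        "settings_ok": not mismatches,
        "mismatches": mismatches,
        "scanned": int(f.get("scanned", 0)),
        "found": int(f.get("found", 0)),
        "cleaned": int(f.get("cleaned", 0)),
        "scan_time": int(f.get("scan_time", 0)),  # raw value; unit not stated in the log
    }


if __name__ == "__main__":
    for key, value in check_scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "found=0" result only means something if the scan covered what it was asked to cover, which is why the settings check comes before reading the counts; a log with remove_checked=true would also mean the scanner acted on its own rather than just reporting, which the helper explicitly asked to avoid.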

#6 Pewima (Topic Starter)

Posted 23 March 2011 - 02:49 PM

Results of this third Malwarebytes scan: nothing found. Still, I don't trust it at all.

#7 boopme (Global Moderator)

Posted 23 March 2011 - 02:54 PM

Ok, it looks clean to me, but to be certain you can post a DDS log.
Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#8 Pewima (Topic Starter)

Posted 23 March 2011 - 03:41 PM

Thanks again. Please find the log-files at http://www.bleepingcomputer.com/forums/topic386670.html.

#9 boopme (Global Moderator)

Posted 23 March 2011 - 03:45 PM

You're welcome. A Malware Team expert will review and reply in a day or two and let you know for sure.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
