SystemFix, IEXPLORE.EXE Hijack, TDSS

4 replies to this topic

#1 DevOneGlitter

Posted 06 December 2011 - 09:29 PM

Windows XP 32bit

After duking it out with this virus for the past 2 days (14 hours yesterday) I have to succumb to some pro help. I've tried everything I could find online. I did get the SystemFix removed, was able to restore desktop icons and functionality but still have this browser hijack that will just not die. My hosts file is normal so how it's redirecting I have no idea. No proxy running. netstat says everything is fine. I notice that there is a pervasive IEXPLORE.EXE that keeps coming back (after a few minutes) no matter how many times I kill it. Messed up part is I don't use Internet Explorer at all. I use Firefox but even Firefox is redirecting and/or taking over Google search priorities with some pink box at the top of every search I do.

I couldn't run ComboFix or TDSSKiller in normal or safe mode. After about 10 hours yesterday I was finally able to run ComboFix without it stalling. Still can't run TDSSKiller. Tried Malwarebytes, AVP Tool, Spybot, Antivir, Ad-Aware, ESET, SuperAntiSpyWare, rkill, fixexe, exehelper, atfcleaner, hijackthis, and the Windows malicious removal tool. ComboFix didn't like Ad-Aware or Anti-vir so I removed them. I used to have Trend Micro AV but that obviously didn't work for crap or I wouldn't have gotten the virus, right? I'd like to use Anti-vir as my AV but removed it temporarily just to run ComboFix. Uninstalled Java, ran JavaRA to clean, reinstalled Java.

At this point the hair on my head is gone and I've thrown up my hands in the air wtf. This is the worst virus I've ever tried to deal with. I'm pretty good with computers but this one is bad bad mojo.

Here are the mbam logs for the first 2 scans when it detected and removed something. Every scan since then it says is clean which is soooo not true. Still getting redirects.

------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/5/2011 10:27:21 PM
mbam-log-2011-12-05 (22-27-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 237113
Time elapsed: 20 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8320

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/6/2011 12:19:25 AM
mbam-log-2011-12-06 (00-19-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 239677
Time elapsed: 11 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\dom\application data\microsoft\Protect\hqauwf.lb (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dom\application data\microsoft\Protect\yhsb.ul (Backdoor.Agent) -> Quarantined and deleted successfully.

Edited by DevOneGlitter, 06 December 2011 - 09:50 PM.
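An added example, not part of the post above and not Malwarebytes' own tooling: a small Python parser for the Anti-Malware 1.x text log format pasted above. It pulls out the scan metadata, the per-section counts and each detection line, then answers the two questions a helper reading several of these logs wants answered: which detections were reported but not actually quarantined, and which sections have a summary count that does not match the items listed (the usual sign of a truncated paste). The first sample log is abridged from the post's first scan; the second is constructed for the example, with its file names and its "No action taken" entry invented to show both checks firing.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs (the format pasted above)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One detection line: item (classification) -> [Bad: (x) Good: (y) ->] action.
_DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
_SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")  # "Files Infected: 2"
_HEADER = re.compile(r"^(?P<section>.+ Infected):$")                   # "Files Infected:"


@dataclass
class Detection:
    section: str
    item: str
    classification: str
    action: str
    bad: Optional[str] = None   # only present for registry data items
    good: Optional[str] = None


@dataclass
class ScanReport:
    version: str = ""
    database_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    safe_mode: bool = False
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanReport:
    """Walk the log once: summary counts come first, then one block per section header."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split()[-1]
        elif line.startswith("Database version: "):
            report.database_version = line.split(": ", 1)[1]
        elif line.startswith("Windows ") and "(Safe Mode)" in line:
            report.safe_mode = True
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
        elif (m := _SUMMARY.match(line)):
            report.counts[m["section"]] = int(m["count"])
        elif (m := _HEADER.match(line)):
            section = m["section"]
        elif section and line != "(No malicious items detected)":
            m = _DETECTION.match(line)
            if m:
                report.detections.append(Detection(
                    section, m["item"], m["cls"], m["action"], m["bad"], m["good"]))
    return report


def not_removed(report: ScanReport) -> List[Detection]:
    """Detections MBAM reported but did not quarantine (e.g. 'No action taken')."""
    return [d for d in report.detections
            if not d.action.startswith("Quarantined and deleted")]


def count_mismatches(report: ScanReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count differs from the items actually listed: (claimed, listed)."""
    seen: Dict[str, int] = {}
    for d in report.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in report.counts.items()
            if n != seen.get(s, 0)}


# Abridged from the first log in the post above.
LOG_A = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 7622
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|)
Objects scanned: 237113
Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed for this example: a safe-mode log with one file MBAM could not remove
# and a registry-key count whose items are missing, as in a truncated paste.
LOG_B = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8320
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Quick scan
Objects scanned: 1000
Registry Keys Infected: 1
Files Infected: 2

Files Infected:
c:\temp\sample-a.tmp (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\temp\sample-b.tmp (Backdoor.Agent) -> No action taken.
"""
```

Run `parse_mbam_log(LOG_B)` through `not_removed` and `count_mismatches` to see the constructed log flagged on both counts; the same calls on `LOG_A` return nothing, which is what a clean removal looks like.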

#2 DevOneGlitter

Posted 06 December 2011 - 11:10 PM

Hmm I seem to have stopped the redirects using SysInternals "AutoRuns" program. No idea which entry did it as of now. I'm going to go through a process of elimination and will report back what did the trick. The only entry I outright deleted was called CatchMe.sys in HKLM/system/currentcontrolset/services. I disabled quite a lot of other entries, still narrowing it down using process of elimination.

After a process of elimination I've figured out CatchMe.sys was causing the redirects, or maybe I got lucky with ComboFix on another run. I re-enabled everything with the Sysinternals Autoruns program a couple at a time and the redirects never returned. Leads me to believe CatchMe.sys was the culprit the whole time and I got lucky on the first shot.

Had a "My Web Search" provider in the search engine toolbar options in IE worth noting. Removing it did nothing for the redirects so I went through the registry manually to remove all instances. Seems to be attached to "YourLocalLotto Toolbar" entries for whatever reason. So far so good. No idea if TDSS is there but the redirects stopped and the computer functions normally enough to take a long-term approach as it's in much better health now to do so.

Yeah I solved my own issue but who knows if this might help someone in the future. Toodles.

Edited by DevOneGlitter, 07 December 2011 - 04:24 AM.


#3 izombie73

Posted 17 December 2011 - 06:02 PM

Thank you, Thank you, Thank you!!!
I had the exact same thing on a pc that came in to the shop. Pulled my hair out trying everything, just like you.
The kicker for me is TDSSKiller wouldn't run at all and even though combofix and rkill looked like they were trying to run, they never did.

Unbelievably I booted into the PC with Hiren's Boot CD and loaded the remote registry for the infected hard drive. I couldn't find the item you described below exactly (CatchMe.sys) in the registry.

I tried some variations; I searched for me.sys simply and the catchme folders showed up.
I deleted 2 of them and rebooted. Everything runs now: TDSS, ComboFix, RKill, etc. Still testing the system with a few other AV/spyware checkers but it's looking good.

I'll post back when I know for sure... Thanks so much for the follow-up to your own post. So many folks seek help and then never complete their own post; you're never sure what worked or didn't.
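The Autoruns pass in post #2 and the offline-hive search in post #3 both come down to walking HKLM\SYSTEM\CurrentControlSet\Services and deciding which entries deserve a look. The Python below is an added example, not code from either poster or from Sysinternals: it reduces that review to the one check Autoruns itself surfaces as "File not found", resolving each service's ImagePath (and, for svchost-hosted services, Parameters\ServiceDll) to a path on disk and listing entries whose binary is gone. A stale service key whose driver a removal tool has already quarantined shows up exactly this way, as does a key whose file name you cannot find when searching the hive by hand. The handling of the \SystemRoot\, \??\, %SystemRoot% and bare system32\ prefixes is my simplification of how the service control manager treats them, not its exact logic; the service names and paths in the sample set are constructed (the "example*" entries are hypothetical); and `collect_services_windows` is the only part that touches a real registry, so it needs Windows and is not exercised by the offline sample.

```python
"""List service/driver registry entries whose binary is missing from disk."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

try:
    import winreg            # Windows only; the offline sample below never needs it
except ImportError:
    winreg = None


@dataclass
class ServiceEntry:
    name: str
    image_path: str                     # raw ImagePath value
    service_dll: Optional[str] = None   # Parameters\ServiceDll for svchost-hosted services


def resolve_image_path(raw: str, system_root: str = r"C:\WINDOWS") -> str:
    """Turn a raw ImagePath/ServiceDll value into a filesystem path.

    Simplified rules (an assumption, not the SCM's exact behaviour): strip quotes
    and command-line arguments, then map the common prefixes onto system_root.
    """
    p = raw.strip()
    if p.startswith('"'):                                   # "C:\path\x.exe" -args
        p = p[1:].split('"', 1)[0]
    else:                                                   # C:\path\x.exe -args
        m = re.match(r"(?i)(.*?\.(?:exe|sys|dll))(?:\s|$)", p)
        if m:
            p = m.group(1)
    low = p.lower()
    if low.startswith("\\??\\"):                            # NT object-manager prefix
        p = p[4:]
    elif low.startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%\\"):
        p = system_root + p[len("%systemroot%"):]
    elif not re.match(r"[a-zA-Z]:\\", p):                   # e.g. system32\drivers\x.sys
        p = system_root + "\\" + p
    return p


def find_missing_binaries(entries: List[ServiceEntry], exists: Callable[[str], bool],
                          system_root: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Return (service, value name, resolved path) for every referenced file that is absent.

    `exists` is injected so the check can run against a live disk, a mounted image,
    a file listing from another machine, or (below) a constructed set of paths.
    """
    missing = []
    for e in entries:
        for label, raw in (("ImagePath", e.image_path), ("ServiceDll", e.service_dll)):
            if raw:
                path = resolve_image_path(raw, system_root)
                if not exists(path):
                    missing.append((e.name, label, path))
    return missing


def _read_value(key, name):
    try:
        return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def collect_services_windows(services_key=r"SYSTEM\CurrentControlSet\Services") -> List[ServiceEntry]:
    """Read entries from the live registry (Windows only).

    A hive loaded offline under HKLM from a boot CD has no CurrentControlSet link;
    pass its mounted name instead, e.g. r"OfflineSystem\ControlSet001\Services"
    (the mount name is an assumption).
    """
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services_key) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as k:
                image = _read_value(k, "ImagePath")
                if image is None:                            # group/legacy keys have none
                    continue
                dll = None
                try:
                    with winreg.OpenKey(k, "Parameters") as pk:
                        dll = _read_value(pk, "ServiceDll")
                except OSError:
                    pass
            entries.append(ServiceEntry(name, image, dll))
    return entries


# Constructed sample: four ordinary-looking entries plus two hypothetical ones whose files are gone.
SAMPLE_ENTRIES = [
    ServiceEntry("Beep", r"system32\drivers\beep.sys"),
    ServiceEntry("Eventlog", r"%SystemRoot%\system32\services.exe"),
    ServiceEntry("wuauserv", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"%SystemRoot%\system32\wuauserv.dll"),
    ServiceEntry("ExampleApp", r'"C:\Program Files\Example\svc.exe" /run'),
    ServiceEntry("exampledrv", r"\??\C:\WINDOWS\system32\drivers\exampledrv.sys"),
    ServiceEntry("examplesvc", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"%SystemRoot%\system32\examplesvc.dll"),
]
SAMPLE_DISK = {p.lower() for p in (
    r"C:\WINDOWS\system32\drivers\beep.sys", r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\wuauserv.dll",
    r"C:\Program Files\Example\svc.exe")}


def demo_missing() -> List[Tuple[str, str, str]]:
    """Run the check against the constructed entries and constructed file list."""
    return find_missing_binaries(SAMPLE_ENTRIES, lambda p: p.lower() in SAMPLE_DISK)


if __name__ == "__main__":
    for name, label, path in demo_missing():
        print(f"{name}: {label} -> {path} (file not found)")
```

On a Windows machine, `find_missing_binaries(collect_services_windows(), os.path.exists)` gives the live equivalent of the sample run. A missing file is a reason to look at an entry, not proof of anything by itself: compare the list against a known-clean build of the same Windows version before deleting keys, since some legitimate entries also outlive their binaries.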

#4 izombie73

Posted 17 December 2011 - 06:59 PM

OK, just a follow-up. So far so good. There were 2 trojans removed by TDSS. ComboFix fixed a bunch of stuff also. Subsequent scans are showing nothing. Google and other webpages redirecting is not happening anymore. Completing a batch of Windows updates. Will test some more and post back.

#5 izombie73

Posted 19 December 2011 - 05:49 PM

Well it seems to have done the trick quite nicely. Thanks again, hope this helps someone down the line.
