
Windows Security Fix 2011 Browser Hijack


5 replies to this topic

#1 ksund

ksund

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 22 February 2012 - 11:15 AM

Hello,

My Firefox seems to be infected with the Security Fix 2011 hijack. I keep getting popups that I can't close.

I went through some of the posts in your forum and found others with the same issue. I downloaded and ran ComboFix after turning off Microsoft Security Essentials. It's only after running this that I realized the risk of running ComboFix without help.

When I ran it, it first creates the system restore point successfully and then starts scanning. It's currently stuck on the screen where it says "that ComboFix typically takes 10 minutes to run, but sometimes....."

I am pretty sure it's stuck and am wondering if I should restart. Since I ran ComboFix already, my internet connection seems to be disabled, so I have no way of getting the DDS file to be able to post here.

Please do help removing this malware.

Thanks



#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:01:34 PM

Posted 25 February 2012 - 01:25 AM

Welcome to the forum, ksund!

If you still need help, please follow the procedure in Item 6, on Manually restoring the Internet connection:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore

Check the Internet connection. If still not working...

Let's do an additional check...
(You may need to download the following programs to a USB flash drive (or other removable media) on a clean computer, and then move them to the Desktop of the computer with the problem.)


Please download Farbar Service Scanner
Save to the USB flash drive

Move the program to the Desktop of the infected computer.

Double-click the downloaded file, and run it on the computer with the issue.
  • Make sure the Include All Files option is checked.
  • Press: Scan
  • When done, the tool creates a log, FSS.txt, on the Desktop.

Please provide the FSS.txt in your reply.


Also, download RogueKiller
It is the dark blue button next to (Download link) Lien de téléchargement

• Save to the Desktop of the infected computer (from the flash drive, if necessary)
• Close all windows and browsers
• XP: Double-click the downloaded file to run it
• Vista/Seven: Right-click the program and select 'Run as Administrator'
• Press: SCAN
• A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.

Note:
If RogueKiller is blocked by the malware, try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.

Old duck...
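
The post above asks for two things before continuing: confirm the Internet connection is back after ComboFix, and run Farbar Service Scanner to see which Windows services the infection may have stopped or removed. The script below is an added example, not code from the thread or from Farbar/BleepingComputer, that performs the same two checks from an elevated PowerShell prompt on the infected machine, plus a look at the hosts file. The probe host name, the list of service names and the "default hosts file" rule are assumptions made for this example; adjust them to your environment.

```powershell
# Added example (not from the thread): post-ComboFix sanity check.
# Assumes Windows Vista/7 with PowerShell 2.0+, run as Administrator.
# $probeHost, the service list and the hosts-file rule are assumptions.

$probeHost = 'www.bleepingcomputer.com'   # assumed reachable host for the test

# 1. Connectivity: ICMP first, then DNS, so a dead adapter is distinguishable
#    from broken name resolution (e.g. a wiped or hijacked hosts file).
$ping = Test-Connection -ComputerName $probeHost -Count 2 -Quiet -ErrorAction SilentlyContinue
try   { $dns = [System.Net.Dns]::GetHostAddresses($probeHost) | Select-Object -First 1 }
catch { $dns = $null }
"Ping $probeHost : $ping"
"DNS  $probeHost : $(if ($dns) { $dns.IPAddressToString } else { 'FAILED' })"

# 2. Services that rogue AV / rootkit infections commonly stop or delete and
#    that a service scanner reports on. Standard Win7 service names (assumed).
$wanted = @{
  'BFE'       = 'Base Filtering Engine'
  'MpsSvc'    = 'Windows Firewall'
  'wscsvc'    = 'Security Center'
  'wuauserv'  = 'Windows Update'
  'WinDefend' = 'Windows Defender'
  'Dhcp'      = 'DHCP Client'
  'Dnscache'  = 'DNS Client'
}
foreach ($name in $wanted.Keys) {
  $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
  if ($svc) {
    # StartMode (Auto/Manual/Disabled) comes from WMI; Get-Service lacks it on PS 2.0.
    $start = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    "{0,-10} {1,-22} {2,-8} start={3}" -f $name, $wanted[$name], $svc.Status, $start
  } else {
    # A missing service key usually means the malware deleted it, not just stopped it.
    "{0,-10} {1,-22} MISSING (service key deleted?)" -f $name, $wanted[$name]
  }
}

# 3. Hosts file: list active (non-comment) entries so you can tell an emptied
#    file from one that still carries redirects to attacker-controlled hosts.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
  $entries = @(Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
  "hosts: $($entries.Count) active entries"
  # Anything other than the loopback/localhost line deserves a look (assumed rule).
  $entries | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { "  review: $_" }
} else {
  "hosts: FILE MISSING at $hosts"
}
```

If the ping fails but DNS resolves, the adapter or firewall state is the problem and the manual-restore steps in the linked ComboFix guide (or `netsh winsock reset` followed by a reboot) are the next thing to try; if services show as MISSING, that is exactly the condition the Farbar Service Scanner log is meant to surface, so post that log rather than trying to recreate the services by hand.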


#3 ksund

ksund
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 27 February 2012 - 01:29 PM

Aaflac,

Thanks for your reply. Since my posting, the ComboFix I executed went through to completion. The total time it took to complete was about 2 1/2 hours. During this process I got the exception "rootkit.zeroaccess found" and it attempted to remove it. I think it was able to remove it because my laptop restarted a few times and now it works fine. There's no sign of the initial infection. Firefox and IE are working now with no issue. Internet connectivity is also normal.

I have attached the logs for ComboFix, aswMBR, TDSSKiller and Malwarebytes Anti-Malware. I ran the rest after I got a successful run from ComboFix. All the other scans came out successful with no issues found. I had to get my system back soon since this was a work laptop, and found another thread that recommended running these tools.

Can you please analyze the logs and tell me if everything seems OK? Since it's been a couple of days since this issue occurred, I was hoping to run the other tools you recommended after making sure you had an idea of where the issue is now.

Thanks a lot for your help!

Attached Files



#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:01:34 PM

Posted 27 February 2012 - 10:12 PM

Since your Internet connection is back in business, there is no need to post the Farbar Service Scanner.

The reports for aswMBR, TDSSKiller, and MBAM look OK; however, they are 5 days old.

Still have to take a good look at the ComboFix.txt, and will get back with you after doing so.


Since the machine was infested with a fake rogue, please press on and run RogueKiller.
It analyzes the system for rogue security software.

Two questions for you:
1. On the name of the fake security program the computer was infected with, was it definitely Security Fix 2011? These fake rogues go by many names...

2. Are you experiencing any odd symptoms or behaviors on your computer that give you a reason to believe it is currently infected?


Also, please do the following:

Download Security Check
Save to the Desktop.

Right-click SecurityCheck.exe and select: Run as Administrator
Follow the on-screen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the checkup.txt in your reply.

Old duck...


#5 ksund

ksund
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 27 February 2012 - 11:22 PM

Aaflac,

I ran both RogueKiller and Security Fix. Attached both the logs with this reply. Please review.

With regard to your questions:
1) Yes, I am certain it said Security Fix 2011. It came up on one of the tabs I was browsing on. I did not close that tab when it came up. I opened another window and was able to log this issue by keeping it open.
2) I don't have any issues that lead me to believe that my computer is currently infected. Performance hasn't slowed down, nor have I had that issue pop up again. I am a little concerned since I got the warning for rootkit.zeroaccess. On further reading, I learned that this type of virus is hard to detect and remove from the laptop. Also, when I was running ComboFix, I got the error "freeware implementation of xcacls has stopped working". But ComboFix continued to finish successfully and restore the computer. I did notice that my hosts file got wiped out.

Hope I have provided enough information. Appreciate your help in this.

Attached Files



#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:01:34 PM

Posted 28 February 2012 - 01:00 AM

Those reports look OK also.

Since the ComboFix report is a few days old, please remove the copy you have, and download a new one:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your firewall and any other anti-spyware applications. They may interfere with the running of CF.

Note: For information on how to disable protective programs, refer to this link:
http://www.bleepingcomputer.com/forums/topic114351.html


Vista/Windows 7 - Right click and select: Run as Administrator

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Also, please download the latest version of: TDSSKiller.exe

Execute the downloaded file:
Vista/Windows 7 - Right click and select: Run as Administrator

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box beside: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the user to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.02.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also need to know whether TDSSKiller needed a reboot.

Thanks.

Old duck...
