Browser Redirect & Trojan:JS/Medfos.B


This topic is locked
34 replies to this topic

#1 freedom eagle

Posted 19 December 2012 - 05:53 PM

I am severely infected with a browser redirect virus and Trojan:JS/Medfos.B, plus there could be other hidden infections like ZeroAccess. I have installed MSE and did a complete scan and I deleted and removed the history results (which may have been a mistake), but it still shows continuous pop-ups that it's cleaning the Trojan:JS/Medfos.B infection, but it's still there. I will be honest, I have tried running adwcleaner.exe, roguekiller.exe, tdsskiller (won't run even after I renamed it) and combofix (it never completed, stalled even going overnight) that were outlined on previous forums. I need help as I don't believe that MSE has actually removed it. Thanks.

#2 CatByte
  • Malware Response Team

Posted 19 December 2012 - 09:33 PM

What operating system are you using?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 freedom eagle

Posted 20 December 2012 - 12:57 PM

I am using Windows XP Professional SP3.

#4 CatByte

Posted 20 December 2012 - 01:20 PM

Please do the following:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

Edited by CatByte, 20 December 2012 - 01:21 PM.



#5 freedom eagle

Posted 20 December 2012 - 03:54 PM

Thanks for the assistance. I have run RogueKiller as directed. I have posted the 3 reports.
Thanks for the help. I think I posted the reports correctly. I have never done this before, so I attached the file and selected "add to post". Thanks.

Attached File  RKreport1_S_12202012_02d1210.txt   5.24KB   2 downloads

Attached File  RKreport2_D_12202012_02d1211.txt   5.05KB   4 downloads

Attached File  RKreport3_SC_12202012_02d1213.txt   1.74KB   2 downloads

#6 CatByte

Posted 20 December 2012 - 03:59 PM

Please run the following:

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#7 freedom eagle

Posted 20 December 2012 - 04:36 PM

Should I run ComboFix in safe mode or normal mode? Once it starts, how long should it take to complete? As I indicated in my first posting, I did attempt to run ComboFix a few days ago and it froze and never completed.
Thanks.

#8 CatByte

Posted 20 December 2012 - 08:12 PM

Please run it in normal mode; it can take an hour on some infected machines, so be patient with it and wait till it produces a log.



#9 freedom eagle

Posted 20 December 2012 - 09:17 PM

Thanks for the clarification. I have been running ComboFix for nearly 2 hours now and all it shows is the blinking cursor. No stages have been completed. Since this is a work computer, I am going home for the night and will let it run all night and see if it produces a log. I will reply back in the morning.
Thanks.

#10 CatByte

Posted 20 December 2012 - 09:20 PM

OK, I thought after running RogueKiller it may have helped, but if you find that it stalled, then boot into safe mode and run it from safe mode.

If it still won't run in safe mode, run the following instead:


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



#11 freedom eagle

Posted 21 December 2012 - 12:13 PM

Here's what happened: ComboFix in normal mode froze. I disabled Symantec and have tried to run ComboFix in safe mode, but suddenly a DefWatch active scan popped up and it froze as well. The DefWatch scan found 18 threats; I closed DefWatch without removing threats, as I was not directed to run this type of scan. However, when I reboot I get the blue screen with physical dumping. The blue screen has happened 3 times. I never got to run Malwarebytes Anti-Rootkit. Should I try and run Malwarebytes Anti-Rootkit in safe mode, as I can't boot the machine in normal mode right now? Thanks

#12 freedom eagle

Posted 21 December 2012 - 12:20 PM

Update: the 4th reboot finally made it to the desktop. I will proceed with Malwarebytes Anti-Rootkit and will post when finished.

#13 CatByte

Posted 21 December 2012 - 12:29 PM

OK



#14 freedom eagle

Posted 21 December 2012 - 01:32 PM

I successfully ran Malwarebytes Anti-Rootkit; the first scan found 5 threats that were cleaned, and the second scan found no threats. I have posted the requested system log and both mbar logs. FYI, Internet Explorer is showing boxes with a red X on websites. When I right-click the properties, it looks like they are PNG images. These images are visible when I use Chrome. Thanks for the continued help.

Attached File  system-log.txt   340.73KB   2 downloads

Attached File  mbar-log-2012-12-21 (09-47-51).txt   3.3KB   2 downloads

Attached File  mbar-log-2012-12-21 (10-12-02).txt   1.81KB   2 downloads

#15 CatByte

Posted 21 December 2012 - 01:52 PM

Please give ComboFix another try (you may need to download a fresh copy and make certain your security programs are disabled).
