
Help Needed with Browser Hijack/Virus Downloader


15 replies to this topic

#1 pc-pin-nc


Posted 05 January 2014 - 09:13 AM

Hi,

 

I have been battling a slew of trojans and viruses for the past week and can't get the root of the problem resolved.  Between a combination of Hitman Pro, Stopzilla, Malware Bytes, MS Security Essentials, Spybot and several others, I have been finding and identifying many viruses and trojans and quarantining them.  However, there is still at least one more on my Windows 7 machine that keeps redirecting my browser and downloading new ones.  One of the deadliest that it keeps downloading is Rootkit.boot.pihar.c, but fortunately I have a Kaspersky boot disk that I have been booting from and removing that rootkit virus when it occurs.

 

My current situation, and the behavior that I began seeing a week ago when this all started, is a browser hack that keeps displaying ads that pop up in the lower left-hand corner of the browser and random periodic redirects to an unwanted page when I click a normal link while doing my regular browsing.  These redirects are taking me to a page that downloads additional viruses and trojans.  One common URL for these redirects is all-aboutgames.net and these lower left popup ads are displaying images with sources similar to this: http://content.yieldmanager.edgesuite.net/atoms/0e/8f/35/cc/0e8f35ccc2179f67045046f82874fe67.jpg       

 

Any suggestions or assistance that you could give me in cleansing my machine would be greatly appreciated!

 

Thanks,

 

Phil

 



 


#2 xXToffeeXx (Malware Response Instructor)

Posted 05 January 2014 - 01:51 PM

Hi Phil,
 
Run these for me:

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

 

----------
 
Update Malwarebytes and run a scan for me:
 
----------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

----------

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

xXToffeeXx~


Edited by xXToffeeXx, 05 January 2014 - 01:53 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 pc-pin-nc (Topic Starter)

Posted 05 January 2014 - 05:50 PM

xXToffeeXx~,

 

Thanks for replying and for your assistance.  I completed each of your recommended steps and here are the result logs:

 

PLEASE NOTE: When JRT ran, it gave an error "Could not find file C:\windows\regedit.exe", but I just checked and that file is there.  Plus, I just ran it independently of JRT and it opened.

 

 

-------- TDSSKiller Log: --------------

 

IMPORTANT:  This log made my reply TOO LARGE TO POST.   Can I email this log file to you separately?  The text file for this log is 543K.
 

 

 

-------- MalwareBytes Log: --------------    NOTE: I did not "clean/remove" these objects

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.05.04

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
philc2 :: PHILLAPTOP [administrator]

1/5/2014 3:18:10 PM
MBAM-log-2014-01-05 (16-50-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 312305
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|6476 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\mshtuow.bat -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\PChapman\AppData\Local\Temp\vxxble.exe (Trojan.Inject.ED) -> No action taken.

(end)

 

 

 

-------- ADWCleaner Log: --------------

 

 

# AdwCleaner v3.016 - Report created 05/01/2014 at 17:00:07
# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Professional  (64 bits)
# Username : philc2 - PHILLAPTOP
# Running from : C:\Users\PChapman\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Search Protection
Folder Deleted : C:\ProgramData\SpeedyPC Software
Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
Folder Deleted : C:\Users\PChapman\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\PChapman\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\PChapman\AppData\Roaming\SpeedyPC Software

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\adawarebp_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\adawarebp_rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : HKCU\Software\SpeedyPC Software
Key Deleted : HKCU\Software\AppDataLow\Software\adawaretb
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\SpeedyPC Software
Key Deleted : HKLM\Software\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16476

-\\ Mozilla Firefox v3.5.5 (en-US)

[ File : C:\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\prefs.js ]

[ File : C:\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\prefs.js ]

[ File : C:\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\prefs.js ]

[ File : C:\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\prefs.js ]

[ File : C:\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\prefs.js ]

-\\ Google Chrome v32.0.1700.41

[ File : C:\Users\PChapman\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\PChapman\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6845 octets] - [28/12/2013 13:15:45]
AdwCleaner[R1].txt - [1804 octets] - [28/12/2013 23:40:52]
AdwCleaner[R2].txt - [4258 octets] - [05/01/2014 16:53:27]
AdwCleaner[S0].txt - [5599 octets] - [28/12/2013 13:21:43]
AdwCleaner[S1].txt - [1683 octets] - [28/12/2013 23:42:59]
AdwCleaner[S2].txt - [3440 octets] - [05/01/2014 17:00:07]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [3500 octets] ##########

 

 

 

-------- JRT Log: --------------

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.9 (01.01.2014:1)
OS: Windows 7 Professional x64
Ran by philc2 on Sun 01/05/2014 at 17:11:51.99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\adawarebp
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\adawarebp_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\adawarebp_rasmancs

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\PChapman\appdata\local\adawarebp"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/05/2014 at 17:21:28.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


Thanks again for your help and I will hold tight until I hear back from you.

 

Phil



#4 xXToffeeXx (Malware Response Instructor)

Posted 06 January 2014 - 11:05 AM

Hi Phil,

 

Upload the TDSSKiller log here then, and copy the link into your next reply.

 

Also please re-run Malwarebytes and delete anything found.

 

How is the computer running now? Any redirects, or ads?

 

-------------

 

  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind 
 regedit.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

 

xXToffeeXx~


Edited by xXToffeeXx, 06 January 2014 - 11:05 AM.



#5 pc-pin-nc (Topic Starter)

Posted 06 January 2014 - 11:40 AM

xXToffeeXx,

 

OK, the TDSSKiller Log has been uploaded to http://www.filedropper.com/tdsskiller2816005012014151019log  

 

Now, I am going to perform those other tasks then I will reply again.

 

Thanks,

 

Phil



#6 pc-pin-nc (Topic Starter)

Posted 06 January 2014 - 12:48 PM

xXToffeeXx,

 

I re-ran Malwarebytes and it found and deleted one of the prior infections it found.

 

Also, when I rebooted, Stopzilla ran a scan and found and quarantined the following:

 

Block/Extraction  General  2014-01-06 11:51:07 Extracted package System Policies.DisableTaskMgr
Block/Extraction  General  2014-01-06 11:51:07 Extracted package System Policies.DisableRegistryTools
Warning/Detection  General  2014-01-06 11:50:20 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1956048121-1778976855-758530457-1000\software\microsoft\windows\currentversion\policies\system
Block/Extraction  General  2014-01-06 11:50:20 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1956048121-1778976855-758530457-1000\software\microsoft\windows\currentversion\policies\system
 

 

Here are the results of the SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 12:45 on 06/01/2014 by philc2
Administrator - Elevation successful

========== filefind ==========

Searching for "regedit.exe"
C:\temp\syswow64\regedit.exe --a---- 398336 bytes [20:03 27/10/2011] [01:14 14/07/2009] 8A4883F5E7AC37444F23279239553878
C:\temp\Win_Backup\SysWOW64\regedit.exe --a---- 398336 bytes [20:07 27/10/2011] [01:14 14/07/2009] 8A4883F5E7AC37444F23279239553878
C:\Windows\regedit.exe --a---- 427008 bytes [23:27 13/07/2009] [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\erdnt\cache86\regedit.exe --a---- 427008 bytes [00:44 30/12/2013] [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe --a---- 427008 bytes [23:27 13/07/2009] [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe ------- 398336 bytes [23:17 13/07/2009] [01:14 14/07/2009] 8A4883F5E7AC37444F23279239553878

-= EOF =-

 

 

Also, I am still encountering redirects and popup ads the same as before.  Perhaps you may find something in that TDSSKiller log I uploaded earlier.

 

I will await further instruction from you.

 

Thanks again for your help!

 

Phil
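The Malwarebytes hit earlier in the thread (a Policies\Explorer\Run value launching a .bat out of a Temp folder) and the DisableTaskMgr / DisableRegistryTools values Stopzilla just removed are two sides of the same persistence-plus-lockout pattern, so here is an added, read-only PowerShell audit of exactly those registry locations; it is not from the thread or from any of the tools named in it. The suspect path fragments and script extensions are my own heuristics, and the script assumes Windows 7 with PowerShell 2.0 or later. It reports; it deletes nothing.

```powershell
# Added example, not from the thread or from any tool named in it: a read-only
# audit of the autostart and policy keys the scanners flagged. Reports only,
# deletes nothing. Assumes Windows 7 with PowerShell 2.0 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',   # where the .bat was registered
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# My own heuristics (constructed for this example): a legitimate autostart rarely
# launches a script, or anything from a Temp/ProgramData/Public location. The
# Malwarebytes hit ran C:\PROGRA~3\LOCALS~1\Temp\mshtuow.bat, which trips both.
$suspectPathFragments = @('\temp\', '\locals~1\', '\appdata\local\', '\programdata\', '\users\public\')
$scriptPattern        = '\.(bat|cmd|vbs|js|scr)(\s|"|$)'

function Test-SuspiciousAutorun {
    param([string]$Command)
    $lower = $Command.ToLower()
    foreach ($frag in $suspectPathFragments) {
        if ($lower.Contains($frag)) { return $true }
    }
    return [bool]($lower -match $scriptPattern)
}

function Get-AutorunFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not registry values
            $flag = Test-SuspiciousAutorun -Command ([string]$p.Value)
            New-Object PSObject -Property @{
                Suspicious = $flag
                Name       = $p.Name
                Command    = [string]$p.Value
                Key        = $key
            }
        }
    }
}

function Get-ToolRestrictions {
    # Non-zero DisableTaskMgr / DisableRegistryTools lock the user out of the tools
    # needed to inspect the machine; Stopzilla found both in the user's hive.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = $null
        if (Test-Path $policyKey) {
            $val = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        New-Object PSObject -Property @{
            Policy = $name
            Value  = $val
            Locked = (($val -ne $null) -and ($val -ne 0))
        }
    }
}

Get-AutorunFindings | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Key -AutoSize
Get-ToolRestrictions | Format-Table Policy, Value, Locked -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; a Suspicious=True row is a lead to investigate, not proof of infection, since some installers do use those locations.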



#7 xXToffeeXx (Malware Response Instructor)

Posted 06 January 2014 - 02:43 PM

Hi Phil,

 

TDSSKiller found some indications of a rootkit infection still there, so do this for me:

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Detect TDLFS file system.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • From the drop-down menu choose delete ONLY for TDSS File System (if present).
  • Post the log at pastebin and post the link to the log in your next reply.

 

---------

 

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

:filefind
qagentRT.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

See how the computer is running now.

 

xXToffeeXx~




#8 pc-pin-nc (Topic Starter)

Posted 06 January 2014 - 03:58 PM

xXToffeeXx,

 

OK, here's what happened.  I ran TDSSKILLER as you suggested, it found the TDSS File System and I deleted it.  Then I ran SystemLook and it found that file (see log below).   Then I opened a new IE browser (IE ver 9 btw) session and the first link I clicked on in Yahoo caused the redirect to kick in, it took me to an unknown page that immediately re-infested with the Rootkit.boot.pihar.c virus.  So, as it auto-rebooted me (immediately), I switched to boot back up into my Kaspersky recovery disk and removed that virus yet AGAIN!

 

So, I'm thinking I need to do a deep file cleaning from that Kaspersky boot disk but it looks like it will take several hours, so I'll need to do that from home tonight, and I will.  I'm thinking this may allow me to remove the TDSS File System through an external boot device for more permanent removal.  Do you agree?

 

In the meantime, do I need to be concerned about this DLL below and what actions should I take with it?

 

SystemLook 30.07.11 by jpshortstuff
Log created at 15:48 on 06/01/2014 by philc2
Administrator - Elevation successful

========== filefind ==========

Searching for "qagentRT.dll"
C:\Windows\System32\QAGENTRT.DLL --a---- 475648 bytes [00:08 14/07/2009] [01:41 14/07/2009] C571BDBF773DD7081FFD84B3D5F449D1
C:\Windows\winsxs\amd64_microsoft-windows-n..essprotection-agent_31bf3856ad364e35_6.1.7600.16385_none_628d26c50731fdaa\QAGENTRT.DLL --a---- 475648 bytes [00:08 14/07/2009] [01:41 14/07/2009] C571BDBF773DD7081FFD84B3D5F449D1

-= EOF =-

 

 

Thank You,

 

Phil
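The lookup the thread runs twice with SystemLook's :filefind (regedit.exe, then qagentRT.dll), done by hand in PowerShell as an added example that is not from the thread or from SystemLook: it lists every copy of a file name under a root with size, timestamps and MD5, and marks any copy whose hash differs from the copies Windows keeps in WinSxS, which is the comparison a helper makes by eye on the logs above. Assumes Windows 7 (PowerShell 2.0 or later) with the system drive at C:\; the parameter defaults are mine.

```powershell
# Added example, not from the thread or from SystemLook: the ":filefind" lookup
# done by hand, plus a hash comparison against the WinSxS component-store copies.
# Read-only. Assumes Windows 7 (PowerShell 2.0 or later) and the system drive at C:\.
param(
    [string]$FileName = 'regedit.exe',   # first name the thread looked up
    [string]$Root     = 'C:\'
)

function Get-Md5Hex {
    # SystemLook reports MD5, so the same algorithm gives a like-for-like value.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($fs) }
    finally { $fs.Close() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Find-FileCopies {
    # Every file with this exact name under $SearchRoot, hidden and system files included.
    param([string]$Name, [string]$SearchRoot)
    Get-ChildItem -Path $SearchRoot -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Bytes    = $_.Length
                Modified = $_.LastWriteTime
                Created  = $_.CreationTime
                MD5      = Get-Md5Hex $_.FullName
            }
        }
}

$copies = @(Find-FileCopies -Name $FileName -SearchRoot $Root)
if ($copies.Count -eq 0) { "No file named $FileName found under $Root"; return }

# Reference set: the copies Windows services itself. A 64-bit system keeps one per
# architecture (amd64_... and wow64_...), so both hashes count as known-good; in the
# regedit.exe log above, every copy outside WinSxS matched one of the two.
$winsxs    = Join-Path $env:SystemRoot 'winsxs'
$reference = @($copies | Where-Object { $_.Path -like "$winsxs\*" } |
               ForEach-Object { $_.MD5 } | Sort-Object -Unique)

"Searching for `"$FileName`" ($($copies.Count) copies found)"
foreach ($c in $copies) {
    if     ($reference -contains $c.MD5) { $verdict = 'matches WinSxS' }
    elseif ($reference.Count -eq 0)      { $verdict = 'no WinSxS reference' }
    else                                 { $verdict = 'HASH DIFFERS - inspect' }
    '{0,-22} {1,8} bytes  mod {2:dd/MM/yyyy HH:mm}  {3}  {4}' -f `
        $verdict, $c.Bytes, $c.Modified, $c.MD5, $c.Path
}
```

A differing hash on a copy under C:\Windows is the finding worth raising; stale copies in backup folders (like the C:\temp ones in the log) usually just match the other architecture's WinSxS build.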



#9 xXToffeeXx (Malware Response Instructor)

Posted 06 January 2014 - 04:28 PM

Hi Phil,

The boot disk scan sounds like a good idea, and yes it might be best to let it run overnight. Hopefully it should allow you to remove any traces of the rootkit, but it may be best to do some scans again after.

Nothing should be done with the dll, I was checking something and might want to look into something else with it. Best to leave it for the time being whilst you do the other scan.

xXToffeeXx~



#10 pc-pin-nc (Topic Starter)

Posted 06 January 2014 - 04:33 PM

Thanks.  I'll do the deep scan tonight and send a reply tomorrow.

 

Phil



#11 pc-pin-nc (Topic Starter)

Posted 07 January 2014 - 10:27 AM

Hi xXToffeeXx,

 

I ran that deep scan from the Kaspersky Recovery Disk last night and it found a lot of rootkit and trojan viruses and said that it removed them.  Here is the log from that:

 

1/7/14 7:53 AM Task completed   
1/7/14 7:53 AM Deleted: Rootkit.Win64.TDSS.o sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0007.dta  
1/7/14 7:53 AM Detected: Rootkit.Win64.TDSS.o sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0007.dta  
1/7/14 7:53 AM Deleted: Rootkit.Win32.TDSS.gq sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0006.dta  
1/7/14 7:53 AM Detected: Rootkit.Win32.TDSS.gq sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0006.dta  
1/7/14 7:53 AM Deleted: Rootkit.Win64.TDSS.q sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0003.dta  
1/7/14 7:53 AM Detected: Rootkit.Win64.TDSS.q sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0003.dta  
1/7/14 7:53 AM Deleted: Rootkit.Boot.Pihar.b sda2/TDSSKiller_Quarantine/01.01.2014_23.14.34/mbr0000/mbr0000/tsk0000.dta  
1/7/14 7:53 AM Untreated: Rootkit.Boot.Pihar.b sda2/TDSSKiller_Quarantine/01.01.2014_23.14.34/mbr0000/mbr0000/tsk0000.dta/HDDImage Cannot be disinfected 
1/7/14 7:53 AM Detected: Rootkit.Boot.Pihar.b sda2/TDSSKiller_Quarantine/01.01.2014_23.14.34/mbr0000/mbr0000/tsk0000.dta/HDDImage  
1/7/14 7:52 AM Detected: HEUR:Trojan.Win32.Generic sda2/Qoobox/Quarantine/C/Users/PChapman/AppData/Roaming/verison.dll.vir  
1/7/14 7:52 AM Detected: HEUR:Exploit.Script.Generic /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/18c6dfed-1035cfc3  
1/7/14 7:52 AM Deleted: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 7:52 AM Detected: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 7:52 AM Deleted: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe  
1/7/14 6:44 AM Detected: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE  
1/7/14 6:33 AM Untreated: Rootkit.Win64.TDSS.o sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0007.dta Postponed 
1/7/14 6:33 AM Detected: Rootkit.Win64.TDSS.o sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0007.dta  
1/7/14 6:33 AM Untreated: Rootkit.Win32.TDSS.gq sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0006.dta Postponed 
1/7/14 6:33 AM Detected: Rootkit.Win32.TDSS.gq sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0006.dta  
1/7/14 6:33 AM Untreated: Rootkit.Win64.TDSS.q sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0003.dta Postponed 
1/7/14 6:33 AM Detected: Rootkit.Win64.TDSS.q sda2/TDSSKiller_Quarantine/06.01.2014_23.29.00/tdlfs0000/tsk0003.dta  
1/7/14 6:33 AM Untreated: Rootkit.Boot.Pihar.b sda2/TDSSKiller_Quarantine/01.01.2014_23.14.34/mbr0000/mbr0000/tsk0000.dta/HDDImage Postponed 
1/7/14 6:33 AM Detected: Rootkit.Boot.Pihar.b sda2/TDSSKiller_Quarantine/01.01.2014_23.14.34/mbr0000/mbr0000/tsk0000.dta/HDDImage  
1/7/14 6:28 AM Processing error sda2/Users/Public/Downloads/WindowsXPMode_en-us.exe/PE_Patch/CAB/sources/xpm Read error 
1/7/14 6:28 AM Processing error sda2/Users/Public/Downloads/WindowsXPMode_en-us.exe/PE_Patch/CAB/sources/xpm/VirtualXPVHD Read error 
1/7/14 6:22 AM Untreated: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe Postponed 
1/7/14 6:22 AM Detected: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 6:04 AM Untreated: HEUR:Exploit.Script.Generic sda2/Users/PChapman/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/18c6dfed-1035cfc3 Postponed 
1/7/14 6:04 AM Detected: HEUR:Exploit.Script.Generic sda2/Users/PChapman/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/18c6dfed-1035cfc3  
1/7/14 6:00 AM Untreated: Trojan-Spy.Win32.Zbot.rdgo sda2/Users/PChapman/AppData/Local/Temp/vxxxle.exe Postponed 
1/7/14 6:00 AM Detected: Trojan-Spy.Win32.Zbot.rdgo sda2/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 2:59 AM Untreated: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE Postponed 
1/7/14 2:59 AM Detected: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE  
1/7/14 2:53 AM Untreated: Trojan-Dropper.Win32.Necurs.ssd sda2/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE Postponed 
1/7/14 2:53 AM Detected: Trojan-Dropper.Win32.Necurs.ssd sda2/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE  
1/7/14 2:42 AM Untreated: HEUR:Trojan.Win32.Generic sda2/Qoobox/Quarantine/C/Users/PChapman/AppData/Roaming/verison.dll.vir Postponed 
1/7/14 2:42 AM Detected: HEUR:Trojan.Win32.Generic sda2/Qoobox/Quarantine/C/Users/PChapman/AppData/Roaming/verison.dll.vir  
1/7/14 1:26 AM Processing error /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/Public/Downloads/WindowsXPMode_en-us.exe/PE_Patch/CAB/sources/xpm Read error 
1/7/14 1:26 AM Processing error /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/Public/Downloads/WindowsXPMode_en-us.exe/PE_Patch/CAB/sources/xpm/VirtualXPVHD Read error 
1/7/14 1:20 AM Untreated: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe Postponed 
1/7/14 1:20 AM Detected: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 1:02 AM Untreated: HEUR:Exploit.Script.Generic /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/18c6dfed-1035cfc3 Postponed 
1/7/14 1:02 AM Detected: HEUR:Exploit.Script.Generic /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/18c6dfed-1035cfc3  
1/7/14 12:59 AM Untreated: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe Postponed 
1/7/14 12:59 AM Detected: Trojan-Spy.Win32.Zbot.rdgo /mnt/MountedDevices/PD-2169E425-000000000C800000/Users/PChapman/AppData/Local/Temp/vxxxle.exe  
1/7/14 12:45 AM Untreated: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE Postponed 
1/7/14 12:45 AM Detected: Trojan-Dropper.Win32.Necurs.ssd /mnt/MountedDevices/PD-2169E425-000000000C800000/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{5B018CFF-E683-0884-A884-CE2DA7F55930}-syshost.exe/PE-Crypt.XorPE  
1/7/14 12:30 AM Processing error sda2/dev/latest_beta/BIG_LOGS.zip Read error 
1/7/14 12:30 AM Processing error sda2/dev/latest_beta/BIG_LOGS.zip/ifaxerr.log Read error 
1/6/14 11:37 PM Processing error sda2/dev/clients/ebi/farchive/LPBACKUP.FPT.zip Read error 
1/6/14 11:37 PM Processing error sda2/dev/clients/ebi/farchive/LPBACKUP.FPT.zip/LPBACKUP.FPT Read error 
1/6/14 11:34 PM Task started   
 

 

However, upon re-boot, Stopzilla did an automatic scan and still found a Trojan:

 

Information  General  2014-01-07 08:35:03 Completed system scan.
Information  General  2014-01-07 08:35:02 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 08:35:01 Inspecting WinSock registry (LSP Chain)
Block/Extraction  General  2014-01-07 08:32:46 Terminated service: WSearch - Windows Search
Information  General  2014-01-07 08:32:46 Started system scan.
Block/Extraction  General  2014-01-07 08:32:44 Terminated service: SysMain - Superfetch
Information  General  2014-01-07 08:30:23 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 08:30:23 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 08:30:21 Inspecting registered Internet Explorer toolbars
Information  General  2014-01-07 08:30:14 Inspecting registered Explorer bars
Information  General  2014-01-07 08:30:14 Checking homepage... OK
Information  General  2014-01-07 08:30:14 Inspecting WinSock registry (LSP Chain)
Information  General  2014-01-07 08:28:55 Inspecting registered Browser Helper Objects (BHOs)
Information  General  2014-01-07 08:28:32 Starting process watcher
Block/Extraction  General  2014-01-07 08:26:56 Extracted package Trojan.Win32.Agent.gen
Block/Extraction  General  2014-01-07 08:26:55 Extracted package Cookies (Not Restorable)
Information  General  2014-01-07 08:26:37 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 08:26:37 Inspecting WinSock registry (LSP Chain)
Information  General  2014-01-07 08:26:35 Completed system scan.
Information  General  2014-01-07 08:01:46 Inspecting registered Internet Explorer toolbars
Information  General  2014-01-07 08:00:20 Inspecting registered Explorer bars
Information  General  2014-01-07 07:59:44 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 07:59:44 Checking homepage... OK
Information  General  2014-01-07 07:59:44 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information  General  2014-01-07 07:59:22 Inspecting WinSock registry (LSP Chain)
Information  General  2014-01-07 07:58:40 Started scheduled scan.
Block/Extraction  General  2014-01-07 07:58:40 Terminated service: SysMain - Superfetch
Information  General  2014-01-07 07:58:28 Inspecting registered Browser Helper Objects (BHOs)
Information  General  2014-01-07 07:58:02 Starting process watcher
 

 

So, I told Stopzilla to remove that.

 

I also ran TDSSKILLER one more time and checked the option to Detect TDLFS File System and it ran through without finding anything.

 

 

However, when I run my browser and start clicking on links, the pop-up ads continue and the redirects do as well.

 

Any suggestions on what to check next?

 

Thanks,

 

Phil



#12 xXToffeeXx (Malware Response Instructor)

Posted 07 January 2014 - 11:26 AM

Hi Phil,
 
What browser are you using?
 
Also run these for me:
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

----------

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#13 pc-pin-nc

  • Topic Starter
  • Members
  • 9 posts
  • Local time:03:06 PM

Posted 07 January 2014 - 03:43 PM

xXToffeeXx,

I am running IE9 and Chrome Version 32.0.1700.41 m Aura and I get the pop-up ads and redirects in both.  I am not opposed to upgrading to IE10, but IE11 still has too many issues.  I tried to find a download/upgrade for IE10 but could only find IE11.

Here are the results of the last requested scans.  ESET found and deleted 18 threats, but they look to all be from quarantined areas.

Results of ESET Scan:

C:\AdwCleaner\Quarantine\C\Users\PChapman\AppData\Roaming\Mozilla\Firefox\Profiles\q6snhsym.default\user.js.vir JS/SecurityDisabler.A.Gen application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll a variant of Win32/Toolbar.Visicom.B application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawaretb.dll a variant of Win32/Toolbar.Visicom.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\dtUser.exe a variant of Win32/Toolbar.Visicom.C application cleaned by deleting - quarantined
C:\Program Files (x86)\Win7codecs\Tools\Settings32.exe Win32/Packed.Autoit.C.Gen application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\01.01.2014_23.14.34\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AZF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\01.01.2014_23.14.34\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.BG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\01.01.2014_23.14.34\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.01.2014_14.57.10\tdlfs0000\tsk0000.dta Win32/Olmarik.AZF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.01.2014_14.57.10\tdlfs0000\tsk0001.dta Win64/Olmarik.BG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.01.2014_14.57.10\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.01.2014_23.29.00\tdlfs0000\tsk0000.dta Win32/Olmarik.AZF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.01.2014_23.29.00\tdlfs0000\tsk0001.dta Win64/Olmarik.BG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.05.2013_21.42.56\tdlfs0000\tsk0002.dta Win64/Olmarik.BC trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\06.05.2013_21.42.56\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.UK trojan cleaned by deleting - quarantined
C:\temp\Win_Backup\registrybooster.exe Win32/RegistryBooster application cleaned by deleting - quarantined
C:\temp\Win_Backup\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined
C:\Users\Public\Downloads\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.A application cleaned by deleting - quarantined

SecurityCheck Log:

 Results of screen317's Security Check version 0.99.78 
 Windows 7  x64 (UAC is disabled!) 
 Out of date service pack!!
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
STOPzilla                      
Ad-Aware Antivirus             
 Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 12Ghosts Replace   
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 45 
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (3.5.5) Firefox out of Date! 
 Google Chrome 31.0.1650.57 
 Google Chrome 32.0.1700.41 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Spybot Teatimer.exe is disabled!
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.1.5152.0\AdAwareService.exe
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.1.5152.0\AdAwareTray.exe
 Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Thanks,

Phil



#14 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,039 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:06 PM

Posted 07 January 2014 - 04:14 PM

Hi Phil,

Reset Chrome and see if that makes a difference: https://support.google.com/chrome/answer/3296214?hl=en-GB
I'm testing to see whether this will help the problem or whether you will need more specific work than I can provide here.

xXToffeeXx~


#15 pc-pin-nc

  • Topic Starter
  • Members
  • 9 posts
  • Local time:03:06 PM

Posted 07 January 2014 - 04:33 PM

xXToffeeXx,

I did the Chrome reset and after clicking a couple of links, I got the redirect again.

Thanks,

 

Phil
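Added example, not part of the thread and not code from any of the tools mentioned in it. Redirects that hit both IE and Chrome and survive a Chrome reset point away from browser extensions and toward settings every browser shares: the hosts file (ESET flagged a Win32/Qhost copy in the user's backup folder above, which is a reason to read the live one), the DNS servers on each adapter, the WinINET proxy and PAC (AutoConfigURL) values, the Winsock LSP catalog, the Winlogon Userinit/Shell values and the registered BHOs, which are the same areas the Stopzilla log shows being inspected. The script below reads those locations and prints what it finds; it changes nothing. It assumes Windows 7 x64 with Windows PowerShell 2.0 (so it uses WMI for DNS rather than cmdlets that only exist on Windows 8 and later), an elevated prompt, and that `netsh winsock show catalog` labels each DLL with a "Provider Path:" line, which is the wording it parses.

```powershell
# Added example (not from the thread): read-only audit of the system-level
# settings that can redirect every browser at once. Assumes Windows 7 x64 with
# Windows PowerShell 2.0, run from an elevated prompt. Prints findings only.

function Test-HostsFile {
    # Any active line that is not a loopback -> localhost mapping deserves a look;
    # Qhost-style hijacks add entries that point real sites at an attacker's host.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = @(Get-Content $path | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
    $odd = @($active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })
    "hosts: $($active.Count) active line(s), $($odd.Count) not loopback->localhost"
    $odd | ForEach-Object { "  hosts> $_" }
}

function Get-DnsServers {
    # WMI works on PowerShell 2.0; Get-DnsClientServerAddress only exists on Windows 8+.
    # Compare each list against what the ISP or router should be handing out.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { "dns: $($_.Description) -> $(@($_.DNSServerSearchOrder) -join ', ')" }
}

function Get-ProxySettings {
    # WinINET values are honoured by IE and Chrome. A PAC script in AutoConfigURL can
    # redirect only some requests, which matches "random periodic redirects".
    $k = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    "proxy: ProxyEnable=$($k.ProxyEnable) ProxyServer='$($k.ProxyServer)' AutoConfigURL='$($k.AutoConfigURL)'"
    "winhttp: " + ((netsh winhttp show proxy | Out-String) -replace '\s+', ' ').Trim()
}

function Get-LspProviders {
    # Every DLL in the Winsock catalog is loaded into every process that opens a socket.
    # Assumption: netsh prints each DLL on a "Provider Path:" line. Flag anything
    # that lives outside %SystemRoot%\system32.
    $catalog = netsh winsock show catalog | Out-String
    $paths = [regex]::Matches($catalog, '(?im)^\s*Provider Path:\s*(.+?)\s*$') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Groups[1].Value) } |
        Sort-Object -Unique
    $sys32 = (Join-Path $env:SystemRoot 'system32').ToLower()
    foreach ($p in $paths) {
        $flag = if ($p.ToLower().StartsWith($sys32)) { 'ok ' } else { '!! ' }
        "lsp: $flag$p"
    }
}

function Get-WinlogonValues {
    # Expected on Windows 7: Userinit = 'C:\Windows\system32\userinit.exe,' and Shell = 'explorer.exe'.
    # Extra executables appended here run at every logon.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    "winlogon: Userinit='$($k.Userinit)' Shell='$($k.Shell)'"
}

function Get-BrowserHelperObjects {
    # BHOs are COM objects IE loads at start-up. Resolve each CLSID to the DLL behind it,
    # for both the 64-bit and the 32-bit (Wow6432Node) registrations.
    $roots = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($r in $roots) {
        Get-ChildItem $r.Bho -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $srv = Get-ItemProperty (Join-Path $r.Clsid "$clsid\InprocServer32") -ErrorAction SilentlyContinue
            "bho: $clsid -> $($srv.'(default)')"
        }
    }
}

Test-HostsFile
Get-DnsServers
Get-ProxySettings
Get-LspProviders
Get-WinlogonValues
Get-BrowserHelperObjects
```

Save it as Audit-Redirect.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Audit-Redirect.ps1` from an elevated prompt. Lines marked `!!` under `lsp:`, any non-localhost hosts entry, a populated `AutoConfigURL`, or a DNS server you do not recognise are the things to paste into the thread. One place this script cannot see is the router: if every machine on the network shows the same redirects, check the DNS servers configured on the router itself.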





