[AGS]

Hi Guys,

I'm stumped by this one -- usually I'm the malware-slayer
It's my boss's home computer. His wife told me that it was redirecting IE, displaying pop-ups, and that she had been prompted to buy "some security program" and had tried to do so!
The system is WXP Pro SP2, running free AVG.

I used ComboFix, which found and cleaned things, and appeared to stabilize the system.
I then ran Malwarebytes, which caught some other stuff.
I ran GMER, which came up clean except for refering the the AVG network interface components.
I then noticed that:
I couldn't get to any of the Windows update sites without being in Safe mode;
I was only able to apply SP3 in Safe Mode;
IE will still spawn windows spontaneously and go to various websites;
Google searches are intercepted;
NETSTAT reveals all sorts of connections to various websites even when no web-based programs are running;
AVG wasn't responsing to any of this activity.

I reran ComboFix and Malware bytes, which both came up clean
I installed PrevX, to run concurrently with AVG, and it didn't find anything.
I ran your tool, please see attached files.
I can give you other logs if you would like.

Any suggestions would be greatly appreciated.

Alan

Attached Files

•  Extras.Txt   57.33KB   75 downloads
•  OTL.Txt   212.71KB   65 downloads

[Advertisements]

You are running logmein which will connect to the logmein server whenever the PC is on line so that may account for some of your network connections.

Let's see your last combofix log. Do not ATTACH! Just copy and paste.

Also do

• Go to this page and Download TDSSKiller.zip to your Desktop.
• Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
• Start >All Programs> Accessories> Command Prompt. Copy the following bolded command, then right click and Paste then hit Enter.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
• If TDSSKiller alerts you that the system needs to reboot, please consent.
• When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. Does it say it found the xp mbr? If not what PC (make and model is this)

Start, All Programs, Accessories, Command Prompt.

Close all programs including your browser. Type each line in the code box followed by an Enter. (I use 2 spaces so you can see where 1 space goes.)

netstat  -an  >>  junk.txt

nslookup  google.com  >>  junk.txt

nslookup  

server  4.2.2.1

google.com

(You should get something like:

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.155.147
          74.125.155.99
          74.125.155.103
          74.125.155.104
          74.125.155.105
          74.125.155.106

Do you? )

exit

notepad  junk.txt

(Copy and paste the text from notepad into a reply.)

Ron

[RKinner]

You are running logmein which will connect to the logmein server whenever the PC is on line so that may account for some of your network connections.

Let's see your last combofix log. Do not ATTACH! Just copy and paste.

Also do

• Go to this page and Download TDSSKiller.zip to your Desktop.
• Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
• Start >All Programs> Accessories> Command Prompt. Copy the following bolded command, then right click and Paste then hit Enter.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
• If TDSSKiller alerts you that the system needs to reboot, please consent.
• When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. Does it say it found the xp mbr? If not what PC (make and model is this)

Start, All Programs, Accessories, Command Prompt.

Close all programs including your browser. Type each line in the code box followed by an Enter. (I use 2 spaces so you can see where 1 space goes.)

netstat  -an  >>  junk.txt

nslookup  google.com  >>  junk.txt

nslookup  

server  4.2.2.1

google.com

(You should get something like:

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.155.147
          74.125.155.99
          74.125.155.103
          74.125.155.104
          74.125.155.105
          74.125.155.106

Do you? )

exit

notepad  junk.txt

(Copy and paste the text from notepad into a reply.)

Ron

[AGS]

Perfect Ron! TDSSKiller got it on the first pass. I guess that my GMER result was not a false positive. I wonder why ComboFix and MalwareBytes didn't catch it. I have replaced AVG with Norton. I've been seeing things get through AVG lately; it's too bad, it was a good free alternative for a while. THANK YOU for your prompt and effective attention to my problem. How can I make a donation to GeeksToGo? Alan

[AGS]

I found the donation link ... thanks again! AGS

[RKinner]

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java. Get the latest (6 update 21) at:

http://www.java.com/...nload/index.jsp

Do not let them install the Yahoo toolbar.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16

"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9

"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

Ron

Edited by RKinner, 24 July 2010 - 06:37 PM.

[AGS]

Top-flight service Ron. I appreciate the "beyond the call of duty" follow-up -- not only for this situation, but so that I can share it with the other people who I support. I made another donation to GTG. Regards, Alan