Malware hijacking IE and search engines

Some malware has taken control of my Internet Explorer and any search engine I try to use. I have IE8 and Windows XP home edition, SP3.

When I open IE it seems normal at first, but in a few minutes a second session opens on top of the first one, taking me to some strange web site, usually with a sales pitch. I can close that second window, with some difficulty, and continue. Then if I try to use a search engine, it lists proper search results, but when I click on a site I am taken to some other site, apparently at random. I can click on the same site over and over, and be directed to a different site each time, not apparently bad sites, just having nothing to do with the search. But if there is a complete address in the listing that I can copy and paste into the IE address bar, then I can get to the proper site.

On the System Information display for Internet Settings, the security level for Internet Zone shows “unavailable.” I have it set at medium-high. If I go to Add/Remove Programs and click on IE8, it says it is used “occasionally” and was last used 2/3/2010. In reality I use it nearly every day.

Avast does not find any problems. I downloaded the free version of Malwarebytes, v1.46, and it found and eliminated several things avast missed, but it did not solve the problem. From the forum post “Logs to assist in cleaning malware” I learned about OTL and downloaded and ran it per the instructions.

There may be other issues involved. Just before the IE problem began, Windows automatically increased my virtual memory size, and also, I used System Restore when Outlook Express wouldn’t open any more after a freeze-up made me turn off the computer and reboot. After the IE problem began, Windows automatically ran CHKDSK and deleted some index entries.

I am attaching MBAM and OTL logs. Does anyone have any recommendations? Thank you.

While you are waiting for Essexboy you can try this:

Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro

The free version has 30 days of free removal from the day you register.

Hi, it is a hidden file somewhere that I need to find; it will be by a process of elimination.

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don't miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] Then click the Scan button and wait for it to finish.
[*] Once done, click on the [Save...] button, and in the File name area, type in "ark.txt".
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your post.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*] Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*] Double click on ComboFix.exe and follow the prompts.

[*] As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*] Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

Thank you very much for the help. I ran Hitman Pro 3 and it did not find any problems.

I ran GMER and the first scan showed one “suspicious modification” but there was no warning about rootkit activity. I wasn’t sure from the instructions whether I was still supposed to run the full scan, but I did do that. It showed 2 suspicious modifications.

Combofix detected rootkit activity and rebooted the machine. It deleted some things.

Reports are attached. Thanks again.

Search engines are working again now, and I have not had any more 2nd IE sessions opening. Also, I am getting automatic updates again now, that had not been working lately either.

"Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected Restored copy from - Kitty had a snack :p"
GMER showed this file to be infected and Combofix finished it off.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS] 
[Reboot]

[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered; reboot the PC when it is done.
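The [resethosts] command in the OTL script above replaces the Windows hosts file with a clean default. Before resetting, a defender usually wants to see whether the existing file actually contains overrides for search-engine hostnames, which is one of the simpler ways a hijacker can send clicks elsewhere. The following audit script is an added example for this thread, not code from OTL, ComboFix, or any tool the helper mentions; the watched hostname list and the sample hosts content are constructed assumptions, and the script does not claim that this particular infection used the hosts file.

```python
"""Audit a Windows hosts file for entries that could redirect search engines.

Added example for the forum thread above; not part of OTL or ComboFix.
The watched hostnames and the sample hosts text are constructed for illustration.
"""
import ipaddress

# Hostnames a hijacker might point away from their real address (assumed list).
WATCHED_HOSTS = {
    "www.google.com", "google.com",
    "www.bing.com", "bing.com",
    "search.yahoo.com", "www.yahoo.com",
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are skipped, and a line
    whose first token is not a valid IP address is ignored rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return findings as (kind, ip, hostname) tuples.

    'search-host-overridden': a watched search hostname is mapped anywhere at all
    (a legitimate hosts file never needs to define these).
    'non-loopback-entry': any other name mapped to a non-loopback address, which
    is worth a look; loopback entries such as ad-blocking lists are left alone.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in WATCHED_HOSTS:
            findings.append(("search-host-overridden", ip, name))
        elif ip not in LOOPBACK and name != "localhost":
            findings.append(("non-loopback-entry", ip, name))
    return findings


# Constructed sample: a default localhost line plus two planted redirects
# (203.0.113.0/24 is a documentation range, not a real server).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
127.0.0.1       ads.example   # blocking entry, harmless
"""

if __name__ == "__main__":
    for kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

On Windows XP the live file is at %SystemRoot%\system32\drivers\etc\hosts; reading it into audit_hosts() in place of SAMPLE_HOSTS gives the same report for the real machine. Any "search-host-overridden" finding is a strong sign that resetting the hosts file is worthwhile, while a "non-loopback-entry" only needs checking against whatever the owner added on purpose.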

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*] Click Yes to confirm.
[*] Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*] SpywareBlaster to help prevent spyware from installing in the first place.
[*] Malwarebytes. Run weekly to keep your system clean.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit:
[*] Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide "How did I get infected in the first place?"
Keep safe :wave:

Everything still seems to be working fine at this point.

One more question: One of the programs I ran (I’m assuming it was Combofix) changed my IE security setting for Internet Zone from Medium-high to Custom. I doubt I’m smart enough to figure out if the custom settings are more or less restrictive than before, and I’m wondering if I should leave it like it is or change it back.

I’m also curious why I shouldn’t just leave OTL, Combofix, and GMER in place. Is it because they change often and a new version should be downloaded for each use?

Again, I’m very grateful for the help.

OTL and GMER do not change that often, but it is always best to use a fresh version. Combofix is updated frequently, so it is not a good idea to keep it.

If you do not like the IE settings after a while then just reset to default, but you probably will not notice ;D