[RESOLVED] DNSChanger, FSIS Media, Malware-Gen, Rootkit, and a few more.. HELP ?

I have been fighting this for days and I just found this board. I am running XP SP3, Avast, Malwarebytes, OTL, Hijackthis, etc. Avast cleaned up the DNSChanger and Malware-Gen. SpybotSD got another. Malware found another. I still have hijacked web pages. No porn pages, just pages that sell stuff. Lots of them. Happens from any search list. Once in a while I will have a mystery popup. Avast runs clean. Malwarebytes runs clean. I will start attaching files… I submitted this once but it was kicked back because the attachments were too big, so I will attach them in pieces. It seems like something has control of my network even when it is disabled. I suspect an MBR rootkit is doing a good job hiding.

Thanks for any help…

More files… I also installed the Recovery Console just in case… and while I still could !

Essexboy is notified. He is usually in here at 8:00pm - 11:59pm UK time.

You did update Malwarebytes before you scanned? The latest database is 5716; you scanned with 5691.

You may try this, it removes some redirects:
Kaspersky TDSSKiller http://support.kaspersky.com/viruses/solutions?qid=208280684

I did update MalwareBytes (I thought it did automatically but that was 3 days ago when this all started so I will update it again) and Avast is up to date too …

I am running ComboFix right now and will attach the log files when it completes. I had to run ComboFix in SAFE MODE since it wouldn't start in normal mode. ComboFix seemed to be running fine in SAFE MODE and completed backups and Stage_49 … deleted some 9 files… deleted 2 folders… took away the desktop… and seems to be stuck there for about 20 minutes or so now … I will leave it be and go have some dinner…

ComboFix finally ended… took quite a while… attached is the log file. Still having web redirection… ran the TDSSKiller (Thanks Pondus!) and it did find TDSS in the MBR. Seems OK so far … Am I done ???

I will see if I have any more web hijack issues and report back.

Thanks for all your help… fantastic resources !!

Here are log files from after the cleanup… OTL did not create an Extras file this time…

Seems OK so far ..... Am I done
Essexboy will tell you when he has checked your logs later today.... ;)

OK, let's clear what remains.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\ShellBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\WebBrowser: (no name) - {63CC63C6-1AE1-491C-B96A-812A7950A1EC} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-240586358-1813409509-4289577693-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {54697F09-BAF4-422E-8E7A-A563B020B1A5} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {F4C8DF5E-1140-4FAF-BB3B-4147A73F664C} - Reg Error: Key error. File not found
O30 - LSA: Authentication Packages - (xxyxyx.dll) - File not found
[2011/02/04 23:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mNpFcOd15400
[2011/02/07 14:55:23 | 000,010,752 | ---- | M] () -- C:\WINDOWS\System32\gonrrkt.dll
[2011/02/04 23:39:48 | 000,003,216 | ---- | M] () -- C:\Documents and Settings\James Adelt\Application Data\EE0A.BB9

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
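An added defender-side check (my example, not part of this thread or of OTL/ComboFix): a Windows PowerShell script that audits the same persistence points the OTL fix above removes (O28 ShellExecuteHooks and O30 LSA Authentication Packages) and reports every DNS resolver not on an approved list, the DNSChanger symptom the thread opens with. It assumes Windows PowerShell 5.1 run as Administrator; the approved DNS list is a placeholder filled with the OpenDNS FamilyShield addresses the thread's owner switched to later.

```powershell
# Added example (not from this thread or its tools): audit the persistence points the OTL
# fix above targets and flag anything orphaned. Windows PowerShell 5.1, run as Administrator.

function Resolve-ClsidPath {
    # Map a CLSID to the DLL it loads; $null mirrors OTL's "No CLSID value found"
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $srv = Get-ItemProperty -Path "$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { return [Environment]::ExpandEnvironmentVariables($srv.'(default)') }
    }
    return $null
}

$findings = @()

# O28: ShellExecuteHooks - each value name is a CLSID Explorer loads at every logon
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$props = Get-ItemProperty -Path $hooks -ErrorAction SilentlyContinue
if ($props) {
    foreach ($clsid in ($props.PSObject.Properties.Name | Where-Object { $_ -like '{*}' })) {
        $dll = Resolve-ClsidPath $clsid
        if (-not $dll)                 { $findings += "O28 $clsid - no CLSID registration" }
        elseif (-not (Test-Path $dll)) { $findings += "O28 $clsid - $dll not found" }
    }
}

# O30: LSA Authentication Packages - DLL names (normally without extension) loaded into lsass.exe
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if (-not $pkg) { continue }
    $name = if ($pkg -like '*.dll') { $pkg } else { "$pkg.dll" }
    if (-not (Test-Path (Join-Path $env:SystemRoot "System32\$name"))) {
        $findings += "O30 LSA Authentication Package $name - File not found"
    }
}

# DNSChanger check: resolvers not on the approved list. The list is a placeholder; these are
# the OpenDNS FamilyShield addresses the thread's owner switched to.
$approvedDns = @('208.67.222.123', '208.67.220.123')
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    foreach ($srv in @($_.DNSServerSearchOrder)) {
        if ($srv -and $approvedDns -notcontains $srv) {
            $findings += "DNS $($_.Description) - unexpected resolver $srv"
        }
    }
}

if ($findings) { $findings } else { 'Nothing orphaned or unexpected found' }
```

A clean machine prints the single "Nothing orphaned" line; any O28 or O30 line corresponds to an entry OTL would list with "No CLSID value found" or "File not found".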

I did the copy / paste and hit Run Fix… took about 30 minutes for the first step (killing processes) to complete, now it seems to be processing the ‘O3’ records albeit very slowly… about 30 minutes for the first one to finish… I am estimating it may take a few hours… is this normal ?

Thanks for all your help.

No, that is not normal - something is fighting back… If it does not complete soon then stop it and

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OTL is nearing the end (slowly); it is at the ipconfig /flushdns step… I ran ComboFix yesterday and posted the files earlier in this thread. I will give OTL another hour, then if it doesn't finish I will kill it. OTL took away the desktop when it finished killing processes, if that gives any clue as to why it is so slow.

How do I kill OTL in case I have to ? Seems like I might have to power down to kill things.

Do you want me to run ComboFix again anyway ?

Thanks again for all your help.

As you suggested I killed the PC since OTL was hung… it was doing the last simple file delete so I figured that was the safest place.

Since I ran ComboFix yesterday I wasn't sure you wanted me to run it again. The logs are posted above and on this reply…

I just reran the OTL scan and here is the current result. Only one log file was created this time.

I also ran Malwarebytes and attached that file.

By the way all appears well with my PC so please handle critical folks first… my cleanup can wait. I know how frustrating it is while your PC is dead or dying.

Thanks for all your help.

OK, there is more to go. When you run ComboFix again, allow it to update if it asks.

Also could you upload the following file to Avast virus labs before we proceed c:\windows\system32\gonrrkt.dll

To do this open Avast and go to the Virus chest.
Right click anywhere on the space to the right where any detections were listed and select Add
Navigate to the above mentioned file and select it
When it appears in the Virus chest right click the file and select send to virus lab

OK moving on

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\gonrrkt.dll

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.

hmmmmm…

  1. My Virus Chest is empty and I could not find that dll ( c:\windows\system32\gonrrkt.dll )

EDITED: I right clicked and searched all folders listed and could not find this file

EDITED: When you had me run OTL it deleted this file before I killed it.

  2. Do you still want me to run ComboFix again and TDSSKiller again ?

Thanks

Yes, run TDSSKiller first and then ComboFix. If OTL has deleted the file it will be in the quarantine folder C:\_OTL\windows\system32

TDSSKiller results - nothing found

Should I point ComboFix to the file that it archived in the quarantine folder C:\_OTL\windows\system32 ??

File::
C:\_OTL\windows\system32\gonrrkt.dll

No, leave the original script, as the file may be hidden; within OTL quarantine it is safe.

ComboFix and OTL files attached (ComboFix requested an update before it ran so I said OK)

Just a touch of Vundo to kill now - once done, could you let me know of any outstanding problems?

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Renv::
c:\program files\Adobe\Photoshop Elements 4.0\apdproxy .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Synaptics\SynTP\SynTPLpr .exe
c:\program files\Yoics Inc\Remote Cameras\Remote Cameras .exe
c:\windows\system32\rundll32 .exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt

See attached combofix file

PC seems to be working fine… thank you for all your help.

One odd change… the Avast icon in the tray is gone until I launch Avast. The settings are correct to display the icon in the tray but they don't seem to work. Not a big deal. If I launch Avast then close it, the icon appears in the tray.

EDIT: I changed my DNS entries on my PC and router to the FamilyShield entries 208.67.222.123 - 208.67.220.123.

Observation: when I launch IE I always get two entries in task manager for iexplore.exe. Not sure if that is a problem or normal.

If you are running IE8 in protected mode then that is normal.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 23.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u23-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter.
For the first run I would recommend a boot defrag and disk check.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: