16 replies to this topic

[Hixton]

Hi,

My wifes computer was infected by one of those viruses that creates a fake login page for her online banking site. Unfortunately, she's filled those out a couple of times. We just got a call from our bank saying there's a fraud alert and her online accounts are frozen (yay!).

The virus also prevents her from visiting anti-virus sites by redirecting her to a fake "microsoft login site" (including lavasoft.com). I had to download all install files on my computer and transfer them to hers.

I installed Ad-Aware 10.2 free (however it says I'm up to date, then says I'm not and the About info says it's version 9.0.7, even though I downloaded it yesterday)

I ran it and it went on for 18 hours, seemingly to have stopped in the same folder for the last 15 of those. I had the impression something was making files for it to scan, but I could be wrong.

I ended it and had it quarenteen the 30 issues it did find. But, the redirection virus is still there. I'm posting the DDS and Attach files as well as the log after the scan if that helps.

***Edit*** I just realized I should attach the files rather than copy them into the message, I'll attach in a reply***

Thank you.

Edited by Hixton, 14 August 2012 - 04:37 PM.

[Hixton]

Files.

Attached Files

•  Attach.txt   6.71K   66 downloads
•  DDS.txt   16.01K   63 downloads
•  log.txt   56.95K   81 downloads

[Hixton]

Update:

This is awesome. So I installed Ad-Aware on my computer and, apparently, the layout is completely different. I then used the same install file to install it on my wifes computer and it "installed" the same old one that was one hers. Looks like some virus recognizes the installation and installs a dummy instead.

Amusingly enough, the REAL toolbar did install and is now allowing her to access all of the sites that were previously being redirected, so that's good.

But the actual Ad-Aware software will not install.

Do I try Safe mode? Or do I try to find some online scan?

[Blade81]

Hi,

Download aswMBR to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply.

[Hixton]

Thank you for getting back to me.

Attached is the log.

Attached Files

•  aswMBR.txt   1.92K   65 downloads

[Blade81]

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
  Remember to re-enable them afterwards.
  
  
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[Hixton]

Hi,

I downloaded ComboFix and ran it. It gave me an error about a file not being able to be written. The only thing I could do was to hit "ignore". At which point the loading bar went to the end and the program shut down with no report or option to scan for malware.

Attached Thumbnails

• 

Edited by Hixton, 14 August 2012 - 08:05 PM.

[Hixton]

Scratch that. It's now more than 20 minutes since I first ran ComboFix and a window just popped up.

Here's where it 's at (stage 3 complete now).

I don't know how or why it started up so long after it was run. But it seems to be going.

Attached Thumbnails

• 

[Hixton]

Ok, ComboFix Log and DDS Logs attached:

Attached Files

•  Attach2.txt   6.7K   53 downloads
•  combolog.txt   14.35K   56 downloads
•  DDS2.txt   18.96K   58 downloads

[Blade81]

Hi again,


Get Adobe Reader update 10.1.4 here or get Foxit Reader here. Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 7 Update 5.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.

* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
• Click Scan
• Wait for the scan to finish.

Post back its report & fresh DDS logs.

[Hixton]

The log it left had little information. I'm assuming I was supposed to copy the list of threats found. I attached that as list.txt and the "log" ESET desrcibes on their help page as log2.txt.

And, of course, the DDS files. Sorry it took so long to repost.

Attached Files

•  Attach3.txt   6.54K   63 downloads
•  DDS3.txt   15.96K   63 downloads
•  list.txt   3.96K   92 downloads
•  log2.txt   126bytes   46 downloads

[Blade81]

No problem with the delay


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Users\Sara\Downloads\cnet_registry-cleaner-setup_exe.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\08LXR1BT\platotv_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KQ241Y6\index1[1].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KQ241Y6\index1[2].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KQ241Y6\platotv_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\939BCFW9\firstload_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\939BCFW9\fw_dnslink_com[4].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\939BCFW9\getbookinghotels_org[1].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFJ29XAG\firstload_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFJ29XAG\mx_nan_a[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFJ29XAG\mx_nan_a[2].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFJ29XAG\results[3].php
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EED7U3Y1\iframe3CAK63RKN.htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EED7U3Y1\index1[1].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EED7U3Y1\platotv_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBX46DMC\firstload_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\firstload_com[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\iframe3CA2718B1.htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\index1[3].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\index1[5].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\mx_nan_a[1].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RABZ8W9H\mx_nan_a[2].txt
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMBS8VTX\iframe3CA28JJY8.htm

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log. Any issues left?

[Hixton]

Awesome! Thank you!

I don't know if it got rid of everything, but the phishing virus is gone (turned of ad-aware toolbar and went to affected sites, no problems) and I was able to uninstall the dummy ad-aware and set up the real one (which is running a full scan as we speak).

Thank you so much!

I'm attaching the final ComboFix log.

Attached Files

•  ComboFix2.txt   17.66K   58 downloads

[Blade81]

Good. Let's see the final steps then


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

A To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 7. select Restore system settings and previous versions of files -option.


Now lets uninstall ComboFix:

• Click START then RUN
• Now copy-paste Combofix /uninstall in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

[Hixton]

Hey Blade,

Thank you so much again for all of the help.

Her computer is running much better now.

However, it seems like it has been too compromised to be fixed. The windows updater is unable to install any updates. Plus, her Ad-Aware scan takes 16 hours at this point.

On top of that, I was getting some issues on my machine as well (being redirected whenever I click a google search link and having i-explorer windows pop up randomly). Ad-Aware found some issues, but it did nothing about the pop ups or redirects. I went to update my Windows and found out my computer no longer has windows update on it (???) The service is gone and neither computer has the BITS service either.

I'm guessing the best bet is to back up all the files on both computers, wipe 'em and reinstall windows from scratch.

[Blade81]

Hi,

ZeroAccess infection may cause a havoc in Windows services. What was the error message Windows Update showed? If you haven't reformatted systems yet I can try to assist with this system we've been working. For other case you have to create a separate topic for it (after this current case is finished).

[Blade81]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !