Internet Explorer Browser Redirects
Junior Member with 26 posts.
Hello,
I am using Internet Explorer 8 on Windows XP Professional SP3, and am having an issue with redirects and pop-ups when using Internet Explorer. I have run scans with BitDefender 2010, Ad-Aware and Malwarebytes Anti-Malware that have not turned up anything. I am attaching a HijackThis log to this thread. Any help will be greatly appreciated!
Senior Member with 1,771 posts. Join Date: Oct 2008. Location: California, USA
Hello there. Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.
Please note the following:
- The fixes are specific to your problem and should only be used on this machine.
- Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
- It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.
Step 1
Download OTS to your Desktop.
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button.
To ensure that I get all the information, this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/URL (the Drop's URL will be similar to http://drop.io/daerk).
Step 2
Download RootRepeal from one of the following locations and save it to your desktop: Link 1 Link 2 Link 3
- Double click to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
- Shadow SSDT
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running.
- When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
__________________ Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
Junior Member with 26 posts.
OK - I am attaching my OTS log.
I have downloaded and have tried to run RootRepeal, however it gets stuck on the initializing screen and freezes. After several hours I get a message that my virtual memory is being increased, but nothing happens.
Senior Member with 1,771 posts.
Alright. Could you do the following for me instead?
Download the GMER Rootkit Scanner. Unzip it to your Desktop. Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Junior Member with 26 posts.
OK - I have tried to run the GMER tool several times with no success. The scan will run for a couple of hours, then I get an error message such as the following:
Windows - Delayed Write Failed
Windows was unable to save all the data for the file \$Directory. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
Once this message appears, my computer freezes up and needs to be restarted. The location where the error message references changes each time - for example, once it was:
Windows was unable to save all the data for the file \Device\HarddiskVolume1\Windows\system32\config\AppEvent.evt
I have tried to run this software several times, and get a similar result each time. I am not running anything else while running the GMER scan. Any ideas as to how to get the scan to work? Is there another scanning tool I can try?
Senior Member with 1,771 posts.
Yeah let's try a different tool. This bugger is hiding really well.
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Start the Sysprot.exe program.
- Click on the Log tab.
- In the Write to log box select all items.
- Click on the Create Log button on the bottom right.
- After a few seconds a new Window should appear.
- Make sure Scan all drives is selected and click on the Start button.
(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
- When it is complete a new Window will appear to indicate that the scan is finished.
- The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
Junior Member with 26 posts.
OK - the scan ran - the results were too long to copy/paste, so I am attaching the log to the post.
Senior Member with 1,771 posts.
Alright, let's do the following:
NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.
Download ComboFix from one of these locations: Link 1 Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Disabling Security Programs
- Double click on ComboFix.exe & follow the prompts.
Note: Combofix will run without the Recovery Console installed.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Junior Member with 26 posts.
09-Nov-2009, 08:05 PM
#10
OK - I have run ComboFix. It detected rootkit activity, removed it, and rebooted my machine, then detected some other things that it removed and my machine rebooted again. The log is attached to this post.
Senior Member with 1,771 posts.
09-Nov-2009, 08:29 PM
#11
Good. Let's do the following:
1. Close any open programs before running the fix.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:
Code:
KillAll::
File::
c:\windows\system32\rezumatenoi.dat
c:\windows\Lribo.dat
c:\windows\Ujoyomejesuxito.bin
c:\windows\system32\drivers\bdfndisf.sys
c:\windows\system32\85.tmp
c:\windows\system32\drivers\rootrepeal.sys
Driver::
MEMSWEEP2
rootrepeal
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Junior Member with 26 posts.
09-Nov-2009, 09:22 PM
#12
OK - here is the new ComboFix log file. A new problem has come up; I can no longer connect to the internet from the affected computer. My network adaptor is enabled, and in my device manager the network is installed. Under the network adapter category there are three entries that are not working - all three are named as related to BitDefender firewall. Also, I cannot activate my BitDefender firewall - I assume that this is a related issue.
Senior Member with 1,771 posts.
09-Nov-2009, 09:26 PM
#13
That was my mistake, I apologize for that. Please do the following:
1. Close any open programs before running the fix.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:
Code:
DEQUARANTINE::
C:\Qoobox\Quarantine\C\windows\system32\drivers\bdfndisf.sys.vir
QUIT::
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Let me know if that fixed the problem.
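The two ComboFix scripts above (the fix in #11 and the DEQUARANTINE:: undo in #13) show how one wrong File:: line took out the BitDefender firewall driver along with the rootkit's files. The following Python is an added example written for this page; it is not part of the thread and not ComboFix's own code. It parses the CFScript layout exactly as posted (a `Name::` header followed by its entries), flags any File:: entry whose file name is on a constructed list of drivers belonging to installed security software (here only bdfndisf.sys, which the thread identifies as BitDefender's), and builds the matching DEQUARANTINE:: script. The quarantine path layout is an assumption inferred from the single path shown in post #13; the `PROTECTED` set and both sample scripts are constructed from the posts.

```python
"""Review a ComboFix CFScript before running it, and build its undo.

Added example, not from the thread or from ComboFix's authors. Section names
(KillAll::, File::, Driver::, DEQUARANTINE::, QUIT::) follow the scripts posted
in the thread; the quarantine path layout is inferred from the one quarantined
path shown there (an assumption); PROTECTED is a constructed allowlist.
"""
import ntpath
from collections import OrderedDict

# Constructed sample: the fix script from post #11, verbatim.
FIX_SCRIPT = """KillAll::
File::
c:\\windows\\system32\\rezumatenoi.dat
c:\\windows\\Lribo.dat
c:\\windows\\Ujoyomejesuxito.bin
c:\\windows\\system32\\drivers\\bdfndisf.sys
c:\\windows\\system32\\85.tmp
c:\\windows\\system32\\drivers\\rootrepeal.sys
Driver::
MEMSWEEP2
rootrepeal
"""

# Constructed sample: the undo script from post #13, verbatim.
UNDO_SCRIPT = """DEQUARANTINE::
C:\\Qoobox\\Quarantine\\C\\windows\\system32\\drivers\\bdfndisf.sys.vir
QUIT::
"""

# Constructed allowlist: file names of drivers belonging to security software
# installed on the machine, as a helper would note them from the OTS/SysProt
# logs before writing a fix. bdfndisf.sys is the BitDefender firewall driver
# the thread's fix removed by mistake.
PROTECTED = {"bdfndisf.sys"}

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"  # assumption: default ComboFix layout


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines.

    A header is a line ending in '::'; every following non-blank line belongs
    to it until the next header. Headers with no entries (KillAll::, QUIT::)
    map to an empty list. An entry before any header is a malformed script.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def review_fix(text, protected=PROTECTED):
    """Return the File:: entries whose base name is on the protected list.

    Matching is case-insensitive because Windows paths are. A non-empty
    result means the script must not be run as written.
    """
    sections = parse_cfscript(text)
    return [p for p in sections.get("File", [])
            if ntpath.basename(p).lower() in protected]


def quarantine_path(original, root=QUARANTINE_ROOT):
    """Map an original path to where ComboFix's quarantine holds it.

    Assumed layout, from the one example in the thread: the drive letter
    becomes a directory under the quarantine root and '.vir' is appended.
    """
    drive, rest = ntpath.splitdrive(original)
    if not drive:
        raise ValueError("expected an absolute path with a drive letter: %r" % original)
    return ntpath.join(root, drive.rstrip(":").upper(), rest.lstrip("\\")) + ".vir"


def undo_script(paths):
    """Build a DEQUARANTINE:: script restoring the given original paths."""
    lines = ["DEQUARANTINE::"] + [quarantine_path(p) for p in paths] + ["QUIT::"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = review_fix(FIX_SCRIPT)
    for path in flagged:
        print("would delete a protected file:", path)
    print(undo_script(flagged), end="")
```

Run stand-alone, the script flags the BitDefender driver in the posted fix and prints exactly the DEQUARANTINE:: script the helper had to post afterwards. The useful part is the order of operations: the allowlist is compiled from the diagnostic logs first, and the fix is checked against it before it is dragged onto ComboFix.exe, rather than after the network adapters stop working.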
Junior Member with 26 posts.
09-Nov-2009, 09:54 PM
#14
OK - I ran the last fix, but it didn't solve the problem. When I ran the fix, a Windows dialog popped up that said pev.cfxxe has encountered a problem and needs to close. I stupidly did not write this down when I first ran the fix. There was also a DeQuarantine.txt file that was created - it was a one line entry that listed the location of the BitDefender driver. Since I did not write down the information about the pev.cfxxe, I re-ran the script, which allowed me to write down the info, but resaved the DeQuarantine.txt as a blank file (SORRY!!).
Senior Member with 1,771 posts.
09-Nov-2009, 09:58 PM
#15
No no, if anything this is all my fault and I'm terribly sorry about that. Can we temporarily uninstall BitDefender and then reinstall it once we're sure you're clean? That would be the easiest way to solve this problem. That is, only if you still have the activation key somewhere.
To uninstall it go to Start > Control Panel > Add/Remove Programs.
Could you attach the following for me? C:\QooBox\ComboFix-quarantined-files.txt
All times are GMT -5. The time now is 08:47 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.