exploit.drop.9

[cmjohns]

I need some help. Malwarebytes detected exploit.drop.9 and quarantined it. I then deleted the quarantined file and subsequent scans come up negative however my Internet Explorer is still hijacked. I downloaded Malwarebytes Pro and the scan was negative however IE is still being redirected but Malwarebytes is stopping it from going to the incorrect sites. I have switched to waterfox but want to remove this problem as I don't know what else it is doing on my PC. Any help would be appreciated. I am attaching the DDS.txt and attach .txt files. Thanks.

Attach.txt

DDS.txt

[CatByte]

Hi,

Please do the following:

Please download TDSSKiller.zip

• Extract it to your desktop
  
• Double click TDSSKiller.exe
  
• when the window opens, click on Change Parameters
  
• under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  
• click OK
  
• Press Start Scan
  
  • If Malicious objects are found then ensure Cure is selected
    
  • If TDLFS File System is found then ensure Delete is selected
    
  • Then click Continue > Reboot now
    

  [*]Copy and paste the log in your next reply

  • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    

NEXT

Please download aswMBR to your desktop.

• Double click the aswMBR.exe icon to run it
  
• When asked if you want to download Avast's virus definitions please select Yes.
  
• Click the Scan button to start the scan
  
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  
• You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well
  

[cmjohns]

I just ran TDSSKiller. It found 1 threat. Locked File. Service: sptd, Suspicious object, medium risk. My only choices are Skip, Copy to Quarantine, Delete. Please advise before I click continue. I will then download and run the aswMBR.exe. Thanks.

[CatByte]

Please "skip" that entry

thanks

[cmjohns]

OK, here are the TDS Killer and MBR files.

TDSSKiller.2.7.36.0_01.06.2012_18.56.42_log.txt

MBR.zip

[cmjohns]

Forgot one file, sorry.

aswMBR.txt

[CatByte]

Hi,

Please do the following:

Refer to the ComboFix User's Guide

1. Download ComboFix from one of these locations:
   Link 1
   Link 2
   * IMPORTANT !!! Place ComboFix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   You can get help on disabling your protection programs here
   
3. Double click on ComboFix.exe & follow the prompts.
   
4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
5. When finished, it shall produce a log for you. Post that log in your next reply
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   ---------------------------------------------------------------------------------------------
   
6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

[cmjohns]

Here is the ComboFix log.

Combofix.txt

[CatByte]

Hi,

Please do the following:

• Please open your MalwareBytes AntiMalware Program
  
• Click the Update Tab and search for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish, so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected. <-- very important
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activeX control to install
  
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  
• Click Scan
  
• Wait for the scan to finish
  
• When the scan completes, press the LIST OF THREATS FOUND button
  
• Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  
• Include the contents of this report in your next reply.
  
• Press the BACK button.
  
• Press Finish
  

NEXT

Please advise how the computer is running now and if there are any outstanding issues

[cmjohns]

Here is the MBAM log, I will be running the ESET shortly.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.01.07

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Christine :: CHRISTINE-PC [administrator]

Protection: Enabled

6/1/2012 9:13:27 PM

mbam-log-2012-06-01 (21-13-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 235918

Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

[cmjohns]

Here is the ESET Scan log. I am a little confused because you had me uncheck the Remove Found Threats box. Please advise on these new threats found. Thanks.

ESET Scan.txt

[CatByte]

Hi,

yes I had you uncheck "remove threats" as ESET is very thorough and often alerts to the "type" of file that shows similar attributes of known malware files but isn't actually a threat, so we don't want it to remove anything necessary from the machine.

ESET has reported an item already in quarantine (which we will remove when we uninstall ComboFix (at the end cleanup) and two items in Java cache, which we can clean by emptying Java cache > use the Temp File Cleaner

Download TFC to your desktop

Mirror

• Close any open windows.
  
• Double click the TFC icon to run the program
  
• TFC will close all open programs itself in order to run,
  
• Click the Start button to begin the process.
  
• Allow TFC to run uninterrupted.
  
• The program should not take long to finish it's job
  
• Once its finished it should automatically reboot your machine,
  
• if it doesn't, manually reboot to ensure a complete clean
  

NEXT

Your Java is also out of date:

Please go to Start > Control Panel > Programs and Features

uninstall the Java Program(s) installed, then download the latest Java version 7 update 4 from the following link

http://java.com/en/download/index.jsp

NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Please post a fresh DDS Log

[cmjohns]

Good Morning.

Thanks for the explanation, I panicked a little when I saw new threats.

I downloaded & ran TFC, uninstalled Java & downloaded the latest, and ran a new DDS scan. Logs are posted below.

Attach.txt

DDS.txt

[cmjohns]

So far, Internet Explorer seems to be working as it should.

[CatByte]

Hi,

Please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uStart Page = hxxp://my.iwon.com/
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File

Folder::
C:\Users\Christine\AppData\Local\{10CC237D-2DDB-42CE-86EC-419A8AB67765}
C:\Users\Christine\AppData\Local\{CBB367AF-1454-4244-9440-AF450F683F3E}
C:\Users\Christine\AppData\Local\{375F3B24-3A2E-4157-980C-D1FA48C3BB55}
C:\Users\Christine\AppData\Local\{A41A0C8A-7719-41B9-951B-3DBCB9303D3C}
C:\Users\Christine\AppData\Local\{B1DCC4A8-4E53-4F90-A274-8C41D5BCF1DC}
C:\Users\Christine\AppData\Local\{9CEC86FF-6C33-48F1-A701-8E7516D30359}
C:\Users\Christine\AppData\Local\{6A1441DE-516F-4F18-9263-3DD96D4DDB48}
C:\Users\Christine\AppData\Local\{14EAB824-E476-4A60-A959-698CB8E29FB3}
C:\Users\Christine\AppData\Local\{962AB884-D141-4999-BF9E-D4CCEDD4103A}
C:\Users\Christine\AppData\Local\{71A700E6-DFF4-4AF4-8711-231E50B2AF9F}
C:\Users\Christine\AppData\Local\{D8EB3D28-4E8A-4D1B-9B02-9167AB439A41}
C:\Users\Christine\AppData\Local\{B0D9CBBC-4CD2-4B13-9000-9DA338CA4686}
C:\Users\Christine\AppData\Local\{E6DFCE42-4A04-4DE6-AD0F-9DF633F0346D}
C:\Users\Christine\AppData\Local\{62130FB6-7EF1-41D6-B675-42D6A8E455B3}
C:\Users\Christine\AppData\Local\{57574B0C-60BC-482A-9CDC-C9FD07FDC6AC}
C:\Users\Christine\AppData\Local\{254E7386-16E7-4C57-ADCD-32C7B57B6692}
C:\Users\Christine\AppData\Local\{A6D345ED-F4F8-4E45-A94C-209A7F8014B2}
C:\Users\Christine\AppData\Local\{1784368F-06B8-43AC-9BFC-AEAD4D44B5AA}
C:\Users\Christine\AppData\Local\{E33F6B60-ADA5-45E2-8037-DE8DCE1B96D5}
C:\Users\Christine\AppData\Local\{9C830E55-54A3-49AD-9AF5-3DD381504530}
C:\Users\Christine\AppData\Local\{8FD15050-8FEA-48CC-94F6-91397959B70C}
C:\Users\Christine\AppData\Local\{9337F9E6-B434-488E-926A-C7FC3095B8F9}
C:\Users\Christine\AppData\Local\{F35F09E7-8003-47CA-BDD8-99951FA1DE26}
C:\Users\Christine\AppData\Local\{6B17E1AF-503C-4E0C-BF56-A1E5D6D2D1EB}
C:\Users\Christine\AppData\Local\{8A5E8629-C1B3-440B-B40D-241EA5843A4B}
C:\Users\Christine\AppData\Local\{FF9CAD44-19CE-4AEC-A303-108F384E7053}
C:\Users\Christine\AppData\Local\{AF95A8CB-23A1-4104-94C9-E7B4378222D8}
C:\Users\Christine\AppData\Local\{D13315F0-C0B6-4D43-8A70-507EE2B4B663}
C:\Users\Christine\AppData\Local\{DFE68BED-534E-4537-BEF9-83AE16AB1686}
C:\Users\Christine\AppData\Local\{09CD1969-C769-4440-86EA-449A4420B145}
C:\Users\Christine\AppData\Local\{95D06170-52DE-49A6-8636-B993C87F2BBD}
C:\Users\Christine\AppData\Local\{6D45FD36-2FBF-4942-9315-08193463462B}
C:\Users\Christine\AppData\Local\{3B7A0EF4-73A9-40A0-A06C-97488F3541B1}
C:\Users\Christine\AppData\Local\{017AB0D9-847F-48AD-8073-E4372B955B52}
C:\Users\Christine\AppData\Local\{354BE484-E11D-4AFF-ADE7-BA3081F28FEE}
C:\Users\Christine\AppData\Local\{1A654F62-0708-4388-B7CA-CEBF494BCFE6}
C:\Users\Christine\AppData\Local\{DA47620A-7539-4251-91E4-1C813AF0845C}
C:\Users\Christine\AppData\Local\{70B406E2-C09A-47D6-9546-F8CE9A86658A}
C:\Users\Christine\AppData\Local\{BB549602-0852-44C7-B79E-BD39DBF0612B}
C:\Users\Christine\AppData\Local\{5CF180E2-1561-4E18-B9D7-F11DFA8491E9}
C:\Users\Christine\AppData\Local\{52924163-8B2A-40C9-88B3-A531900D134A}
C:\Users\Christine\AppData\Local\{4D79F46B-AE06-4709-8DE1-CA6299F379BB}
C:\Users\Christine\AppData\Local\{70175766-4CDB-4F1C-A532-A3D679AB9097}
C:\Users\Christine\AppData\Local\{8353D3B2-E2B2-4835-AAB8-7ECB1778FADE}
C:\Users\Christine\AppData\Local\{18477E83-1CE3-4091-AF3D-7E085499A3AF}
C:\Users\Christine\AppData\Local\{D6C28042-B079-419F-B4FC-DF1F8EDCE5F3}
C:\Users\Christine\AppData\Local\{E5923A1F-0778-4A36-837A-EE6533802578}
C:\Users\Christine\AppData\Local\{8B17C11B-53D1-48A3-A0A9-94529F65FA26}
C:\Users\Christine\AppData\Local\{E27D3E2E-5AAB-4B45-AAF8-DDD29034B6FD}
C:\Users\Christine\AppData\Local\{B82278D1-6DDF-4F0F-A71D-3748CEE3CE19}
C:\Users\Christine\AppData\Local\{99ABB571-B3EA-42AA-940A-7C8A7F4B8E8C}
C:\Users\Christine\AppData\Local\{94DD15D5-30E9-4CED-8FB6-3162CD0E9F49}
C:\Users\Christine\AppData\Local\{E206C4F3-B182-4F85-91D4-3A70397639EA}
C:\Users\Christine\AppData\Local\{3A7B3068-3351-4E54-88E2-436ACDB6A1CE}
C:\Users\Christine\AppData\Local\{C2496C84-4CF2-4F11-A856-1BA9AF013D4F}
C:\Users\Christine\AppData\Local\{9EDE0DEB-05C9-48BD-A39D-DF8BA17A934C}
C:\Users\Christine\AppData\Local\{F15F2D6C-26FD-4740-B550-E25E0980FC5B}
C:\Users\Christine\AppData\Local\{EBD3F5B1-68D6-4D4E-B9D3-DB1DE5765554}
C:\Users\Christine\AppData\Local\{B20E40EE-98F2-4904-A273-27FD19B7BA4F}
C:\Users\Christine\AppData\Local\{0AC1DEA2-7ED8-47F3-AAFC-E73C565B8760}
C:\Users\Christine\AppData\Local\{BA897125-3E61-420E-B761-2C649B8094FD}
C:\Users\Christine\AppData\Local\{6E7CF504-E7E9-4011-8E31-FC40FE73D02C}
C:\Users\Christine\AppData\Local\{7D461EBF-6017-4F9A-A7DC-F47F13407394}
C:\Users\Christine\AppData\Local\{F52D1BCF-30B0-4045-AEE5-BEF1CF747940}
C:\Users\Christine\AppData\Local\{E23DBE8D-634C-477A-8A75-655B153BFE3D}
C:\Users\Christine\AppData\Local\{CD89AF7C-B978-464C-A2A2-8A10C53593D7}
C:\Users\Christine\AppData\Local\{2B99B2E4-0265-4B59-AC4B-97B56EBF1263}
C:\Users\Christine\AppData\Local\{99BE00E4-64C7-4699-BCDC-838F8867AA05}
C:\Users\Christine\AppData\Local\{6C9E8BE3-C943-45C5-A3DD-4E7C7E449CBB}
C:\Users\Christine\AppData\Local\{C75EC04A-D2BA-4761-994B-FAADC7FD28FF}
C:\Users\Christine\AppData\Local\{65755D99-C4B2-4A75-B30C-19DFDFD3ACE0}
C:\Users\Christine\AppData\Local\{B81D1E7A-96CF-486A-BC95-795A78B5C70A}
C:\Users\Christine\AppData\Local\{94B0F2BC-BCE5-46B6-94DD-ADC4754D9AD7}
C:\Users\Christine\AppData\Local\{5718CAB5-3AEC-479D-B0E4-2289C3C915C1}
C:\Users\Christine\AppData\Local\{A90F09F6-3354-43E5-B82F-CAC2328C3471}
C:\Users\Christine\AppData\Local\{D61637E8-9F1E-4EE2-AA74-D7CF8B13452B}
C:\Users\Christine\AppData\Local\{99071221-24C6-4DD1-91D7-AD397F7853E7}
C:\Users\Christine\AppData\Local\{B3746C97-A019-4081-88A1-163465EF4437}
C:\Users\Christine\AppData\Local\{452977DD-994C-471C-9F0D-82823AAD07C0}
C:\Users\Christine\AppData\Local\{F920D8F3-6426-450D-BFD9-FF0F0815391B}
C:\Users\Christine\AppData\Local\{A4F63660-A7AB-4020-8D8E-A6600C8C16E6}

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix may request an update; please allow it.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  
• When finished, it shall produce a log for you.
  
• Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[cmjohns]

Here is the Combofix log.

Combofix.txt

[CatByte]

Hi

Just some housekeeping to do now,

Please do the following:

You can delete the DDS, aswMBR and TDSSKiller logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

• Make sure your security programs are totally disabled.
  
• Click START then RUN
  
• Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
  

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

• It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
  Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  
• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
• Make Internet Explorer more secure
  
  • Click Start > Run
    
  • Type Inetcpl.cpl & click OK
    
  • Click on the Security tab
    
  • Click Reset all zones to default level
    
  • Make sure the Internet Zone is selected & Click Custom level
    
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    

  [*]Download TFC to your desktop

  • Close any open windows.
    
  • Double click the TFC icon to run the program
    
  • TFC will close all open programs itself in order to run,
    
  • Click the Start button to begin the process.
    
  • Allow TFC to run uninterrupted.
    
  • The program should not take long to finish it's job
    
  • Once its finished it should automatically reboot your machine,
    
  • if it doesn't, manually reboot to ensure a complete clean
    

  It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  [*]WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
    
  • Yellow for caution
    
  • Red to stop
    

  WOT has an addon available for both Firefox and IE

  [*]Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  [*]ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  [*]In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:

  PC Safety and Security--What Do I Need?.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

[cmjohns]

Thank you so much for all of your help. Your time and patience is appreciated.

[CatByte]

you are welcome

stay safe

~CB

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!