Jump to content

Trojan.Agent & Browser Hijacker problem


Recommended Posts

I suspected there was a possible virus/malware/spyware problem on my computer when my browser would constantly redirect me to another website (usually something where I see google analytics in the address bar as it is loading). Not only that but I'd be constantly annnoyed by a false request Microsoft warning for an "online protection tool" that my computer needed. The AVG I was using failed to detect anything wrong. It got worse when I realized my Windows Update would simply not update generating an error code. I tried my usual methods but no luck. It's gotten so bad that now my internet won't even allow me to access any antivirus/antimalware sites at all. It's simply blocked. I don't understand. The only way I'm gaining access to sites like this is through ninja cloak (that disguises IP?)

I've followed the instructions outlined in another post by a user with a similar problem. My results are as folllows.

MBAM did detect 3 traces of trojan.agent the other and successfully removed them from what my logs tell me. The most recent MBAM scan I dd (which I had to redownload and rename in order for it to run/update) came out clean. The log is as folllows:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3947

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

02/04/2010 3:39:14 PM

mbam-log-2010-04-02 (15-39-14).txt

Scan type: Quick scan

Objects scanned: 104762

Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I ran DeFogger without any problems so CD Emulation is currently disabled

DDS came out with the following

DDS (Ver_10-03-17.01) - NTFSx86

Run by Judy at 3:25:52.36 on 02/04/2010

Internet Explorer: 8.0.6001.18882

Microsoft

Link to post
Share on other sites

Hi, it's been over 48 hours now. Can someone PLEASE help me? I still haven't re-enabled DeFogger because there was a warning not to until my comp was fixed and malware free? Any assistance would be greatly appreciated.

I simply don't understand how sites can be blocked and Windows isn't updateable anymore. MBAM and AVG both don't detect anything. :)

Link to post
Share on other sites

Hello CompConfusion! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware, while work on.

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Thank you so much for responding! After my most recent scan with MBAM, the results were as follows.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3967

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

08/04/2010 2:47:30 AM

mbam-log-2010-04-08 (02-47-30).txt

Scan type: Quick scan

Objects scanned: 105596

Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Step 1:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Step 2:

Please locate to:

C:\Qoobox\

find Add or Remove Programs.txt and post its content in your next reply with ComboFix log.

Link to post
Share on other sites

I've run and downloaded Combo-Fix without any problems. However, I was unable to locate the C:\Qoobox\ on my computer. It doesn't seem to have been created by ComboFix? This is my C\Combo-Fix.txt. Let me know if there would be another name for this "Qoobox"...

ComboFix 10-04-07.04 - Judy 08/04/2010 17:07:21.1.2 - x86

Microsoft

Link to post
Share on other sites

I know how to "zip" up files but for whatever reason, when I'm on this site, I can't find anywhere to put attachments for my posts. In case it matters, I am accessing the forums through ninjacloak. Otherwise, this site is completely blocked off for me (along with all anti-malware/virus sites)

Link to post
Share on other sites

Step 1:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2:

I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply, please include these log(s):

* JavaRa log

* ESET Online Scanner log

Link to post
Share on other sites

Step 1:

I originally ran Java.Ra and it deleted older version but then no log popped up and I could not find it anywhere. I ran it again as administrator and ths time there was a log but there were no older versions to delete so the Java.Ra log is as follows

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Apr 09 16:25:30 2010

------------------------------------

Finished reporting.

Step 2: Successfully removed ViewPoint Media Player with no problems. The other two were not present.

Step 3: I was unable to complete this step possibly because of the malware that is blocking all anti-malware sites..

I got as far as clicking the Yes, I accept the terms of use, clicked on START and then nothing... the window that popped up remained a light blue/grey color with a yellow exclamation mark on the bottom left hand side of my browser. Clicking on that, all it said was something about an EOS error... can't remember the exact words. I tried to re-do step 3 but now I can't even reach the accepting of terms of use screen. (this is all through using NinjaCloak)

Without NinjaCloak, the webpage http://www.eset.com/onlinescan/ results in the "Internet Explorer cannot display the webpage" window.

Is there a plan B for step 3?

Link to post
Share on other sites

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

As per instructed, MBAM did not detect anything again just like the last few times. This is the log.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3975

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

10/04/2010 10:17:28 AM

mbam-log-2010-04-10 (10-17-28).txt

Scan type: Quick scan

Objects scanned: 107072

Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

This is giving me a headache. What is going on with my computer? I'm scared eventually this malware will manage to disable my access to the internet completely. :) Too bad, there's such a big time difference for us. It would be nice to coordinate a time when we could both be online at the same time so this could be resolved faster. :) Maniac, Thanks for your attempts at helping thus far. Greatly appreciated. :)

Link to post
Share on other sites

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

Alright, after a super long scan, Dr.WebCureIt came up with nothing! Both Express and Complete scans came up empty. My log for CureIt is super super long though so I'm unable to "copy and paste" the entire thing without my browser crashing.

I'm posting the last chunk of the log here showing that it detected nothing.. If you require the rest, let me know a better way to copy and paste it on here.. My HJT log and dilemna follows the bit from Dr.WebCureIt log.... Let me know what else I can do. It seems whatever this malware is, is literally "taking over my computer". :)

Scan statistics

-----------------------------------------------------------------------------

Scanned: 521904

Infected: 0

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 0

Ignored: 0

Scan speed: 198 Kb/s

Scan time: 04:45:27

-----------------------------------------------------------------------------

=============================================================================

Total session statistics

=============================================================================

Scanned: 554700

Infected: 0

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 0

Ignored: 0

Scan speed: 4 Kb/s

Scan time: 05:22:03

=============================================================================

I have Vista and for some odd reason when I right clicked HiJack This on my desktop, it did not give me the option to "run as administrator" therefore when I started the scan, within 5 seconds I did get the notification reading:

"For some reason, your system denied write access to the Hosts file. If any hijacked domains are in this file, Hijack This may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

Notepad C:\Windows\System32\drivers\etc\hosts

And press Enter. Find the line(s) Hijack This reports and delete them. Save this file as

Link to post
Share on other sites

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

    [*]Click the OK button

    [*]In the next dialog, select all drives showing

    [*]Click OK to start the scan

    Note: The scan can take some time.
    DO NOT
    run any other programs while the scan is running

    [*]When the scan is complete, the Save Report button will become available

    [*]Click this and save the report to your Desktop as RootRepeal.txt

    [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Link to post
Share on other sites

Please download GooredFix (by jpshortstuff) from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista or 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Link to post
Share on other sites

There were no windows open when I ran the scan. It finished very quick, within 5. Not sure how helpful this will be but the GooredFix log that popped up said this:

GooredFix by jpshortstuff (08.01.10.1)

Log created at 10:39 on 12/04/2010 (Judy)

Firefox version [unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [09:16 06/03/2009]

"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [23:16 08/01/2010]

-=E.O.F=-

Link to post
Share on other sites

Please download Sysprot Antirootkit

Unzip it into a folder on your desktop.

  • Double-Click Sysprot.exe to start the program.
  • Click on the log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the Bottom Right.
  • After a few seconds a new windows should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted too.
  • Open the text file and copy/paste the log here

Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.