Removal of malware disabled IE7


Hi,

On 4/5/10 I contracted some malware from, I believe, AVsoft. I ran a full malwarebytes scan in safe-mode and 7 items were found. I removed the items and re-booted windows normally. Ever since then my IE7 will only open to a blank page and you can't search the web at all. Also my OE6 will now not display images or pictures. All you get are boxes with red X's in them. I downloaded and re-installed IE7 but this made no difference. I'm really hoping that someone can help me solve this problem. Thanks in advance for your help with this.

Monty


Hello Monty!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • The instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install any software or hardware while we are working.

Step 1:

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Step 2:

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include these log(s):

* GMER log

* DDS log with Attach.txt


Hi Borislav,

Thanks for your help with this problem. I downloaded the programs you recommended, ran them and have attached the logs below. I'll look forward to hearing back from you and thanks again!

Monty

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-13 23:57:21

Windows 5.1.2600 Service Pack 3

Running: 0gvrxlzf.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kfrorpob.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xBA54F392]

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9026360, 0x24BB1D, 0xE8000020]

.text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xAE1B2000, 0x2892, 0xE8000020]

.vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xAE1D5050]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1672] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E393298B-796B-5E42-419C-1C07D5EF91CA}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E393298B-796B-5E42-419C-1C07D5EF91CA}@hakfpgojjnjhmlcm 0x6E 0x61 0x62 0x69 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E393298B-796B-5E42-419C-1C07D5EF91CA}@jalfmgigmgnalcokmeji 0x65 0x62 0x63 0x69 ...

---- EOF - GMER 1.0.15 ----

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/6/2009 6:39:23 AM

System Uptime: 4/13/2010 9:54:02 AM (6 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6570

Processor: AMD Athlon XP 1700+ | Socket A | 1470/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 83.364 GiB free.

D: is FIXED (NTFS) - 56 GiB total, 12.24 GiB free.

E: is Removable

F: is CDROM ()

G: is FIXED (NTFS) - 298 GiB total, 125.766 GiB free.

H: is FIXED (FAT32) - 29 GiB total, 20.291 GiB free.

I: is FIXED (NTFS) - 269 GiB total, 12.544 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\3&13C0B0C5&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\3&13C0B0C5&0

Service: i8042prt

==== System Restore Points ===================

RP111: 2/19/2010 6:55:49 PM - System Checkpoint

RP112: 2/20/2010 6:58:20 PM - System Checkpoint

RP113: 2/21/2010 3:59:34 AM - RegZooka Safe Scan Backup

RP114: 2/22/2010 5:00:11 AM - System Checkpoint

RP115: 2/23/2010 5:05:14 AM - System Checkpoint

RP116: 2/24/2010 5:26:27 AM - System Checkpoint

RP117: 2/25/2010 7:08:52 AM - System Checkpoint

RP118: 2/26/2010 7:38:06 AM - System Checkpoint

RP119: 2/27/2010 8:41:33 AM - System Checkpoint

RP120: 2/28/2010 9:03:22 AM - System Checkpoint

RP121: 3/1/2010 10:18:15 AM - System Checkpoint

RP122: 3/2/2010 10:46:02 AM - System Checkpoint

RP123: 3/3/2010 11:01:28 AM - System Checkpoint

RP124: 3/4/2010 11:47:49 AM - System Checkpoint

RP125: 3/5/2010 12:46:38 PM - System Checkpoint

RP126: 3/6/2010 1:46:39 PM - System Checkpoint

RP127: 3/7/2010 2:19:21 PM - System Checkpoint

RP128: 3/8/2010 3:19:20 PM - System Checkpoint

RP129: 3/9/2010 4:19:21 PM - System Checkpoint

RP130: 3/10/2010 5:19:21 PM - System Checkpoint

RP131: 3/11/2010 6:19:21 PM - System Checkpoint

RP132: 3/12/2010 7:18:40 PM - System Checkpoint

RP133: 3/13/2010 9:18:41 PM - System Checkpoint

RP134: 3/14/2010 9:42:42 PM - System Checkpoint

RP135: 3/16/2010 2:28:29 AM - System Checkpoint

RP136: 3/16/2010 9:02:45 AM - Avg8 Update

RP137: 3/16/2010 9:05:40 AM - Avg Update

RP138: 3/17/2010 8:18:02 AM - Avg Update

RP139: 3/18/2010 8:54:06 AM - System Checkpoint

RP140: 3/19/2010 9:51:47 AM - System Checkpoint

RP141: 3/20/2010 10:19:44 AM - System Checkpoint

RP142: 3/21/2010 11:19:44 AM - System Checkpoint

RP143: 3/22/2010 12:19:43 PM - System Checkpoint

RP144: 3/23/2010 1:19:43 PM - System Checkpoint

RP145: 3/24/2010 2:19:44 PM - System Checkpoint

RP146: 3/25/2010 2:32:11 PM - System Checkpoint

RP147: 3/27/2010 8:31:26 AM - System Checkpoint

RP148: 3/28/2010 9:12:12 AM - System Checkpoint

RP149: 3/29/2010 9:21:59 AM - System Checkpoint

RP150: 3/30/2010 11:14:17 AM - System Checkpoint

RP151: 3/31/2010 11:15:07 AM - System Checkpoint

RP152: 4/1/2010 9:58:42 AM - Avg Update

RP153: 4/1/2010 10:00:17 AM - Avg Update

RP154: 4/2/2010 12:39:35 PM - System Checkpoint

RP155: 4/3/2010 12:49:56 PM - System Checkpoint

RP156: 4/5/2010 6:33:56 AM - System Checkpoint

RP157: 4/6/2010 7:34:14 AM - System Checkpoint

RP158: 4/7/2010 8:33:42 AM - System Checkpoint

RP159: 4/7/2010 11:35:26 AM - Restore Operation

RP160: 4/7/2010 11:38:47 AM - Restore Operation

RP161: 4/7/2010 11:41:50 AM - Restore Operation

RP162: 4/7/2010 11:51:26 AM - Avg Update

RP163: 4/7/2010 11:54:57 AM - Restore Operation

RP164: 4/8/2010 8:40:12 AM - Avg Update

RP165: 4/9/2010 9:02:43 AM - System Checkpoint

RP166: 4/10/2010 10:04:33 AM - System Checkpoint

RP167: 4/11/2010 10:14:05 AM - System Checkpoint

RP168: 4/12/2010 7:23:36 AM - Software Distribution Service 3.0

RP169: 4/12/2010 7:39:52 AM - Software Distribution Service 3.0

RP170: 4/13/2010 8:18:10 AM - System Checkpoint

RP171: 4/13/2010 9:50:46 AM - Installed Windows NLSDownlevelMapping.

RP172: 4/13/2010 9:51:17 AM - Installed Windows IDNMitigationAPIs.

RP173: 4/13/2010 9:51:36 AM - Installed Windows Internet Explorer 7.

==== Installed Programs ======================

DDS.txt


Hi Borislav,

Thanks for your reply. For some reason I didn't receive an email notification even though I have that option checked. The only programs I have the option to remove in Control Panel-Add Remove programs are Ask Toolbar, Adobe Acrobat 8.1.6 Professional and Search Settings v1.2.3. The other 2 Adobe items aren't listed. I'm curious why these programs are causing my IE7 and OE6 problems. Are they corrupted somehow or malware? If I'm not able to remove the other 2 programs will this still be a problem? Thanks for your help and as soon as I hear back from you I'll proceed.

Monty


Monty, the hackers' goal is basically the programs that are most used. At the top of their list is Adobe software - Adobe Acrobat and Adobe Reader. To further protect you from infection, we need to clean up the most important programs; afterwards you can download and install the latest version of the program if you wish. Older versions of Adobe software have very serious vulnerabilities.

Continue onwards. After we finish the work, you can manually clean up the Adobe software.

http://kb2.adobe.com/cps/400/kb400658.html


Hi Borislav,

OK, I've deleted everything you suggested. Attached are the 2 logs you requested. I did try both IE7 and OE6 after removing the programs, but there's still no change. Hopefully we can work through this. Thanks again for your help with this.

Monty

P.S. - I'm still not receiving email notifications for some reason. I've checked my webmail spam filter but there's nothing there from malwarebytes.

DDS.txt

protection_log_2010_04_15.txt


Sorry about that. Here's the scan log below. Thanks again for your help.

Monty

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3991

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/15/2010 10:41:43 AM

mbam-log-2010-04-15 (10-41-43).txt

Scan type: Quick scan

Objects scanned: 124425

Time elapsed: 13 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


**Note: If you need more detailed information, please visit the web page of ComboFix on BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

DirLook::
c:\documents and settings\Administrator\Local Settings\Application Data\xjfulsucg
c:\documents and settings\Administrator\Local Settings\Application Data\qttwlwfff

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
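The security-relevant line in the script above is the DDS:: entry `uInternet Settings,ProxyServer = http=127.0.0.1:5555`: the infection had pointed WinINet's HKCU proxy setting at a local listener, and once the malware process was gone that setting stayed behind, so every WinINet client (Internet Explorer, and Outlook Express fetching images) was routed into a dead port, which is exactly the blank pages and red-X boxes reported in the first post. The following Python is an added example, not part of the thread and not ComboFix's code: it parses the ProxyServer value out of a DDS-style log, decides whether it is stale hijack residue, and prints the reg.exe commands that clear the setting by hand. The DDS excerpt is constructed (only the ProxyServer line is quoted from the thread), the listener probe is injectable so the classification can be tested offline, and the reg.exe commands are my manual equivalent of what the DDS:: directive achieves, not a description of ComboFix's internals.

```python
"""Added example, not part of the original thread: audit a WinINet
ProxyServer value such as the one the CFScript above clears."""
import ipaddress
import re
import socket

INTERNET_SETTINGS_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed DDS.txt excerpt. Only the ProxyServer line is quoted from the
# thread; the other lines are made up so the parser has something to skip.
SAMPLE_DDS = """\
uStart Page = hxxp://www.example.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mStart Page = hxxp://www.example.com/
"""

# DDS prefixes the value with u (HKCU) or m (HKLM).
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$",
                        re.MULTILINE)


def extract_proxy_values(dds_text):
    """Every ProxyServer value a DDS log reports, in file order."""
    return PROXY_LINE.findall(dds_text)


def parse_wininet_proxy(value):
    """Split a WinINet ProxyServer string into {scheme: (host, port)}.

    WinINet accepts a bare "host:port" (stored here under the key "*") or a
    ";"-separated list of "scheme=host:port" entries.
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:                       # bare host:port applies to all schemes
            scheme, hostport = "*", entry
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """Loopback by address (127/8, ::1) or by the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def listener_alive(host, port, timeout=1.0):
    """True if something accepts a TCP connection at host:port right now."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_proxy(value, probe=listener_alive):
    """Classify each proxy in a ProxyServer value as a (scheme, host, port, verdict) tuple.

    The pattern in this thread: the malware ran a local proxy and pointed
    WinINet at it; removing the malware killed the listener but left the
    setting, so IE (and Outlook Express, which also uses WinINet) could reach
    nothing. A loopback proxy that does answer may be a legitimate local
    filter, so it is flagged for identification rather than removal.
    `probe` is injectable so the check can run without touching the network.
    """
    findings = []
    for scheme, (host, port) in parse_wininet_proxy(value).items():
        if not is_loopback(host):
            verdict = "remote proxy: confirm it is one you configured"
        elif port is not None and probe(host, port):
            verdict = "loopback proxy with a live listener: identify the owning process"
        else:
            verdict = "loopback proxy with nothing listening: stale hijack residue"
        findings.append((scheme, host, port, verdict))
    return findings


def remediation_commands():
    """reg.exe commands that clear the WinINet proxy by hand (my equivalent of
    what the CFScript's DDS:: line achieves, not ComboFix's internals)."""
    return [
        f'reg add "{INTERNET_SETTINGS_KEY}" /v ProxyEnable /t REG_DWORD /d 0 /f',
        f'reg delete "{INTERNET_SETTINGS_KEY}" /v ProxyServer /f',
    ]


if __name__ == "__main__":
    for value in extract_proxy_values(SAMPLE_DDS):
        for scheme, host, port, verdict in audit_proxy(value):
            print(f"{scheme:6} {host}:{port}  {verdict}")
    print("\n".join(remediation_commands()))
```

Run as a script it audits the constructed excerpt with a real connection attempt to 127.0.0.1:5555; on a machine with nothing on that port it reports the stale-residue verdict and the two reg.exe commands. The same check is worth running after any manual proxy reset, because a cleaner that only kills the proxy process will reproduce Monty's symptoms on the next reboot.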


Hi Borislav,

To be honest I don't understand at all what you're asking me to do. I thought that I'd already done what you'd asked me to do. I ran combo-fix as instructed. Wasn't the log file I attached the right one? When I ran combo-fix and when it finished, the only log file that presented itself was the file I copied and attached. Did I do something wrong? Please advise and thanks again for your help and patience.

Monty


Thanks!

Please go and delete the following folders:

c:\documents and settings\Administrator\Local Settings\Application Data\qttwlwfff

c:\documents and settings\Administrator\Local Settings\Application Data\xjfulsucg

Let me know how are things now.


Hi Borislav,

All right!!!!! I can now open IE7 and perform web searches and images in OE6 work now. What an ordeal! I can't thank you enough for your help with this malware removal. You take care and have a great weekend!

Best regards,

Monty

P.S. - As soon as I ran combofix I started receiving email notifications of your replies to this post. Seems kind of strange.


Good work, Monty! :)

Here are some final steps:

Step 1:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2:

Please manually delete DDS and JavaRa.

Step 3:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)


Hi Borislav,

OK, I deleted combofix, DDS and GMER as well as the associated log files. I'm a little confused about JavaRa. I don't remember that as being part of this process. Do I need to do a search, find it and delete it? Also thanks for the link to how to prevent malware. There appears to be a wealth of information there. Let me know about the JavaRa and thanks again for all your help.

Monty

P.S. - I didn't get an email notification again for your last post. It must be a bug in malwarebytes?????


This topic is now closed to further replies.