
Windows Defender Malware and IE Pop-Up Problems



Ok, where to start. About two weeks or so ago I encountered some malware on my system. A pop-up would appear in the taskbar giving me various "danger" and "warning" messages. I thought it looked bogus so I opened up the task manager, found the odd looking program and closed it. The only lasting effect was that I couldn't open Google Chrome. I had to go into options>LAN settings and turn off proxy settings as apparently the malware was forcing Chrome to use a proxy. Things seemed fine.

A few days after that the pop up appeared again. This time it refused to go away and I tried a system restore which worked for a while, but of course that would not be enough to solve the problem permanently. Today it showed up again and now it's worse than ever. I followed instructions to use mbam and ccsetup232 but the problem has not been solved.

First off, the instructions I followed told me to boot my computer up in safe mode and run mbam, which I did. I should note that the problems still occurred while in safe mode; however, I was able to run a quick scan (not full scan) in mbam. In every instance that I've tried to run a full scan, my computer has turned itself off. I can't tell if this is a hardware/cooling issue (which would be strange because my computer has never done that before) or if the malware is forcing my computer to turn itself off whenever I perform the scan. That being said, mbam found 14 infected files after I performed a quick scan, which I instructed it to remove. I then rebooted my computer in normal mode and ran ccsetup232_slim to clear my system of any temporary files. However, I'm beginning to wonder if I made a mistake by doing that because now my system will continually open IE and connect to random ad sites. It'll also download small files to my desktop on occasion.

I have attempted to follow the stickied thread at the top of the page but I am currently running into a few problems. First off, I cannot run mbam right now. My computer is running in normal mode and I'm thinking that the windows defender malware is preventing me from running the program because it's given me pop-ups about mbam being malware, which is obviously not true. Secondly, I've run defogger and saved the DDS and Attach logs to my desktop. I can post those below. Third, I attempted to run GMER Rootkit scanner but was unable to do so. At this point I am lost and have no idea what to do. I shall await a response before posting any logs so as to avoid having too much clutter in my initial post. Thanks in advance and I appreciate the help with this headache.


Hello bruddahmanmatt! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me, and then I'll tell you what to do.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed of any changes.

Where are the logs?


============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081014.001\IDSvix86.sys [2008-10-14 270384]

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-6-25 20384]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]

R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]

R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-11 23888]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-13 99376]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-6-25 954368]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-11 38224]

S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]

S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-5 1245064]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-06-11 18:48:34 54016 ----a-w- c:\windows\system32\drivers\fgrp.sys

2010-06-11 18:29:32 0 d-----w- c:\program files\CCleaner

2010-06-11 18:28:30 0 d-----w- c:\users\hauoli\appdata\roaming\Malwarebytes

2010-06-11 18:28:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-11 18:28:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-11 18:28:21 0 d-----w- c:\programdata\Malwarebytes

2010-06-11 18:28:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-11 18:14:09 0 d-----w- c:\users\hauoli\appdata\roaming\Defense Center

2010-05-26 04:50:25 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2009-11-25 08:41:31 86016 ----a-w- c:\windows\inf\infstor.dat

2009-11-25 08:41:31 51200 ----a-w- c:\windows\inf\infpub.dat

2009-11-25 08:41:31 143360 ----a-w- c:\windows\inf\infstrng.dat

2008-08-25 21:08:38 665600 ----a-w- c:\windows\inf\drvindex.dat

2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2008-08-22 21:51:10 14 --sh--r- c:\windows\system32\drivers\fbd.sys

2008-08-22 21:51:10 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 14:00:08.51 ===============

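The DDS log above lists the loaded services and drivers, the `.exe` file association and the files created in the last 30 days, which is exactly the material a helper reads first. As an added example (not code from the thread, from DDS or from Malwarebytes), here is a small triage script that parses those sections and flags the items worth checking: a `.exe` association whose handler is not the normal `exefile` ProgID (a rogue security product registers its own handler so that it runs before every executable), driver files created recently that have no matching service entry in the log, and `.sys` files carrying the hidden+system attributes. `SAMPLE_LOG` is a constructed excerpt assembled from lines in the posted log; `Finding`, `triage` and the helper names are this example's own.

```python
"""Triage helper for the SERVICES / DRIVERS, File Associations, Created Last 30
and Find3M sections of a DDS-style log.

Added example; not code from the thread, from DDS or from Malwarebytes.
SAMPLE_LOG is a constructed excerpt assembled from lines in the posted log."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081014.001\IDSvix86.sys [2008-10-14 270384]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-11 38224]
============== File Associations ===============
.exe=secfile
=============== Created Last 30 ================
2010-06-11 18:48:34 54016 ----a-w- c:\windows\system32\drivers\fgrp.sys
2010-06-11 18:28:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 18:14:09 0 d-----w- c:\users\hauoli\appdata\roaming\Defense Center
2010-05-26 04:50:25 2048 ----a-w- c:\windows\system32\tzres.dll
==================== Find3M ====================
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2008-08-22 21:51:10 14 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-08-22 21:51:10 4 --sh--r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 14:00:08.51 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R1 name;display name;image path [date size]"  or  "[?]" when DDS could not verify the image
SERVICE_RE = re.compile(r"^([RSU]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "date time size attributes path"; attributes are an 8-character string such as --sh--r-
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
DRIVER_DIR = "\\system32\\drivers\\"


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": confirm by hand
    section: str
    detail: str


def parse_sections(text):
    """Group the log's lines under the '==== NAME ====' heading they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            current = None if name.startswith("FINISH") else name
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def image_name(path):
    """Bare file name of a service's image, ignoring any arguments after it."""
    return path.split()[0].lower().rsplit("\\", 1)[-1]


def triage(text):
    sections = parse_sections(text)
    findings = []
    registered = set()          # image names that have a service/driver entry
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, name, _display, path, stamp = m.groups()
        registered.add(image_name(path))
        if stamp.strip() == "?":
            findings.append(Finding("review", "SERVICES / DRIVERS",
                                    f"{name}: image path could not be verified ({path})"))
    for line in sections.get("File Associations", []):
        ext, _, handler = line.partition("=")
        if ext.lower() == ".exe" and handler.lower() != "exefile":
            findings.append(Finding("high", "File Associations",
                                    f"{line}: .exe handler should be 'exefile'; another ProgID "
                                    "means a foreign program is run for every executable"))
    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            _date, _time, size, attrs, path = m.groups()
            low = path.lower()
            is_driver = DRIVER_DIR in low and low.endswith(".sys")
            if is_driver and "s" in attrs and "h" in attrs:
                findings.append(Finding("high", section,
                                        f"{path}: hidden+system driver file, {size} bytes"))
            elif is_driver and section == "Created Last 30" and image_name(path) not in registered:
                findings.append(Finding("high", section,
                                        f"{path}: driver created recently with no matching service entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

Run against the excerpt it reports the `.exe=secfile` hijack, the unregistered `fgrp.sys`, the two tiny hidden `.sys` files from Find3M and the unverified `lxdn_device` image, while `mbamswissarmy.sys` is left alone because its service entry is present. The checks are deliberately narrow: they flag patterns a helper would examine, not a verdict, and a legitimate but unusual driver still needs a publisher check by hand.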

I should also add that my system is now restarting itself approx. every 30-60 minutes on its own. I'll get a message saying that my system is missing some critical files and that it's now restarting and it'll automatically reboot. I didn't make any changes whatsoever and it began doing this sometime yesterday. That being said, I've resorted to shutting down my system if it's not in use. However just now when I shut down my computer, windows automatically updated my system. Does that mean that I need to redo the logs? I don't want to turn on my system again until you reply back to me for fear of further damage/infection so I'll be typing from a different computer until otherwise advised.


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


It happened again. My computer shut down in the middle of the scan. It said it had completed up to Stage 7 the last time I looked at it. Turned around to grab a drink from the fridge, came back and my computer had shut down. Do I reboot in safe mode again or normal mode? I'm starting to get very worried here.


Holy crap. Ok so here's the thing. There's no .txt file but there is a file labeled Combo-Fix. Under "Type" it's simply listed as "File". However, there seems to be no sign of the infections anymore. No more pop-ups in my tray and no more IE automatically opening and trying to connect to random sites. Did this fix everything?


Let's check:

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Just got the pop-up in my taskbar again. Damn. It was of the fake "AV Security" variety. I was surfing the web when it showed up randomly. I was able to terminate the process via the task manager, so at least this time there are no permanent pop-ups; however, the fact that it showed up again is still disconcerting. It also tried to force Google Chrome to use a proxy, which I was able to disable. Everything "appears" to be fine but the fact that this issue showed up again probably proves that it's not. I'll be out for a few hours tonight but will check back when I return. Is there a way that I can increase the level of security for my browser or something? I shall await your advice and instructions.


  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Followed the instructions and performed the Quick Scan. mbam found 41 infected files. Removed them and restarted. Upon startup I now have a message in my taskbar that says "blocked startup programs". Here is a copy of the log file from mbam.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4194

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

6/13/2010 11:57:06 AM

mbam-log-2010-06-13 (11-57-06).txt

Scan type: Quick scan

Objects scanned: 125964

Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 28

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaeqkcxvnmtn (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyuvoqoyamukohiy (Trojan.Agent.U) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lviviquwej (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Windows\PRAGMAeqkcxvnmtn (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Users\Hauoli\AppData\Local\Temp\eJjD.exe (Malware.Gen) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\esentutl64.exe (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\ICpqPyQoXf.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\mschrt20ex.dll (Rogue.FakeAV) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmp2C9B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmp369.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\TMP60560.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmp9877.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpA525.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpB183.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpBDD3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpD9DA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpDB22.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpEC81.tmp.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpEDE6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\tmpFBAC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\topwesitjh (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\vKnUnoDEWy.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Windows\PRAGMAeqkcxvnmtn\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\ProgramData\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\PRAGMAae38.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Users\Hauoli\AppData\Local\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

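The MBAM log above is the thread's record of what was removed: the rogue's registry keys, the TDSS rootkit components under `C:\Windows\PRAGMAeqkcxvnmtn`, the `Run` entries and the `DisableTaskMgr` policy that had been set to 1. When reading such a log a helper checks three things: that the summary counts match the itemised lists (a truncated paste hides items), which malware families are involved, and whether every item actually ended in "Quarantined and deleted successfully." As an added example (not code from the thread or from Malwarebytes), here is a small parser for this 1.x log format that performs those checks. `SAMPLE_LOG` is a constructed, shortened excerpt of the posted log with the summary counts adjusted to the shorter lists and one constructed "No action taken." line added to show how an unresolved item is surfaced; `parse_mbam_log`, `verify_counts`, `family_tally` and `unresolved` are this example's own names.

```python
"""Parser and consistency check for a Malwarebytes' Anti-Malware 1.x text log.

Added example; not code from the thread or from Malwarebytes.  SAMPLE_LOG is a
constructed excerpt modelled on the posted log: the item lists are shortened,
the summary counts are adjusted to match them, and one 'No action taken.' line
is constructed to show how an unresolved item is surfaced."""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4194
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

Scan type: Quick scan
Objects scanned: 125964
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaeqkcxvnmtn (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\PRAGMAeqkcxvnmtn (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Hauoli\AppData\Local\Temp\esentutl64.exe (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Windows\PRAGMAeqkcxvnmtn\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Hauoli\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 28"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:" (itemised block)
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*)$")         # "<target> (<family>) -> <steps>"
CLEANED = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {'declared': {section: count}, 'items': {section: [item, ...]}}."""
    report = {"declared": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["declared"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["items"].setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            target, family, rest = m.groups()
            # Registry data items carry an extra "Bad: (x) Good: (y)" step before the outcome.
            steps = [s.strip() for s in rest.split("->")]
            report["items"][section].append(
                {"target": target, "family": family, "outcome": steps[-1], "notes": steps[:-1]})
    return report


def verify_counts(report):
    """Sections whose declared count differs from the number of items listed."""
    mismatches = {}
    for section, declared in report["declared"].items():
        found = len(report["items"].get(section, []))
        if found != declared:
            mismatches[section] = (declared, found)
    return mismatches


def family_tally(report):
    """Detections per malware family across all sections."""
    return Counter(item["family"] for items in report["items"].values() for item in items)


def unresolved(report):
    """Items that did not end in a successful quarantine and need a follow-up."""
    return [item for items in report["items"].values() for item in items
            if item["outcome"] != CLEANED]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", verify_counts(rep) or "none")
    for family, n in family_tally(rep).most_common():
        print(f"{n:3d}  {family}")
    for item in unresolved(rep):
        print("UNRESOLVED:", item["target"], "->", item["outcome"])
```

On the excerpt the counts agree, `Trojan.DNSChanger` and `Rootkit.TDSS` dominate the tally (the same TDSS/DNSChanger pairing that explains the earlier forced proxy in Chrome), and the constructed `wscsvc32.exe` line is the one item reported as unresolved. The `notes` field keeps the `Bad: (1) Good: (0)` step for the `DisableTaskMgr` policy, which documents that Task Manager had been disabled by policy and was restored.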
