help with Random MSIE pages


Hi,

Yes, I'm still with you. I was just a bit busy the last two days.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    SRV - [2010/11/22 21:43:04 | 000,465,792 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Jim\Local Settings\temp\Y.exe -- (Y)
    DRV - [2010/11/22 02:52:47 | 000,007,168 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\utm3mjg4.sys -- (utm3mjg4)
    FF - prefs.js..browser.search.defaultengine: "Yahoo-FlvTube"
    FF - prefs.js..browser.search.defaultenginename: "Yahoo-FlvTube"
    FF - prefs.js..browser.search.order.1: "Yahoo-FlvTube"
    FF - prefs.js..browser.search.selectedEngineURL: "http://flvtubesearch.co/?tmp=toolbar_FLVTube_results&prt=flvtubetb01ff&clid=99b18cfd5d184cdc80820914e75451de&subid=2728&Keywords={searchTerms}"
    [2010/10/13 16:39:06 | 000,008,603 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\flvtube.xml
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-606747145-1770027372-682003330-1014\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2010/11/23 06:50:15 | 000,024,983 | ---- | M] () -- C:\WINDOWS\System32\13501517141.dll
    [2010/11/22 02:52:47 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utm3mjg4.sys

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Runscanner to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page click Scan computer at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop.

You have to zip the .run file. You can do this by right-clicking the .run file, pointing to Send To, and then clicking Compressed (zipped) Folder.

When you've done that, attach the .zip file in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post
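The SRV and DRV entries in the fix script above follow OTL's fixed one-line layout (timestamp, size, attributes, vendor, state flags, path, service name). The following Python, added here as an illustration and not part of this thread or of the OTL tool, parses lines in that layout and flags the two signs the fix acted on: a service binary living in a user temp directory, and a kernel driver with no vendor string. The two sample entries are the ones quoted in the script; the "clean" entry and the helper names (`parse_otl_entry`, `suspicious_reasons`, `triage`) are constructed for the example.

```python
import re
from typing import Optional

# Matches the OTL service (SRV) / driver (DRV) entry layout as shown in the fix script:
# SRV - [date time | size | attrs | M] (vendor) [flags] -- path -- (name)
OTL_ENTRY = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|]+?) \| (?P<mark>\w)\] \((?P<vendor>[^)]*)\) "
    r"\[(?P<flags>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)

# Sample input: the two entries quoted in the fix script above.
SAMPLE_ENTRIES = [
    r"SRV - [2010/11/22 21:43:04 | 000,465,792 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Jim\Local Settings\temp\Y.exe -- (Y)",
    r"DRV - [2010/11/22 02:52:47 | 000,007,168 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\utm3mjg4.sys -- (utm3mjg4)",
]

# Constructed control entry that should pass every check (not from the thread).
CLEAN_ENTRY = (
    r"SRV - [2010/01/01 00:00:00 | 000,100,000 | ---- | M] (Example Corp) "
    r"[Auto | Running] -- C:\WINDOWS\system32\example.exe -- (example)"
)

# Directory fragments a service or driver binary should normally never live under.
TEMP_DIR_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")


def parse_otl_entry(line: str) -> Optional[dict]:
    """Split one SRV/DRV line into its fields; return None if the layout does not match."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))          # "000,465,792" -> 465792
    entry["flags"] = [f.strip() for f in entry["flags"].split("|")]  # "Kernel | On_Demand" -> list
    return entry


def suspicious_reasons(entry: dict) -> list:
    """Return the list of heuristic findings for one parsed entry (empty if it looks normal)."""
    reasons = []
    path = entry["path"].lower()
    if any(marker in path for marker in TEMP_DIR_MARKERS):
        reasons.append("binary located in a temp directory")
    if not entry["vendor"].strip():
        if entry["kind"] == "DRV" and "Kernel" in entry["flags"]:
            reasons.append("kernel driver with no vendor string")
        else:
            reasons.append("no vendor/company string")
    return reasons


def triage(lines) -> dict:
    """Map service/driver name -> reasons for every parsable entry that trips a check."""
    findings = {}
    for line in lines:
        entry = parse_otl_entry(line)
        if entry is None:
            continue  # not an SRV/DRV line (e.g. FF prefs or O6/O7 entries); skip it
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES + [CLEAN_ENTRY]).items():
        print(f"{name}: {', '.join(reasons)}")
```

Both heuristics are deliberately narrow: a path under a temp directory and an empty vendor field are each only a prompt for closer inspection, not proof of infection, which is why the script reports reasons rather than verdicts.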


I successfully ran OTL again with your additional code. Then I ran Runscanner and rebooted. Attached are the 2 files requested: the .run file and the .txt file. Note: OTR reported that I had MS's Restore disabled (requested for a previous step). It's true and can be restored at any time.

Jim


Gammo,

No change. The last week, it's been including webpages that are related to my neighborhood (so I assume outgoing messages are getting around Norton and the other protections I am running). When I first came online after the changes you ordered, there was an immediate attack that Norton blocked called HTTP Misleading Application Detection. It was blocked, but after about 10 minutes, the popups started.

I have a temporary work-around that might interest you. I turned it off for the tests above. I downloaded a product called Internet Access Controller by Gear Box Computers. I've allowed AOL (their own GUI) access to the internet along with access to FTP sites for my web pages and a few other odds and ends. With IAC running, I get NO popups. I can use MSIE through AOL without intrusion. I can also use Firefox without issue. Access to the outside world directly via MSIE (direct) is blocked. So long as it's blocked (explorer.exe), not a single pop-up has appeared since I downloaded IAC.

Jim


Hi,

Download avz4.zip from HERE

  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the Right of the Log window: avz-update-button.png
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.
    avz-standardscripts-asa-removal.png
  3. Click on the

That IS weird! Let's see if it goes through this time. This last pass seems to have slowed it down quite a bit.....or it has morphed. When I opened the IAC, I immediately got about 20 sites that popped up (I assume from an earlier upload of new sites to load) but then it stopped for a while (hours). Then, while trying a normal browse, I got a redirect which had never happened. Looking at the addon list in IE, there was a new one I hadn't seen before. Cashtitan Browser Enhancer. Disabling it took care of the redirects. So all was quiet for a while. Then the popups started again. This time, I found that my IE Pop Up Blocker was turned off, so I turned it back on. That was about 4 hours ago. The popup webpage hits stopped again. So that's where we're at. I've been working here at the computer all morning, so it's had plenty of opportunity to do "its thing." Note, Norton is blocking about 50-100 intrusion attempts per hour, mostly from China and the Soviet bloc. Is that typical? Thanks for your help and patience.

virusinfo_syscheck.txt

virusinfo_syscure.txt


Gammo, 12.1 Update: The computer has been running continuously since our last effort with the IAC disabled. When I came in this morning, there was one group of 16 random websites that "loaded" sometime between 4am and 8am. While that indicates that we're not done yet, it's considerably less than before (Note: when I first contacted MalwareBytes, there would be at least 40 or 50 sites when I would start in the morning and as I would work, "groups" of 10-20 or 30 sites would pop up every 15 minutes or so). As of this writing, no additional phantom changes were made to IE's "Manage Add-In" or Pop-Up blocker settings. Norton Unused Port Blocking continues to block 2-4 inbound communication attempts EVERY MINUTE.


Gammo,

Yea......I can handle reinstalling Windows and since this happened, I've learned how to make Windows Restore a WHOLE lot more reliable, but.......

I'm not quite ready to give up. I've been searching similar forums and this exploit has been hitting others bad. Absolutely identical. Thing is, with your efforts, as best that I can tell, we have had more success than anyone. In fact, I think our efforts are the ONLY ones that have found any success at all. The last pass with OTR really slowed it down. After that pass, it started acting different so I started looking around. That's when I found the new malicious addition to the IE addins. When I disabled that, the intrusions reduced themselves even further, now to a trickle which I can describe as follows: When I leave IE open, I get a single webpage about once every 12 hours along with several popup windows asking me to download an .exe. The popup window is always for the same exe program and always shows up with the single webpage in the IE window, but I don't have the name handy right now.

My thought is that this original intrusion is made up of several scripts or modules in the form of dlls or such which all worked together with a "mother" program that would monitor activity and "call out" to a server for updates....... and the last pass in OTR knocked out its ability to call out (via a network connection) to its own malware server for more websites to visit and to bring in replacement files/programs to morph into which have been preventing us from nailing it down. Furthermore, if my theory is even remotely plausible (you may be shaking your head by this point), using the IAC put this thing in check long enough (keeping the mothercode from calling for help) for OTR to work and get ahead of the morphing files.

So.......now that I think this thing is half dead and no longer morphing, I'm going to go back to square one and start with each of the malware removal tools. My guess is that it will find something fairly simple....maybe well known and zap it.

My question to you Gammo, is would you be willing to monitor this thread and speak up if you see anything valuable and help me if I have a question or get stuck? To that end, I will continue to post the logs. If I get through this again and am still plagued by the intrusion, then it will be time to reinstall Windows.......or simply burn my outdated MSCE diploma and learn Linux or even worse.....go Mac.......which kinda feels like if I were to cheat on my wife.....if I had one......but one thing for sure.....MALWAREBYTES! Jim


  • 2 weeks later...

It seems that our series of posts have gathered a fair amount of attention. I assume the hits are from others with the same problem. In my web searches, I have found others with identical conditions. It seems that nobody has been able to develop a complete solution. Our efforts did seem to seriously injure the malware activity by significantly reducing the magically appearing websites, but in the end, the only tool that gave even temporary relief was a shareware internet access blocking program. That said, a Band-aid is hardly a fix, but it enabled me to work without the annoying pop-ups until I could take the time for a more complete solution. That time came last week. I backed up several hundred gigs of data, wiped the drive clean, reloaded Windows and reinstalled everything and set up System Restore. Problem solved. For anyone reading this who is planning to do the same, take some advice and buy another hard drive to back up to. Don't use a service like Carbonite, which I firmly believe in as a last resort backup, but if you have any amount of data at all, you'll be spending weeks waiting for the "off-site" restore to complete. And last, set up and test Windows System Restore to make sure it works before you need it. That was my critical error in all this. I THOUGHT it was set up, but when I went to use it, none of the restore points would work. I found the problem and solution from Microsoft after it was too late.


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
