
HELP! Hiloti.gen!D and other infections



HELP!! Yesterday I noticed when I click on a link in Google, I get redirected to advertisements. I ran Microsoft protection scan and it found 3 infections (Trojan: win32/Hiloti.gen!D, Exploit: Java/CVE-2010-0840.AA, and Rogue: Win32/FakeVimes). Protection scan was able to clean the FakeVimes, but not the other two. After doing research, I read recommendations to download Malwarebytes. I downloaded the software to desktop, did quick scan. It found several infections, quarantined them (and I deleted quarantined items). Log-report of original scan below. I re-started computer. Computer ran Check Disk automatically. Windows started successfully, I re-ran quick-scan --> no infections. I did full scan --> infections. I start the Explorer web browser, and still see the same behavior (typed an address into address bar directly, and it brought me to an ad page).

Any help/guidance much appreciated!!!!

Thank you,

jaydons

____________________________________________

LOG REPORT OF ORIGINAL INFECTION:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5537

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/17/2011 6:21:34 AM

mbam-log-2011-01-17 (06-21-34).txt

Scan type: Quick scan

Objects scanned: 218694

Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________________

LOG REPORT for quick re-scan after original infections cleaned by Malwarebytes

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/17/2011 6:53:36 AM

mbam-log-2011-01-17 (06-53-36).txt

Scan type: Quick scan

Objects scanned: 218760

Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

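The two Malwarebytes logs above follow a fixed text layout: a block of summary counts, then one itemised section per category. The following Python script is an added example (it is not part of the thread and not Malwarebytes' own code) that parses that layout, checks that each summary count matches the number of item lines actually listed, tallies detection names, and pulls out the Security Center notification values the log reports as disabled ("Bad: (1)"). The embedded sample is the first log from the post, reproduced as constructed input.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and cross-check its summary against its item lines."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: the first log from the post above, reproduced line for line.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5537

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/17/2011 6:21:34 AM
mbam-log-2011-01-17 (06-21-34).txt

Scan type: Quick scan
Objects scanned: 218694
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 4"  -> summary line carrying a count
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> heading that opens the itemised section of the same name
HEADING_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<target> (<detection name>) -> <action taken>"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Return {'declared': {section: count}, 'found': {section: [item dicts]}}."""
    declared: Dict[str, int] = {}
    found: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = HEADING_RE.match(line)
        if m:
            current = m["section"]
            found.setdefault(current, [])
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            found[current].append({"target": m["target"], "detection": m["detection"], "action": m["action"]})
    return {"declared": declared, "found": found}


def counts_consistent(parsed: Dict[str, object]) -> bool:
    """True when every summary count equals the number of item lines parsed for that section."""
    declared, found = parsed["declared"], parsed["found"]
    return bool(declared) and all(len(found.get(s, [])) == n for s, n in declared.items())


def detection_families(parsed: Dict[str, object]) -> Dict[str, int]:
    """How many items each detection name accounts for, e.g. {'Trojan.Downloader': 3, ...}."""
    return dict(Counter(item["detection"] for items in parsed["found"].values() for item in items))


def security_center_tampering(parsed: Dict[str, object]) -> List[str]:
    """Security Center *DisableNotify values the log reports as set to 1 (warnings suppressed).

    These flags silence the 'antivirus/firewall/updates are off' alerts, so when a log shows
    them flipped it is worth confirming separately that those protections are really running.
    """
    hits = []
    for items in parsed["found"].values():
        for item in items:
            if item["detection"] == "PUM.Disabled.SecurityCenter" and "Bad: (1)" in item["action"]:
                hits.append(item["target"].rsplit("\\", 1)[-1])
    return hits


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("summary matches items:", counts_consistent(parsed))
    print("families:", detection_families(parsed))
    print("Security Center flags disabled:", security_center_tampering(parsed))
```

Pointing the script at a saved `mbam-log-*.txt` instead of the embedded sample is a matter of reading the file into `parse_mbam_log`; the consistency check is the useful part when triaging a log someone else pasted, because a mismatch between the counts and the item lines usually means the paste was truncated.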


Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi, Thank you for taking this one on, much appreciated.

As per instructions, I downloaded ATF to desktop, and under both Main and Firefox, emptied all selected items (all). Downloaded DDS.scr from first link provided to desktop. I read instructions on disabling script blocking protection. I don't have anti-virus software (I was using Norton free on-line scan periodically). I disabled Windows Firewall. I also have SpyBot. Following instructions, made sure Tea Timer was unchecked (in Resident) and it wasn't checked to begin with. Also made sure Tea Timer wasn't in start-up. Closed SpyBot, closed all web-browsers. Ran DDS, it looked like it was running, because the progress line/dashes were appearing. Waited 10 minutes, no reports generated. Tried to close DDS, computer froze, hard boot off, restart, made this reply.

Also note: noticed Outlook no longer works. Says that my .pst file is not a .pst file. When I looked at the .pst file it is now showing 0Kb (whereas yesterday it was in the range of 200,000+ KB).

Will wait further instruction, thanks again.

jaydons


Microsoft Outlook wasn't working prior to running DDS (stopped working sometime after infection) - I just wanted to mention it so that you have information on all symptoms.

Yes, I ran DDS after re-boot. After making my initial post, I re-read the instructions, and noticed I should have run defogger. I ran that before I got your thread, and also ran DDS. Defogger ran fine, but DDS froze just like it did now. (Overall course of events: Microsoft protection scan (infected), malwarebytes quick scan (infections found), malwarebytes quick scan (no infections found), malwarebytes full scan (no infections found), original post, defogger (no problems), DDS (froze), got your reply, ATF cleaner (worked fine), DDS (froze).)

Appreciate your help (and will not do anything other than what's instructed!)

jaydons


http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


I followed the instructions (opened ESET link provided in Internet Explorer, accepted agreement, clicked start, enabled ActiveX, yes to install), and got an Unexpected Error 101 while the program was trying to download the Virus Signature Database. I noticed on the bottom part of the screen that it said I have another antivirus program on my computer: McAfee Security Center - however this is no longer on my computer. It was removed about 5 years ago, but I can't remember if it successfully 100% uninstalled. On Control Panel Add/Remove programs it doesn't show McAfee, and I've used several on-line scanners (Microsoft Protection Scan, Norton on-line free scan) since. Windows Firewall still off.


I'm not sure what you have going on there.

See if this fixes the redirections

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

  • Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    REM Remove any proxy server and proxy bypass list set for the current user's Internet Settings
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    REM Switch proxy use off and clear the "work offline" flag
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    REM Reset the TCP/IP stack (log written to resetlog.txt) and the Winsock catalog
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog


  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes.
  • This will flash a black DOS box very quickly and go away, this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch MBAM and check for Updates


More information on my last reply. Looked at Program Files under C drive, and see a McAfee folder still there, and a virus scan folder below it. Within the folder there is mcodsax.dll, and scriptsn.dll. Should I delete those folders?

Let's see what my last post does.


Hi, tried all of that, rebooted, opened Internet Explorer / Firefox - they open fine, ran Malwarebytes, no infections found. Tried Internet Explorer & Firefox and still get redirect on both. Redirects from links in Google, and even redirects when I type an address into the address bar (same behavior as before, no change).


Hi,

Ok, AppRemover recognized McAfee, but after the uninstall procedure it didn't successfully remove it. I read about and downloaded the McAfee Removal tool, and this removed McAfee remnants (complete removal successful). Tried DDS again, still froze. Tried ESET with only "Remove Found Threats" and "Scan for Potentially unwanted Applications" checked. Still got "Unexpected Error 101".

Tried running ESET again, but this time with "Enable Anti-Stealth Technology" checked. This time it worked. Here is the log report:

_____________________________________________________

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

can not get scanner. e_gle=1001

can not get scanner. e_gle=1001

DLL:pipe not connected. attempts=120

can not get scanner. e_gle=1001

DLL:pipe not connected. attempts=120

can not get scanner. e_gle=1001

DLL:pipe not connected. attempts=120

can not get scanner. e_gle=1001

DLL:pipe not connected. attempts=120

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=97e1ca46dc8b5340add750a660dba99e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-01-18 01:03:28

# local_time=2011-01-17 05:03:28 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=2304 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 0 9 152988704 152988704 0 0

# scanned=92032

# found=3

# cleaned=1

# scan_time=3047

C:\WINDOWS\system32\nt.dll Win32/Bamital.EZ trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\winlogon.exe Win32/Patched.GN trojan (unable to clean) 00000000000000000000000000000000 I

${Memory} Win32/Patched.GN trojan 00000000000000000000000000000000 I


I don't like what that shows.

If the infected winlogon is removed and not replaced with a clean one, you won't be able to login.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 04.09.10 by jpshortstuff

Log created at 17:19 on 17/01/2011 by Family

Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [01:08 04/04/2009] [07:56 04/08/2004] 01C3346C241652F43AED8E2149881BFE

C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe -----c- 516608 bytes [06:14 07/12/2004] [10:41 29/08/2002] 2246D8D8F4714A2CEDB21AB9B1849ABB

C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [07:56 04/08/2004] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [10:41 29/08/2002] [00:12 14/04/2008] D2E35BCDFBAB9D0390F140E6B50DB6C6

-= EOF =-

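The helper's concern in the post before the log is that the live winlogon.exe is patched and cannot simply be deleted, so the SystemLook output matters for what it shows about backup copies: the ServicePackFiles copy has the same size and the same second timestamp as the live file but a different MD5, which is what an in-place modification looks like from the outside. The script below is an added example, written for this page rather than taken from the thread or from SystemLook's author; it parses the filefind section, finds the live copy, and reports whether any backup matches its hash or shares its build but not its hash. It assumes the second bracketed timestamp is the last-modified time and uses the posted log as constructed input.

```python
"""Parse a SystemLook ':filefind' log and compare the live file's MD5 with its shipped backup copies."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the SystemLook log posted above, reproduced line for line.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 17:19 on 17/01/2011 by Family
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [01:08 04/04/2009] [07:56 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe -----c- 516608 bytes [06:14 07/12/2004] [10:41 29/08/2002] 2246D8D8F4714A2CEDB21AB9B1849ABB
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [07:56 04/08/2004] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [10:41 29/08/2002] [00:12 14/04/2008] D2E35BCDFBAB9D0390F140E6B50DB6C6

-= EOF =-
"""

# One result line: <path> <7 attribute flags> <size> bytes [<timestamp>] [<timestamp>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: int
    ts1: str  # first bracketed timestamp, as printed by SystemLook
    ts2: str  # second bracketed timestamp (assumed here to be last-modified)
    md5: str


def parse_filefind(text: str) -> List[FileEntry]:
    """Return every result line of a filefind section as a FileEntry; headers and footers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["ts1"], m["ts2"], m["md5"].upper()))
    return entries


def assess_live_copy(entries: List[FileEntry], live_suffix: str = r"\system32\winlogon.exe") -> Dict[str, object]:
    """Compare the live file with its backup copies.

    A backup whose hash equals the live file's means the live file is unchanged from a shipped copy.
    A backup with the same size and the same ts2 but a different hash is the one to verify as a
    replacement source before anything is swapped, because a bodily replaced winlogon.exe that
    does not match the installed build leaves the machine unable to log in.
    """
    candidates = [e for e in entries if e.path.lower().endswith(live_suffix.lower())]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one live copy ending in {live_suffix!r}, found {len(candidates)}")
    live = candidates[0]
    backups = [e for e in entries if e is not live]
    hash_matches = [e.path for e in backups if e.md5 == live.md5]
    same_build_diff_hash = [e.path for e in backups
                            if e.size == live.size and e.ts2 == live.ts2 and e.md5 != live.md5]
    if hash_matches:
        verdict = "live file matches a shipped copy"
    elif same_build_diff_hash:
        verdict = "live file differs from a same-build backup: consistent with in-place modification"
    else:
        verdict = "no comparable backup copy found"
    return {
        "live_path": live.path,
        "live_md5": live.md5,
        "matches_a_backup": bool(hash_matches),
        "hash_matches": hash_matches,
        "same_build_different_hash": same_build_diff_hash,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess_live_copy(parse_filefind(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the posted log the script reports no hash match and names the ServicePackFiles copy as the same-build backup, which is the reasoning behind the helper's caution: the hash comparison tells you the live file is not what the service pack installed, and the size/timestamp match tells you which copy to check against a known-good hash before it is used as a replacement.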

We're going to try combofix first.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.
