
Solved Spyware (HJT log included) Re-directing to spam sites

Discussion in 'Malware and Virus Removal Archive' started by steelydan99, 2008/09/11.

  1. 2008/09/11
    steelydan99 (Thread Starter, joined 2008/09/11)
    [Resolved] Spyware (HJT log included) Re-directing to spam sites

    Well, as I have read, I see that some of you have come across people with this problem and assisted them; so I hope that I am another case of that. The problem is that when trying to access websites, I am met with 3 possible outcomes (using Firefox 3):

    First and rarely, I will access the site without any problems and go about my merry way.
    Secondly and a bit more apparent, I receive this error "The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression. "
    The third and most received outcome when accessing websites is the fact that I am re-directed to a spam site, such as monstercareers.com, primosearch.com, etc. I know that this is due to spyware because it opens the links in a new tab, which is not a setting I am using.

    I hope you are able to help me fix my problem, as I am a learning computer science student and have much interest in computers and security. Again, thank you in advance.
    That being said, here is my HJT Thread.

    Much Thanks,
    SteelyDan99
     
  2. 2008/09/13
    noahdfear (joined 2003/04/06)
    Welcome to WindowsBBS steelydan99 :)

    We're going to need to get a better look at your system using another tool.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.
     

  4. 2008/09/13
    steelydan99 (Thread Starter)
    Thank you for the response, noahdfear. I've been eagerly awaiting a response. Here are the results from the rsit log.txt:

    Thank you again,
    Steelydan99
     
  5. 2008/09/13
    noahdfear
    Not much showing up there, other than a registry entry showing that a rogue file was given access through the firewall. Let's fix that. Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    ; "=-" deletes the value; the value name is the full path exactly as logged, trailing space included
    "C:\WINDOWS\system32\a.exe "=-

    Double click fix.reg and allow it to merge with the registry, then delete fix.reg.


    Now, see if the file C:\WINDOWS\system32\a.exe exists and delete it if present.

    Let's see if an online scan shows anything else. Please do an online scan with Kaspersky Online Scanner.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
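    The fix above deletes one firewall exception by hand. As an added example (not the forum's or noahdfear's code), the script below parses an exported .reg of the same AuthorizedApplications\List key, flags entries a reviewer should question (whitespace-padded path, one-letter executable name, data path not matching the value name, file missing on disk), and writes a REGEDIT4 deletion fix like fix.reg for them. The export, the file list and the rogue "a.exe " value are constructed; regedit's own exports double the backslashes, which the generated fix also does.

```python
import ntpath
import re

# Constructed sample export of the XP firewall AuthorizedApplications\List key,
# in the REGEDIT4 style of fix.reg above (not a real log). Backslashes are
# doubled as regedit writes them; the second value mirrors the rogue "a.exe " one.
FIREWALL_LIST_KEY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
                     r'\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List')
SAMPLE_REG = 'REGEDIT4\n\n[%s]\n' % FIREWALL_LIST_KEY + r'''"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\a.exe "="C:\\WINDOWS\\system32\\a.exe :*:Enabled:a"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_authorized_apps(text):
    """Map value name (the exe path) -> data string, or None for a "=-" deletion,
    for every value under an AuthorizedApplications\\List key in .reg text."""
    entries, in_list = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith(('REGEDIT', 'Windows Registry')):
            continue
        m = KEY_RE.match(line)
        if m:
            in_list = m.group(1).lower().endswith('\\authorizedapplications\\list')
            continue
        m = VALUE_RE.match(line)
        if m and in_list:
            name, data = _unescape(m.group(1)), m.group(2)
            entries[name] = None if data == '-' else _unescape(data.strip('"'))
    return entries


def audit(entries, files_on_disk):
    """Return {value name: [reasons]} for entries worth a second look. files_on_disk
    is a set of lower-cased paths that exist; constructed here so the check runs
    offline, on a live box it would come from os.path.exists()."""
    findings = {}
    for name, data in entries.items():
        clean, reasons = name.strip(), []
        if clean != name:
            reasons.append('path padded with whitespace')
        if len(ntpath.splitext(ntpath.basename(clean))[0]) <= 1:
            reasons.append('single-character executable name')
        # data is "path:*:Enabled:display name" and the path itself holds "C:"
        if data is not None and data.rsplit(':', 3)[0].strip().lower() != clean.lower():
            reasons.append('data path does not match value name')
        if clean.lower() not in files_on_disk:
            reasons.append('file not present on disk')
        if reasons:
            findings[name] = reasons
    return findings


def removal_reg(key, names):
    """Build a REGEDIT4 fix that deletes the given values, as fix.reg above does."""
    lines = ['REGEDIT4', '', '[%s]' % key]
    lines += ['"%s"=-' % n.replace('\\', '\\\\').replace('"', '\\"') for n in names]
    return '\n'.join(lines) + '\n'
```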
     
  6. 2008/09/14
    steelydan99 (Thread Starter)
    Thanks again for responding, Noah.

    Before mentioning the results, I feel the need to also mention that whenever I restart the computer, my windows security alerts me that my norton anti-virus has been shut off. I believe that this is a result of the spyware/virus. I just wanted to make sure I mention this before I forget. I am not sure if it is helpful in determining the problem within my computer.

    OK, well first things first. I had typed in the registry code and everything had gone successfully. Looking for a.exe in the system32 folder and it did not exist. Afterwards, I had restarted my computer and the problem still existed.

    At this point I attempted to use the online scan. I was pulling my hair out as Firefox 3 and IE 7 would not let me go to the site, due to the spyware. My crafty thinking led me to Outlook Express and sure enough, I was able to access the site there without any issues. I had run the online scan and found 1 infected file. I do not believe it is a virus, as it is a file that I tried using to help neutralize this issue a day or 2 before I posted. It had helped a bit, but not fully. Needless to say, here is the log.

    I hope this does not lead us in a dead end. It appears that Kaspersky is not picking up any true threats, which worries me a bit. Thank you again for taking my call, so to speak.

    Sincerely,
    SteelyDan99
     
  7. 2008/09/14
    noahdfear
    Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  8. 2008/09/15
    steelydan99 (Thread Starter)
    Well unfortunately, I can't get the darn thing to run. When starting the program, I receive the following prompt:

    I've done both of these and they don't make a difference. When starting hitting ok after the warning prompt, I receive the following GMER error:

    I hit OK, and attempt to continue on. When reaching the Rootkit tab, the only 4 things able to be checked are Services, Registry, Files and ADS. Nothing else is available. I hit scan, to see what happens, and I am met with the following prompt:

    Then:
    Followed by:
    And finally:
    And then it tells me GMER hasn't found any system modifications.



    Long story short, I think there is something wrong with the program, as it is loading old drivers or whatnot. I cannot find any updated drivers, so I'm lost on that front.

    Also, it appears I can't do any scans because a program (don't know which one) is using the processes that I need to use. So I don't think I will be able to use this program, or perhaps I need to download drivers or block certain programs from using the necessary processes. I'm not entirely sure and a bit upset I wasn't able to make progress between our correspondences. I hope we are able to get over this hurdle.

    Sincerely,
    SteelyDan99
     
  9. 2008/09/15
    noahdfear
    Hmmmm ..... let's see what happens with another tool. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  10. 2008/09/15
    steelydan99 (Thread Starter)
    Noahdfear,

    :) I am happy to say that google is no longer re-directing my links and my internet is most definitely moving quicker. This is, indeed, a great sign.

    I must admit that the only noticeable issue is that my clock is still in military time (reading 23:01 at the moment). Also, when attempting to run Symantec Antivirus Corporate Edition (packaged with my university, as an anti-virus program is needed to connect to the network), I receive the following error:

    and the program closes after I click OK.

    Oh well, first things first. I'll post the log for Combofix, followed by the hijackthis log.

    ComboFix:

    HiJackThis:

    Again Noah, thanks for everything. Sincerely,
    SteelyDan99
     
  11. 2008/09/15
    noahdfear
    Click here for clock_fix.exe
    When a file download dialog box opens, you can select Save or Run, doesn't matter.
    If you save it, just run it when the download is complete.
    If the default format shown by the tool is not what you want, press R and hit Enter to set it from the International Settings control panel.
    Reboot when done and let me know if your clock is correct.

    Before going any further, I'd like to get an online scan done. I suspect some remaining infections. Please scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under Select a target to scan, select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log here.


    You may need to do a repair of Symantec. You may be offered a repair option if you open Add/Remove programs, select your Antivirus application and click Remove. If not given the option to modify or repair, cancel that and just run the setup again.
     
  12. 2008/09/15
    steelydan99 (Thread Starter)
    Noah,

    Oddly enough, I'm receiving the following error after updating the definitions:
    I've tried rebooting and also add/removing the webscanner from the add/remove programs function in the control panel. No luck. Any ideas?

    Sincerely,
    SteelyDan99
     
  13. 2008/09/15
    noahdfear
    My apologies. I gave you an outdated set of instructions. :eek:

    This is a different link.

    Please do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
     
  14. 2008/09/15
    steelydan99 (Thread Starter)
    Noah,

    LOL, that is no problem. With the help you are providing, I wouldn't hold you at fault regardless. I picked up on that and am already in progress of running the virus scan from the provided link. Hope to have the results to you soon.

    On a side note: I tried repairing my Symantec through add/remove and I am still receiving that error. I believe it may be due to the previous spyware/virus because whenever I rebooted, the red shield in my notification area always alerted me that my anti-virus has been turned off. Even after we have applied the fixes you have provided me, I still receive that error. I hope that this scan will show us more information.

    Sincerely,
    SteelyDan99
     
  15. 2008/09/15
    noahdfear
    After the scan has finished and you've posted the report, try running a manual Live Update, then reboot.
     
  16. 2008/09/16
    steelydan99 (Thread Starter)
    Kaspersky log:
     
  17. 2008/09/16
    steelydan99 (Thread Starter)
    Noah,

    I hope the log has shown some insightful stuff. Appears that everything malicious is in a quarantine folder, but not entirely sure.

    The clock fix has worked, so I thank you for that.

    Unfortunately, I still cannot get Symantec to run. I tried modifying it in the add/remove, and the problem still persists. I've tried LiveUpdate, and it is unable to find any updates. I've rebooted anyways, and the problems still persist. This gives me an uneasy feeling that my computer is still infected. Look forward to your upcoming response.

    Sincerely,
    SteelyDan99
     
  18. 2008/09/16
    noahdfear
    I'm perplexed that the driver associated with that rootkit infection isn't showing up anywhere, so let's make sure it's been rooted out. ;)

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Rootkit::
    C:\WINDOWS\system32\drivers\tdssserv.sys
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.


    I would guess that the Symantec file is damaged, and it will likely require complete removal and then re-installation of Symantec to repair it.
     
  19. 2008/09/16
    steelydan99 (Thread Starter)
    Noah,

    Well thank you for the continued help. Now to the juicy stuff.

    I dropped the file onto Combofix and it ran flawlessly, to a point. It went through most of the steps, and restarted the computer. However, after restarting and trying to create the log, I get these commands.

    http://img517.imageshack.us/my.php?image=find3mpg8.png

    After this, it runs through the rest of the process and is still able to create a log. However, it feels like some sort of infection is not allowing the program to use the necessary processes. Here is the ComboFix log:

    Also, two side notes. After restarting the computer, my clock has resorted back to the military format. However, after the log was brought up, the time went back to standard time. I do not know if this is an issue or perhaps just some sort of rollback settings with ComboFix.

    Also, I believe that I am just going to completely uninstall Symantec and invest in some better AV software. Any suggestions, free or commercial?

    Again Noah, your help is a blessing. Sincerely,
    SteelyDan99
     
  20. 2008/09/17
    noahdfear
    Do you know what this file is, or where it came from?

    C:\Documents and Settings\Chris\xrt_itcq.exe

    If not, please submit it to my submission channel for analysis. Leave a link back to this topic.

    Something has modified winlogon.exe on the 10th of this month too. When did you install SP3? Please upload a copy of C:\WINDOWS\system32\winlogon.exe as well. Then let's see if there are any more copies on the system, in case we need one. Please highlight and copy the contents of the code box below.

    Code:
    @echo off
    rem Write a header, then list every copy of winlogon.exe on the system drive
    rem (all attributes, hidden included, searched recursively) into check.txt
    echo ~~winlogon backups~~>check.txt
    echo.>>check.txt
    dir %Systemdrive%\winlogon.exe /a /s >>check.txt
    start notepad check.txt
    exit
    Click Start>Run and type cmd then hit Enter to open a command window.
    Right click in the command window and paste the copied text.
    When the search is complete, the command window will close and a log will open.
    Please post the contents of that log here.
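    The batch above only lists the copies; what a reviewer then wants to know is whether the live winlogon.exe still matches the cache copies. As an added example (not the forum's or noahdfear's code), the script below walks a tree the same way, hashes every copy, and reports the ones whose digest disagrees with the majority. The tree it scans is a constructed temp directory with two intact cache copies and one modified live copy, so it runs offline.

```python
import hashlib
import os
import tempfile
from collections import Counter


def find_copies(root, filename='winlogon.exe'):
    """Walk root, as the batch's recursive dir does, and return a sorted list of
    (path, sha256, mtime) for every file with that name, hidden or not."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == filename.lower():
                path = os.path.join(dirpath, f)
                with open(path, 'rb') as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found.append((path, digest, os.path.getmtime(path)))
    return sorted(found)


def odd_ones_out(copies):
    """Paths whose digest differs from the most common one. With the dllcache and
    ServicePackFiles copies intact, a lone divergent live binary is the one to
    submit for analysis; a two-way tie flags both, so compare them by hand."""
    if len(copies) < 2:
        return []
    common = Counter(d for _, d, _ in copies).most_common(1)[0][0]
    return [p for p, d, _ in copies if d != common]


def build_demo_tree():
    """Constructed stand-in for a system drive (temp dir): two intact cache copies
    and a live system32 copy with extra bytes appended. Not real binaries."""
    root = tempfile.mkdtemp()
    good = b'MZ constructed stand-in for the winlogon image'
    cache = [('WINDOWS', 'system32', 'dllcache', 'winlogon.exe'),
             ('WINDOWS', 'ServicePackFiles', 'i386', 'winlogon.exe')]
    for parts in cache:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(good)
    live = os.path.join(root, 'WINDOWS', 'system32', 'winlogon.exe')
    with open(live, 'wb') as fh:
        fh.write(good + b' plus patched bytes')
    return root


if __name__ == '__main__':
    tree = build_demo_tree()
    copies = find_copies(tree)
    for path, digest, _ in copies:
        print(digest[:16], path)
    print('divergent:', odd_ones_out(copies))
```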
     
  21. 2008/09/17
    steelydan99 (Thread Starter)
    Noah,

    Thanks for the response. I can honestly say that I have no idea what the "xrt_itcq" file is. In addition, I have a "xrt_log.DAT" file located under the "xrt_itcq" file, created a day after the "xrt_itcq" file.

    Also, I cannot recall when I had installed SP3, but it certainly wasn't in the month of September or August, or even July for that matter.

    I have submitted both the "xrt_itcq" and "winlogon.exe" file. Though I'm not sure if it's important, I also have a "winlogon.old" file located under the exe. I'm not sure if it's relevant; just playing it safe and mentioning it to you. This is the report of the log received after typing in your code in the CMD prompt:

    Thanks for everything, Noah.

    Sincerely,
    SteelyDan99
     
    Last edited: 2008/09/17
