Solved

Malware Hijacking Browser

Posted on 2008-02-05
33
Medium Priority
1,263 Views
Last Modified: 2013-12-06
Recently, my browser is being hijacked by some malware inadvertently placed on my computer. I have tried Ad-Aware, Vundo and ComboFix. Vundo does not find anything, Ad-Aware finds things, but when trying to remove the Tracking Cookies it finds, they reappear in the window and you are then unable to remove them and an error appears. Not sure what ComboFix finds. The following is my Hijack This report. Any help would be deeply appreciated, as this has been going on for 2 weeks and I am unable to fix the problem.


hijackthis.log
0
Comment
Question by:adrake9
33 Comments
 
LVL 29

Expert Comment

by:chilternPC
ID: 20823578
0
 
LVL 5

Expert Comment

by:hlarse
ID: 20823965
Looks like you've got WinLink.  Try this -->

http://www.spywaredb.com/remove-winlink/
or
http://www.2-spyware.com/remove-winlink.html

It looks like SpySweeper may take care of the issue.
0
 
LVL 5

Expert Comment

by:hlarse
ID: 20824042
There's also a suspicious BHO in there - urstu.dll.  Haven't seen that one before, but here's something I found --> http://forums.techguy.org/malware-removal-hijackthis-logs/406297-trojan-vundo-urstu-dll.html
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20824882
It is Vundo Trojan as hlarse alluded to with the link posted. But in my opinion combofix works better with these infections.

Download and Run ComboFix (by sUBs) You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right click on your Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
 
LVL 2

Author Comment

by:adrake9
ID: 20825257
Ran ComboFix as described and have attached the 2 files.
hijackthis.log
log.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20826001
Do you know what this "program" or files are?
O4 - Startup: TCW.lnk = E:\TCW\TCW.EXE
O4 - Startup: WINLINK.lnk = E:\TCW\WINLINK.EXE

And, did you download the ErrorSmart program? Not too sure if I would trust it...

Don't think they are bad but was curious...

For the fix:

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
E:\WINDOWS\system32\EAEBE.exe
E:\WINDOWS\system32\urstu.dll

Folder::
E:\WINDOWS\system32\93949
E:\Program Files\Dot1XCfg
E:\WINDOWS\system32\edcA01
E:\WINDOWS\system32\nGpxx01      

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{985459FB-FBAB-4282-B863-67840486371C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-            
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E3E4E7E"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
 
LVL 2

Author Comment

by:adrake9
ID: 20826617
I tried to place the above referenced file onto Combofix and it did not run. I had the blue window quickly appear and then disappear. I re-ran Combofix normally and attached the updated file along with a fresh Hijack This file.  By the way...the TCW and WINLINK files are associated with the telephone answering software we use installed on the computer.

Thanks.
hijackthis.log
log.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20827849
No it didn't change anything. Did you save the CFScript as a text file.....txt extension?
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20830490
Are you running Spybot, and if so, is "Teatimer" enabled? If it is, please turn it off and re-run IndiGenus's CFScript as above. Teatimer may prevent combofix from running correctly.

IndiGenus asked if you downloaded "errorSmart".

Every time I see this program it is on an infected machine usually with the "Starware" Malware.
I would strongly urge the removal of this program.
Please let us know if Combofix runs after "Teatimer" has been disabled and send fresh logs.
0
 
LVL 2

Author Comment

by:adrake9
ID: 20831470
Not sure how to turn off "Teatimer" on Spybot.  Can you help?

I have removed "Errorsmart".
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20831503
Well it may be disrupting things here but I doubt it. Can't hurt to try with it off though.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Also, you didn't answer me about whether or not you made sure CFScript.txt was saved as a TXT file.
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20831539
How to turn off Spybot Teatimer
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
0
 
LVL 2

Author Comment

by:adrake9
ID: 20831912
CFScript was saved as .TXT file.

Terminated "Teatimer". Dragged to Combofix. Blue window pops up for a second and disappears. Same thing happened. Any other ideas? Appreciate the help.
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20832011
If Combofix is failing to run, it could be that a virus is stopping it.
Try and run an online virus scan such as
http://housecall.trendmicro.com/
Click Scan Now (it's free) and follow the instructions. If you use the Java kernel you may need to update your Java, but the program will tell you if that is so. Or you can use the HouseCall kernel.
Select a full system scan when asked.
Will check back later as I am away from the computer for a couple of hours.
Please let us know if the program runs and what results it finds.
Average scan time 45 mins to 1.5 hrs

0
 
LVL 2

Author Comment

by:adrake9
ID: 20833119
Ran Housecall.trendmicro.com and it found 3 malware. One could not be removed..."Tspy_Banbra.ha". Heard of it?
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20833323
Well, a tool called SDFix will target that bad O4.
O4 - HKCU\..\Run: [Dot1XCfg] E:\Program Files\Dot1XCfg\Dot1XCfg.exe

And possibly some others. Run that and then try combofix again with the given script.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open.
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Please also upload a fresh HijackThis log.
0
 
LVL 2

Author Comment

by:adrake9
ID: 20833631
Did the SDFix. Have attached the files.
hijackthis.log
sdfix.txt
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20833757
It says for the SDfix file that it does not exist or cannot be accessed...
It did get that one entry I can see...let's go for the other 2 manually.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

O2 - BHO: (no name) - {985459FB-FBAB-4282-B863-67840486371C} - E:\WINDOWS\system32\urstu.dll (file missing)
O4 - HKLM\..\Run: [E3E4E7E] EAEBE.exe

---------------------------------

Then close all windows except this one and press Fix checked.

Then find and delete the EAEBE.exe file. It is likely here...
E:\WINDOWS\system32\
If not there then do a search for it. You may need to remove in Safe Mode also.

Reboot, post a new HJT log and let us know how it's running.
0
 
LVL 2

Author Comment

by:adrake9
ID: 20834370
Did the above. File is attached.
hijackthis.log
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20834425
How is it running?
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20834438
Now that some of the problem files are gone, try to run the ComboFix Script again as in IndiGenus ID: 20826001
0
 
LVL 2

Author Comment

by:adrake9
ID: 20834505
I have attempted to run Combofix again and I get the same result...looks like it will start normally and then a quick blue window and it disappears. Now, I hope I am doing this correctly...I am dragging the txt file on top of the Combofix icon. Correct?

Other than that...the computer SEEMS to be running OK. No popups...yet. Only time will tell. Do you see some other problem files from the reports posted?
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20834537
No, the last log looks good, and yes, you are using ComboFix correctly.
If combofix will run on its own  ie without the txt file, then please do a new scan and post it back here.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 1000 total points
ID: 20834565
Can you run combofix without the script? If so go ahead. The only other thing I saw was from the original cf log. This reg entry...

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 E:\WINDOWS\system32\urstu

Should be this...
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0


0
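The `hex(7)` line in the CFScript posted earlier and the REG_MULTI_SZ value quoted in this answer are the same registry data in two notations. As an added example (not from the thread or from ComboFix/HijackThis), this Python decodes one into the other and reports any LSA Authentication Packages entry beyond the default `msv1_0`; the expected set is an assumption taken from the clean value quoted above, and the infected sample is constructed to mirror the `msv1_0 E:\WINDOWS\system32\urstu` value shown.

```python
from typing import List

# Assumption: a clean system lists only msv1_0 (the value quoted in the thread).
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def decode_hex7(value: str) -> List[str]:
    """Turn 'hex(7):6d,73,76,31,5f,30,00,00' into ['msv1_0'].

    REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra NUL.
    Regedit exports encode the text as UTF-16LE (every odd byte is 0 for
    ASCII), while the CFScript on this page writes one byte per character;
    both layouts are handled here.
    """
    body = value[len("hex(7):"):] if value.startswith("hex(7):") else value
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    looks_utf16 = (
        len(raw) % 2 == 0 and raw and all(raw[i] == 0 for i in range(1, len(raw), 2))
    )
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def encode_hex7(entries: List[str], utf16: bool = False) -> str:
    """Inverse of decode_hex7: build the .reg/CFScript hex(7) representation."""
    text = "".join(e + "\0" for e in entries) + "\0"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def unexpected_auth_packages(value: str) -> List[str]:
    """Entries in the Authentication Packages value that are not expected.

    An extra entry such as a DLL path is the persistence mechanism the thread
    is cleaning up: LSA loads every listed package at boot.
    """
    return [e for e in decode_hex7(value) if e.lower() not in EXPECTED_AUTH_PACKAGES]


# The clean value exactly as written in the CFScript on this page.
CLEAN_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"

# Constructed sample mirroring the infected REG_MULTI_SZ quoted in this answer.
INFECTED_VALUE = encode_hex7(["msv1_0", r"E:\WINDOWS\system32\urstu"])

if __name__ == "__main__":
    print("clean   ->", decode_hex7(CLEAN_VALUE), unexpected_auth_packages(CLEAN_VALUE))
    print("infected->", decode_hex7(INFECTED_VALUE), unexpected_auth_packages(INFECTED_VALUE))
```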
 
LVL 2

Author Comment

by:adrake9
ID: 20834805
I am able to run Combofix and ran it as instructed. The report is attached.

I also edited the registry as instructed above.

Again...the computer seems to be fine, but time will tell. Does anyone see anything else in the report?
log.txt
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20834902
Did you run combofix before or after the registry edit as urstu is still showing
0
 
LVL 2

Author Comment

by:adrake9
ID: 20834931
Ya I saw it was there. I did run Combofix BEFORE editing.
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20834960
Could you please run Combofix again and post the results back. Thanks
0
 
LVL 2

Author Comment

by:adrake9
ID: 20835724
Please see the log.

Thanks.
log.txt
0
 
LVL 4

Expert Comment

by:Firstedition0
ID: 20836272
OK, it's still there.
Search your harddrive again for "urstu" and delete all found.
Re edit the registry as IndiGenus described ID: 20834565
Also delete from registry this
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\WINDOWS\system32\urstu.exe
Then reboot
run Combofix again to see if it has gone and post log back here

0
 
LVL 2

Author Comment

by:adrake9
ID: 20840273
The computer seems to be running fine. I did not get any popups overnight, whereas I was getting about 7 before and up to 40 over the weekend. I have attached the log from Combofix that was run this morning after completing what was requested by Firstedition0. Hopefully this is the last time. Let me know if you see anything; if not, I will assign points. Your help is very much appreciated.

Thank you!
log.txt
0
 
LVL 4

Assisted Solution

by:Firstedition0
Firstedition0 earned 1000 total points
ID: 20842116
Your new log looks clean. No sign of urstu.
Looks like you are virus free.
0
 
LVL 2

Author Closing Comment

by:adrake9
ID: 31428125
Thank you for your help. I feel I must divide the points equally.
0
