Malware Hijacking Browser

Recently, my browser has been hijacked by some malware inadvertently placed on my computer. I have tried Ad-Aware, Vundo and ComboFix. Vundo does not find anything; Ad-Aware finds things, but when trying to remove the Tracking Cookies it finds, they reappear in the window and you are then unable to remove them and an error appears. Not sure what ComboFix finds. The following is my HijackThis report. Any help would be deeply appreciated, as this has been going on for 2 weeks and I am unable to fix the problem.


hijackthis.log
adrake9Asked:

hlarseCommented:
Looks like you've got WinLink.  Try this -->

http://www.spywaredb.com/remove-winlink/
or
http://www.2-spyware.com/remove-winlink.html

It looks like SpySweeper may take care of the issue.
0
hlarseCommented:
There's also a suspicious BHO in there - urstu.dll.  Haven't seen that one before, but here's something I found --> http://forums.techguy.org/malware-removal-hijackthis-logs/406297-trojan-vundo-urstu-dll.html
0
IndiGenusCommented:
It is the Vundo Trojan, as hlarse alluded to with the link posted. But in my opinion ComboFix works better with these infections.

Download and Run ComboFix (by sUBs). You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right click on your Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
adrake9Author Commented:
Ran ComboFix as described and have attached the 2 files.
hijackthis.log
log.txt
0
IndiGenusCommented:
Do you know what this "program" or files are?
O4 - Startup: TCW.lnk = E:\TCW\TCW.EXE
O4 - Startup: WINLINK.lnk = E:\TCW\WINLINK.EXE

And did you download the ErrorSmart program? Not too sure if I would trust it...

Don't think they are bad but was curious...

For the fix:

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
E:\WINDOWS\system32\EAEBE.exe
E:\WINDOWS\system32\urstu.dll

Folder::
E:\WINDOWS\system32\93949
E:\Program Files\Dot1XCfg
E:\WINDOWS\system32\edcA01
E:\WINDOWS\system32\nGpxx01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{985459FB-FBAB-4282-B863-67840486371C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E3E4E7E"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
adrake9Author Commented:
I tried to place the above referenced file onto ComboFix and it did not run. I had the blue window quickly appear and then disappear. I re-ran ComboFix normally and attached the updated file along with a fresh HijackThis file. By the way...the TCW and WINLINK files are associated with the telephone answering software we use installed on the computer.

Thanks.
hijackthis.log
log.txt
0
IndiGenusCommented:
No it didn't change anything. Did you save the CFScript as a text file.....txt extension?
0
Firstedition0Commented:
Are you running Spybot, and if so, is "Teatimer" enabled? If it is, please turn it off and re-run IndiGenus's CFScript as above. Teatimer may prevent ComboFix from running correctly.

IndiGenus asked if you downloaded "errorSmart".

Every time I see this program it is on an infected machine usually with the "Starware" Malware.
I would strongly urge the removal of this program.
Please let us know if ComboFix runs after "Teatimer" has been disabled and send fresh logs.
0
adrake9Author Commented:
Not sure how to turn off "Teatimer" on Spybot.  Can you help?

I have removed "Errorsmart".
0
IndiGenusCommented:
Well it may be disrupting things here but I doubt it. Can't hurt to try with it off though.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Also, you didn't answer me about whether or not you made sure CFScript.txt was saved as a TXT file.
0
Firstedition0Commented:
How to turn off Spybot Teatimer
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
(When we are done, you can re-enable Teatimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
0
adrake9Author Commented:
CFScript was saved as .TXT file.

Terminated "Teatimer". Dragged to ComboFix. Blue window pops up for a second and disappears. Same thing happened. Any other ideas? Appreciate the help.
0
Firstedition0Commented:
If ComboFix is failing to run, it could be that a virus is stopping it.
Try and run an online virus scan such as
http://housecall.trendmicro.com/
Click Scan Now (it's free) and follow the instructions. If you use the Java kernel you may need to update your Java, but the program will tell you if that is so. Or you can use the HouseCall kernel.
Select a full system scan when asked.
Will check back later as I am away from the computer for a couple of hours.
Please let us know if the program runs and what results it finds.
Average scan time: 45 mins to 1.5 hrs.

0
adrake9Author Commented:
Ran housecall.trendmicro.com and it found 3 pieces of malware. One could not be removed..."Tspy_Banbra.ha". Heard of it?
0
IndiGenusCommented:
Well, a tool called SDFix will target that bad O4.
O4 - HKCU\..\Run: [Dot1XCfg] E:\Program Files\Dot1XCfg\Dot1XCfg.exe

And possibly some others. Run that and then try ComboFix again with the given script.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open,
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Please also upload a fresh HijackThis log.
0
adrake9Author Commented:
Did the SDFix. Have attached the files.
hijackthis.log
sdfix.txt
0
IndiGenusCommented:
It says for the SDFix file that it does not exist or cannot be accessed...
It did get that one entry, I can see...let's go for the other 2 manually.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

O2 - BHO: (no name) - {985459FB-FBAB-4282-B863-67840486371C} - E:\WINDOWS\system32\urstu.dll (file missing)
O4 - HKLM\..\Run: [E3E4E7E] EAEBE.exe

---------------------------------

Then close all windows except this one and press Fix checked.

Then find and delete the EAEBE.exe file. It is likely here...
E:\WINDOWS\system32\
If not there then do a search for it. You may need to remove in Safe Mode also.

Reboot, post a new HJT log and let us know how it's running.
0
adrake9Author Commented:
Did the above. File is attached.
hijackthis.log
0
IndiGenusCommented:
How is it running?
0
Firstedition0Commented:
Now that some of the problem files are gone, try to run the ComboFix Script again as in IndiGenus ID: 20826001
0
adrake9Author Commented:
I have attempted to run ComboFix again and I get the same result...looks like it will start normally and then a quick blue window appears and it disappears. Now, I hope I am doing this correctly...I am dragging the txt file on top of the ComboFix icon. Correct?

Other than that...the computer SEEMS to be running OK. No popups...yet. Only time will tell. Do you see some other problem files from the reports posted?
0
Firstedition0Commented:
No, last log looks good, and yes, you are using ComboFix correctly.
If ComboFix will run on its own, i.e. without the txt file, then please do a new scan and post it back here.
0
IndiGenusCommented:
Can you run ComboFix without the script? If so, go ahead. The only other thing I saw was from the original CF log. This reg entry...

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 E:\WINDOWS\system32\urstu

Should be this...
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0


0
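As an added example (not code from this thread or from ComboFix), a small Python check that decodes the hex(7) REG_MULTI_SZ form used in the CFScript above and in .reg exports, and flags any Authentication Packages entry other than msv1_0, which is the baseline IndiGenus describes. The infected sample value is constructed here to match the entry quoted from the ComboFix log; nothing in this block touches a live registry.

```python
import re

# Baseline from the thread: a default LSA "Authentication Packages" value
# holds only msv1_0. Any extra entry is a DLL that LSASS will load at boot.
EXPECTED_LSA_AUTH_PACKAGES = {"msv1_0"}

_HEX7 = re.compile(r"\s*hex\(7\):\s*([0-9a-fA-F]{2}(?:\s*,\s*[0-9a-fA-F]{2})*)\s*")


def decode_reg_multi_sz(value: str) -> list:
    """Decode 'hex(7):6d,73,76,31,5f,30,00,00' into ['msv1_0'].

    ComboFix scripts (as in the thread) write single-byte ANSI characters;
    regedit's .reg export writes UTF-16LE. Both end with an extra NUL.
    """
    m = _HEX7.fullmatch(value)
    if not m:
        raise ValueError("not a hex(7) REG_MULTI_SZ literal: %r" % value)
    raw = bytes(int(b, 16) for b in re.split(r"\s*,\s*", m.group(1)))
    # Heuristic: every second byte NUL means UTF-16LE text of ASCII characters.
    wide = len(raw) >= 2 and len(raw) % 2 == 0 and all(
        raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le" if wide else "latin-1")
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(entries) -> str:
    """Inverse of decode_reg_multi_sz, in the single-byte form ComboFix uses."""
    raw = b"".join(e.encode("latin-1") + b"\x00" for e in entries) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def unexpected_auth_packages(value: str) -> list:
    """Return the entries that are not in the expected baseline (case-insensitive)."""
    return [e for e in decode_reg_multi_sz(value)
            if e.lower() not in EXPECTED_LSA_AUTH_PACKAGES]


# Constructed sample values: the clean value exactly as in the CFScript above,
# and the infected value IndiGenus quoted from the ComboFix log, re-encoded.
CLEAN_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"
INFECTED_VALUE = encode_reg_multi_sz(["msv1_0", r"E:\WINDOWS\system32\urstu"])

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        extra = unexpected_auth_packages(value)
        print(label, "->", "OK" if not extra else "unexpected package(s): %s" % extra)
```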

adrake9Author Commented:
I am able to run ComboFix and ran it as instructed. The report is attached.

I also edited the registry as instructed above.

Again...the computer seems to be fine, but time will tell. Does anyone see anything else in the report?
log.txt
0
Firstedition0Commented:
Did you run ComboFix before or after the registry edit? urstu is still showing.
0
adrake9Author Commented:
Yeah, I saw it was there. I did run ComboFix BEFORE editing.
0
Firstedition0Commented:
Could you please run ComboFix again and post results back? Thanks.
0
adrake9Author Commented:
Please see the log.

Thanks.
log.txt
0
Firstedition0Commented:
OK, it's still there.
Search your hard drive again for "urstu" and delete all found.
Re-edit the registry as IndiGenus described in ID: 20834565.
Also delete this from the registry:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\WINDOWS\system32\urstu.exe
Then reboot.
Run ComboFix again to see if it has gone and post the log back here.

0
adrake9Author Commented:
The computer seems to be running fine. I did not get any popups overnight, whereas I was getting about 7 before and up to 40 over the weekend. I have attached the log from ComboFix that was run this morning after completing what was requested by Firstedition0. Hopefully this is the last time. Let me know if you see anything; if not, I will assign points. Your help is very much appreciated.

Thank you!
log.txt
0
Firstedition0Commented:
Your new log looks clean. No sign of urstu.
Looks like you are virus free.
0
adrake9Author Commented:
Thank you for your help. I feel I must divide the points equally.
0