Asked by msibley:
Combofix log

Trying to rid myself of the search engine redirect virus. I've run malwarebytes, eset, superantispyware, avg, spybot s&d to no avail. I ran combo fix as per the instructions in articleID=3299. Here is my log. I'd appreciate any help I can get. Thanks! Mark

 ComboFixMSJ.txt
younghv:
If one of our Experts who is a ComboFix "Trusted Helper" checks in, they can give you a script to run - based on the log you posted.

Until then, you might want to start with TDSSKILLER - very good for 're-direct' malware,  found here:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Let us know the results and we can take the next steps.
msibley (asker):
Forgot to mention that I ran TDSSKiller beforehand and it didn't find anything. Thanks. Mark
Thanks Mark.
Sounds as though you know what you're doing.

The only "Trusted Helper" I know of posting here is rpggamergirl, so watch for her to post a script for you.

Out of curiosity, do you have the MBAM log that you could attach as a file here - and did you use the "Save As" function to rename your anti-malware apps before downloading?
msibley (asker):
Oops, didn't save the mbam log. It found some stuff, mostly tracking cookies and the like. All that superantispyware found was tracking cookies. I uninstalled the various anti-mw apps before running combofix. I reinstalled avg and am now running a full system scan. Didn't know to save those apps to a different filename when downloading... so much for the theory that I know what I'm doing. ;-) Mark
<laughing>
Understood. On a good day I figure I'm about a 7 on a scale of 1-100.

The need to rename both MBAM and CF (before) downloading is because they are so darn good. The malware writers actually include code to watch for either of those names being copied to the computer, and then prevent them from being loaded/run.

Your CF log (I think) shows a couple of apps running out of the profile (temp) files, which I don't like to see.

Have you run any of the various "Temp/Junk" file removers?
My personal preference is for www.ccleaner.com

I've personally used it for several years and it has been rock solid.
It also has a "Registry" function that will clean up/verify accurate registry entries. If you use THAT, make sure you also accept the 'save' function of the old registry.
msibley (asker):
Just now getting home from the office. AVG ran a full scan and basically didn't find anything. I'll run ccleaner to see if it finds anything and post the results. The redirection of links in Google has stopped, which is a good sign. Mark
<<I'll run ccleaner to see if it finds anything and post the results.>>

Minor correction -
CCleaner doesn't really look for anything specific during the cleaning function (no report to review) - it just throws out everything it finds.
I'm not a trusted helper in regard to Combofix, but I've used it many times with excellent results.

When all else has failed, I have run it in Safe Mode, even though this is not recommended, and it has killed the threat without killing the OS, though on one occasion the networking broke and had to be fixed afterwards.
A particularly useful feature I've found in Combofix is the comprehensive log that it generates when it's finished, because it shows the attributes of the files it lists; looking at anything with system and hidden attributes set has revealed, on occasion, randomly named files that were implicated in the threat even if they weren't specifically identified as such, so allowing them to be dealt with accordingly.

Another tool to try is HijackThis - it doesn't fix anything but it is particularly good at detecting browser hijacks and reporting on them. This Wikipedia article tells you about it in more detail, and links to the official site.

Hope this helps.
<<A particularly useful feature I've found in Combofix is the comprehensive log that it generates when it's finished,>>

You mean just like the one attached to the original post up at the start of this question?
Ahem, *blush* - you're right, Younghv! The quickness of the eye deceives the brain cell...
Heh - have another cup of coffee (my treat).
msibley (asker):
Thanks for the additional input. The more eyes we have on the problem, the better--even if some of the eyes are too fast for their respective occipital grid ;-)

Any recommendations on options for finding a "trusted helper" to look over the log? Another site, perhaps?

Mark
SOLUTION by Perarduaadastra (content available to members only)
SOLUTION (content available to members only)
msibley (asker):
I followed the advice in the article by rpggamergirl mentioned in my original post and downloaded ComboFix from the site recommended (bleepingcomputer.com) and followed the instructions there in running it. CF updated itself to the most recent version when I ran the script. Mark
@msibley,
I have no idea what occasioned that last "Expert" comment, but as the EE Page Editor who actually published the Article you used, I can say that without question you followed her advice to the letter (to include posting this question WITH your CF log).

I think it is fair to conclude that since I was designated as a Page Editor by TPTB at EE to approve the content, accuracy, and efficacy of all Articles in the Virus & Spyware Zones that I am also qualified to offer technical advice to our Members.

Just in case anyone else wants to challenge my technical expertise, I encourage them to review the Article used for this question:

https://www.experts-exchange.com/A_3299.html

as well as the two Articles I have published of a similar nature:

https://www.experts-exchange.com/A_1940.html
https://www.experts-exchange.com/A_1958.html

I also find it helpful to review the EE Profile of other Experts (just click on their name in the header of a comment) to get some indication of their actual performance here on EE:

https://www.experts-exchange.com/M_3628488.html
msibley (asker):
I deleted the 2 files mentioned by Perarduaadastra without any apparent ill effects.

Mark
Has anything worked yet?
msibley (asker):
After running ComboFix, the search engine redirection quit affecting my browsers, which is a good thing. I'm wanting to follow up with the advice of having the log read so that I can clean up any residual threats.

Mark
SOLUTION (content available to members only)
Jonvee:
As a somewhat late arrival, and with reference to your original ComboFix log file entry, I suspect your browser re-direction was due to the BHO and registry entries, shown here>>

<quote>
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
<unquote>

Haven't yet confirmed that all of these are nasty ...but still working on it  :)
If you have a more recent log file, it could make interesting reading!

I agree with younghv's comments, & it would be great to see the re-appearance of rpggamergirl ...among other things, a great script writer!
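A small triage helper, added here and not part of the thread or of ComboFix itself, that parses registry lines in the format quoted above (CLSID, DLL path, date and size under a key header) and flags any BHO or toolbar DLL loaded from a user profile or temp directory, the kind of entry younghv said he dislikes seeing in a CF log. The Ask toolbar line is taken from the excerpt above; the second entry, its all-zero CLSID and file name, is constructed to exercise the check.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the ComboFix log lines quoted in the thread.
# The Ask toolbar entry is copied from the page; the second entry is invented
# (placeholder CLSID, made-up DLL name) to exercise the profile/temp-path check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects]
"{00000000-0000-0000-0000-000000000000}"= "c:\documents and settings\mark\local settings\temp\xqzv.dll" [2010-10-01 24576]
"""

KEY_RE = re.compile(r"^\[(?:- )?(.+)\]$")          # "[- KEY]" marks a removal in CF scripts
VALUE_RE = re.compile(
    r'^"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"\s*=\s*'
    r'"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$'
)
# Locations a legitimately installed BHO or toolbar DLL should not be loaded from.
PROFILE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


@dataclass
class BhoEntry:
    key: str
    clsid: str
    path: str
    date: str
    size: int


def parse_entries(text: str) -> list[BhoEntry]:
    """Collect CLSID -> DLL lines, remembering the registry key they sit under."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := VALUE_RE.match(line):
            clsid, path, date, size = m.groups()
            entries.append(BhoEntry(key, clsid.upper(), path, date, int(size)))
    return entries


def suspicious(entries: list[BhoEntry]) -> list[BhoEntry]:
    """Return entries whose DLL lives in a user profile or temp directory."""
    return [e for e in entries if any(m in e.path.lower() for m in PROFILE_MARKERS)]


if __name__ == "__main__":
    for e in suspicious(parse_entries(SAMPLE_LOG)):
        print(f"review: {e.clsid} -> {e.path} ({e.size} bytes, {e.date})")
```

A hit from this check is a prompt to look the file up, not proof of malware; the Ask toolbar line is not flagged because its path alone is unremarkable, which is exactly why the thread needed a human to judge it.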
msibley (asker):
So, should I run ComboFix again to produce another log?

BTW, what is BHO?

Mark
A BHO is a Browser Helper Object:
http://en.wikipedia.org/wiki/Browser_Helper_Object

A ComboFix log would certainly be useful, and could show us if the above nasties have been removed (I'm now pretty certain that all those listed earlier are nasty).

On the other hand, if your computer is now running well, naturally I'm hesitant about re-running Combo ...but this would leave us all in some doubt about how well your machine has been disinfected!

Hmm ..on balance I would go for another Combo scan.
If you do, please download from here, and save to your Desktop, not a temporary folder>
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

A refresher ;)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
msibley,
Have to log off for the night shortly, but earlier this script was put together.
However i must emphasise that it is based on the entries in your first ComboFix log file.   Since you now report that the browser problem seems resolved, some (or hopefully all) of these entries should have been deleted.
Please do not use this script until we have reviewed any new Combo log file that you may generate; it's simply offered as a guide, and would probably need some modification on a second ComboFix run.


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\program files\Ask.com\GenericAskToolbar.dll

Folder::
c:\windows\Rmequ.bin

Registry::
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[- HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]


==================================================

3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, to remove the problem.
5. Finally, please attach the new ComboFix log file.

Will drop by in the morning ...
msibley (asker):
Out of town ... Be back in 24hrs.

Mark
No problem ...we'll be here.
msibley (asker):
Ran a second ComboFix. The log is attached.

Mark
ComboFixMSJ.txt
Thanks. Including interruptions it'll take maybe an hour or two. Will post asap.
Okay thanks ....well, the new log file appears to be the same as your first scan, except the c:\windows\Rmequ.bin folder appears to be missing, presumably deleted by ComboFix on the last run ...but let's include that entry as before.

Therefore, please run this script (which I've repeated below).
If you'd like a reminder of how you can drag the CFScript.txt just created into ComboFix.exe, just open & scroll down on the "bleepingcomputer" link above.


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\program files\Ask.com\GenericAskToolbar.dll

Folder::
c:\windows\Rmequ.bin

Registry::
[- HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[- HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[- HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -

[- HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]


==================================================

3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, to remove the problem.
5. Finally, please attach the new ComboFix log file.
@Jonvee,
What is the concern with the "Ask.com" toolbar?
The site has been around forever and I hadn't heard it associated with malware before.
@ younghv
Yesterday I was convinced that malware had camouflaged itself as the GenericAskToolbar.dll file, especially as it was located in the C:\windows\system32 folder. The associated BHO appeared to me to be the only reason for Mark's browser redirect.
Something about "ASK":
Quote

    * It promotes its toolbars on sites targeted at kids.
    * It promotes its toolbars through ads that appear to be part of other companies' sites.
    * It promotes its toolbars through other companies' spyware.
    * It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
    * It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
    * It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com - http://www.benedelman.org/spyware/installations/askjeeves-banner/
Unquote
Just something that's been found - user's choice.
Regards!
rossfingal
Thanks JV - I'm always interested in learning more, but sorry to see that "Jeeves" might be at fault...

wait for it....

(the butler did it?).
msibley (asker):
Here is the latest log from CF--after running the script Jonvee provided. How's it look?

Mark
ComboFixMSJ2.txt
ASKER CERTIFIED SOLUTION (content available to members only)
The CF log looks ok.   Off now until morning.
msibley (asker):
Browser works OK.

Thanks to all for your assistance.

Mark
After reading the comments in your thread again it can be seen that it was your first run of CF that resolved the main issue of browser redirection, and as younghv said there was no need to award any of us any points!
However ... thanks!  It was an interesting thread.

You should now uninstall ComboFix as follows >
Start > Run > then type "ComboFix /Uninstall" (with no quotes, and space between x and / )
Then hit enter.  
This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
msibley (asker):
Thanks. Got 'er done.

Mark