
Google links are redirecting to various ad sites. First noticed Google loading a second or two slower than normal. Then links started going to the wrong places. When MSEssentials did its weekly scan on June 30 it quarantined Alureon 32 and 64 which had obviously slipped by. Downloaded and ran MBAM Pro today - scanned twice. Google on IE9 initially looked like it was okay but quickly started redirecting again.

Thanks for helping.

John

DDS 7-3-12.txt

Attach 7-3-12.txt


Hello John and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  7. Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

In your next reply, post the following log files:

  • TDSSKiller log
  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a fresh DDS log file


Thanks Maniac. I appreciate your help. I disconnected that machine yesterday but only realized this might be more serious when the problems persisted after I thought it was clean. Based on what you said it is even worse than I suspected.

Was not aware of benefits of being a paying customer so if that is the best route I can do that. I got the MBAM Pro trial yesterday because it was the fastest way to get it without exposing passwords or credit card information through my system. After seeing MSE let viruses through and reading up on this I had decided to buy Pro to use in addition to MSE anyway.

Here is my status. I have a new laptop onsite that I was getting ready to switch to anyway, so switching to that machine immediately followed by a clean install on the old one is not a problem if that will fix the old one. The only things I have to do before switching are export the Outlook 2007 pst folder to the USB backup (unfortunately connected to the infected machine), set up email accounts on the new machine, and move the backup drive to the new machine. Note that the infected machine is also hooked up to a wireless network (three computers but no server). Have had no virus symptoms on the other machines yet, and the new laptop has not been connected to the network recently (last 30 days).

Beyond the password and identity theft issues, my concern is infections on the USB backup, and I cannot hook it up to the new machine until it is clean. The files on the backup drive include an old system image from Dec 2011 or Jan 2012, which is 6 months before virus symptoms showed up in last week's MSE scan. The drive also has recent document, photo, and spreadsheet files, plus a recent Outlook pst file.

Based on what you said I see the tasks in order of importance as:

1. Change passwords

2. Notify relevant parties (already have identity theft monitoring that is locked down for opening of new accounts)

3. Get the backup drive clean so I can use the files on that drive.

4. Deal with the old laptop.

I welcome suggested changes to the list and I really need help with items 3 and 4. Also welcome your thoughts on how to handle infections on the backup drive and about possible network infections.

John


I have a solution for you, John! :)

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don't delete this folder; it will help protect your drives from future infection.

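The autorun.inf placeholder folder mentioned in the note above works because a Windows volume cannot hold both a folder and a file with that name, so autorun-based malware has nowhere to drop its launch instructions. The script below is an added example, not Flash_Disinfector's own code and not part of the original post: it classifies each volume root as unprotected, protected (autorun.inf is a folder) or carrying an autorun.inf file, extracts the launch commands (open=, shellexecute=, shell\verb\command=) from any such file so they can be reviewed before a backup drive is attached to a clean machine, and creates the placeholder folder where it is safe to do so. The Hidden+System attributes are only applied on Windows (an assumption, guarded by os.name); the sample volumes and the autorun.inf contents in demo() are constructed for illustration, including the file names they reference.

```python
# Added example: audit volume roots for the autorun.inf placeholder-folder
# protection and review any autorun.inf file found. Not Flash_Disinfector's code.
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# [autorun] keys that name a program to launch; shell\<verb>\command= is handled separately.
LAUNCH_KEYS = ("open", "shellexecute")


def classify_autorun(volume_root: Path) -> str:
    """Return 'absent', 'protected' (autorun.inf is a folder) or 'file'."""
    target = volume_root / "autorun.inf"
    if not target.exists():
        return "absent"
    return "protected" if target.is_dir() else "file"


def launch_commands(autorun_file: Path) -> List[str]:
    """Extract the launch commands from the [autorun] section of an autorun.inf file."""
    commands: List[str] = []
    in_autorun = False
    for raw in autorun_file.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in LAUNCH_KEYS or (key_l.startswith("shell\\") and key_l.endswith("\\command")):
            commands.append(value)
    return commands


def protect_volume(volume_root: Path) -> bool:
    """Create the placeholder folder; refuse if an autorun.inf *file* is already present."""
    state = classify_autorun(volume_root)
    if state == "file":
        return False  # leave it for review rather than silently replacing it
    if state == "absent":
        (volume_root / "autorun.inf").mkdir()
    if os.name == "nt":  # assumption: attribute bits only meaningful on Windows
        import ctypes
        FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
        ctypes.windll.kernel32.SetFileAttributesW(
            str(volume_root / "autorun.inf"), FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return True


def audit(volume_roots: List[Path]) -> Dict[str, Dict[str, object]]:
    """Classify each volume and list launch commands for any autorun.inf file found."""
    report: Dict[str, Dict[str, object]] = {}
    for root in volume_roots:
        state = classify_autorun(root)
        cmds = launch_commands(root / "autorun.inf") if state == "file" else []
        report[str(root)] = {"state": state, "commands": cmds}
    return report


def demo() -> Dict[str, object]:
    """Run the audit over two constructed volumes in a temp dir (sample data, not real drives)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup_drive"
        fresh = Path(tmp) / "fresh_stick"
        backup.mkdir()
        fresh.mkdir()
        # Constructed autorun.inf in the style a USB worm drops; the file names are made up.
        (backup / "autorun.inf").write_text(
            "[autorun]\n"
            "open=RECYCLER\\setup.exe\n"
            "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
            "shell\\open\\command=RECYCLER\\setup.exe /s\n"
            "[other]\n"
            "open=ignored.exe\n"
        )
        fresh_protected = protect_volume(fresh)    # clean stick: folder gets created
        backup_protected = protect_volume(backup)  # autorun.inf file present: refused
        report = audit([backup, fresh])
        return {
            "fresh_protected": fresh_protected,
            "backup_protected": backup_protected,
            "fresh_state": report[str(fresh)]["state"],
            "backup_state": report[str(backup)]["state"],
            "backup_commands": report[str(backup)]["commands"],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real machine you would pass the volume roots (for example `Path("E:\\")`) to `audit()` and `protect_volume()` instead of calling `demo()`; a volume that reports state `file` is the one to inspect, and the listed commands show what would have been launched had autorun been allowed to run.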

No luck, Maniac. Downloaded Flash_Disinfector to the infected machine but it will not start. Sign in as Admin and it acts like there is a compatibility problem. It ran fine on my other machine (XP). Also moved that copy from the XP machine to the infected machine but it will not start.

Also, Alureon.FO showed up again in the MSE scan. MSE quarantined it and I removed it again but don't think that did any good. And MBAM Pro stopped updating and kicked out an error. Sent it to support as it requested.

Any suggestions?


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Yes, I am still with you. Have a chronically ill family member - was away from the computer.

Bought MBAM Pro.

Panda seemed to take care of the USB issue.

Current plan is below and suggestions ARE welcome. Goal is to NOT transfer anything bad to the new machine. Want to get it right the first time and not have to do this again.

1. Reformat infected machine Thursday (friend coming to do that).

2. Check that files on the USB backup drive that was attached to the infected machine do not re-create those same issues on that machine after reformatting.

3. Move files on the USB drive to the new machine.

Will update here after reformat and file transfer later this week.

Thanks.


Good luck! :)

I will wait for you to inform me and then close the topic.


Yes, but have not made nearly as much progress as expected. Will likely be next Thursday when my helper returns before I get much further. If you want to close this out that is fine.

John


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.