search redirect and a variant of Win32/Olmasco.AD trojan

[jbomx363]

Browser redirect issue.

Without coming here first, I ran MWB and it didn't find anything.

I then ran an eset scan and it came up with this:

Operating memory a variant of Win32/Olmasco.AD trojan

I reran microsoft client and it found nothing.

Reran MWB's and nothing.

Need the fix please!

DDS files attached.

dds.txt

attach.txt

[MrCharlie]

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)

[jbomx363]

RogueKiller scan attached.

RKreport1_S_11212012_02d0834.txt

[MrCharlie]

Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
  
• Open the folder where the contents were unzipped and run mbar.exe
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
  

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

MrC

[jbomx363]

Thanks MrC.

I'll reformat instead of try to clean it.

[MrCharlie]

OK

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.

[Maurice Naggar]

Re-opened per request.

[jbomx363]

Thanks Maurice.

Mr. C... I think I'll take a stab at removing this.

I've tried to run mwb anti-root kit quite a few times and it will get to some certain point and then be "not responding", and will not continue on, so I cannot get a full scan and it will not make it to the cleanup part.

I've tried running in safe mode also. It stops at random sectors, meaning it will sometimes go to sector 312483209 or 312481112 or whatever, then hang.

Suggestions?

[jbomx363]

Attached is the last system log (I have yet to get an mbar log) which I had to end the process on the kit as it was again, not responding.

I noticed this:

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 2048 Numsec = 312467232

Partition 1 type is HIDDEN (0x17)

Partition is ACTIVE.

Partition starts at LBA: 312469504 Numsec = 20480

Partition is not bootable

Infected: VBR on Hidden active partition --> [unknown Rootkit VBR Infection]

I'm going to start again and let it run overnight and see how far it gets.

system-log 4pm 11.26.txt

[MrCharlie]

I know what the problem is......Try this tool instead >>>

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.
  

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC

[jbomx363]

TDSSKiller will not run. Tried it in safe mode also.

The process will show briefly in task manager.

[jbomx363]

btw.. this is windows 7 enterprise, 64 bit system.

I also tried renaming kss to .com and no luck...and I am running as administrator.

[jbomx363]

Welp...took the time to download and run Kaspersky antivirus. Ran it 4 times and cleaned up a bunch of stuff.

Then ran the tdsskiller.

Then ran roguekiller.

Then ran malwarebytes.

Back to Kaspersky AV.

Everything seems to be cleaned and free.

Will run a couple of more times this week and see if anything shows up.

No malware/trojans/zeroaccess and no longer getting redirects.

[MrCharlie]

So you 're OK now?? MrC

[jbomx363]

MrC....I'm totally clean and running as before.

Thanks.

Can close this thread.

[MrCharlie]

OK.............

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!