
Rootkit Infection!!!! - Google.com/webhp redirect



I guess what we've done will take care of everybody's logon? There are 4 different logons, 1 for me, 1 for my wife, & 1 for each son. I'm rebooting & logging on each one & testing.

Also, let me know when I can turn cd emulation back on with defogger, because I may forget later.


Gringo,

It looks like it is working OK. No redirects or pop-ups.

I need or will need to do the following:

Enable the CD Emulators

Turn McAfee back on

Make sure Adobe is up to date

Check Windows Update

Do I need to uninstall/clean up any programs we used?

Or can they just be sent to the recycle bin?

Is there any thing else you can think of?

After you give the pc a clean bill of health, all I ask of you is to answer my PM.

Man, I might get to go to bed at a regular time tonight! :)

NHITX


  • Staff

good evening

Going through all the posts, this is what I would like you to do next to make sure there is nothing else on the PC.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

:Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

:Kaspersky scan:

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

:Information and logs:

  • In your next post I need the following
  1. Log From MBAM
  2. Log From Kaspersky
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


One last thing. Do I need to run defogger & activate the CD Emulators?

I got this off of AdvancedSetup's post at topic 9573,

"I'm infected - What do I do now?, Please follow these instructions to clean your system"

DeFogger - Re-Enable (only run when instructed to when your system is clean again)

To re-enable your Emulation drivers, double click DeFogger to run the tool.

The application window will appear

Click the Re-enable button to re-enable your CD Emulation drivers.

Click Yes to continue

A 'Finished!' message will appear

Click OK

DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

NHITX


Hello Gringo!

I did the TFC cleaner & MBAM. No problems encountered with these.

TFC did have me reboot. McAfee also ate ComboFix like last time.

But I did have a problem when I went to the Kaspersky online scanner.

I will also attach a screen shot of the problem I had with Kaspersky. The only way I could get off of the Kaspersky website was Alt-Ctrl-Del. I wasn't going to click on anything; it may have been genuine, but I'm gun-shy now.

First, here is the MBAM log & it was clean.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4056

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/30/2010 5:04:32 PM

mbam-log-2010-04-30 (17-04-32).txt

Scan type: Quick scan

Objects scanned: 158887

Time elapsed: 14 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Now, here's the screen shot of the Kaspersky problem. I got a Security Warning pop-up that read "The application's digital signature has an error. Do you want to run the application?"

The yellow warning shield didn't look right to me, plus it says the name is javavm & the publisher is Microsoft Corporation. I did have a Java icon show up in the system tray next to the Ad-Aware icon.

So, I'm not sure if this is real or another malware program. It seems funny that you would get something like this at the Kaspersky site.

I'll be waiting for your response!

NHITX

post-12162-1272666368_thumb.jpg


  • Staff

Hello

I don't think that is a problem, but let's play it safe. Use this one:

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Gringo


Here's the ESET log file & it appears to be the infection you cleared last night. (rasacd.sys renamed to rasacd.old)

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=709d22b16f9d3a4a91bfa66f9d1d676c

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-01 02:38:44

# local_time=2010-04-30 09:38:44 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16776869 100 96 615308 24673278 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=182801

# found=6

# cleaned=0

# scan_time=13370

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir Win32/Patched.EQ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP332\A0054278.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0055508.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0056936.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I

C:\WINDOWS\maxdriver\rasacd.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\drivers\rasacd.old Win32/Patched.EQ trojan 00000000000000000000000000000000 I

The pc seems to be running okay, no redirects or pop-ups.

Now, do I check the box for "Uninstall application on close"?

ESET says, "Select Uninstall if you want to remove all ESET Online Scanner files from your computer.

The next time you run ESET Online Scanner, they will need to be downloaded again".

Then click "Finish".

What's my next step?

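The ESET log above lists six hits, all the same patched driver, and the staff reply that follows judges every one of them to be a copy of the infection already dealt with. Below is an added example, not from the forum thread or from any of the tools it mentions, that parses a log in this format (the `# key=value` header, then one detection per line as path, threat name, 32-hex hash and flag) and sorts the hits by where they sit: ComboFix's Qoobox quarantine, a System Restore point, a renamed .old/.vir backup, or a live path that still needs a look. The sample input is the header and detection lines copied from the log above; the path prefixes used for classification and the handling of ESET's "a variant of" threat-name prefix are assumptions of the example, not documented ESET behaviour.

```python
"""Added example: triage an ESET Online Scanner log.

Header lines are '# key=value'; each detection line is
'<path> <threat name> <32-hex hash> <flag>'.  Both the path and the threat
name may contain spaces, so the parser anchors on the fixed-width hash and
the trailing flag instead of splitting naively."""
import re
from collections import Counter

# Sample input: header fields and the six detection lines copied from the
# ESET log posted above, plus the two installer lines that precede them.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# scanned=182801
# found=6
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir Win32/Patched.EQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP332\A0054278.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0055508.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP334\A0056936.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\maxdriver\rasacd.sys Win32/Patched.EQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\rasacd.old Win32/Patched.EQ trojan 00000000000000000000000000000000 I
"""

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Words ESET puts in front of a family name ("a variant of ...",
# "probably a variant of ..."); assumption based on commonly seen names.
THREAT_PREFIX = {"a", "probably", "variant", "of"}


def parse_detection(line):
    """Split one detection line into (path, threat, hash, flag), or None.

    The threat name is assumed to start at the first token containing '/',
    which a Windows path never contains; any prefix words directly before
    it are pulled into the threat name as well (heuristic)."""
    tokens = line.split()
    if len(tokens) < 4 or not HASH_RE.match(tokens[-2]):
        return None
    flag, digest = tokens[-1], tokens[-2].lower()
    body = tokens[:-2]
    try:
        i = next(k for k, t in enumerate(body) if "/" in t)
    except StopIteration:
        return None
    while i > 0 and body[i - 1] in THREAT_PREFIX:
        i -= 1
    return (" ".join(body[:i]), " ".join(body[i:]), digest, flag)


def classify(path):
    """Where does this hit live?  Order matters: quarantine and restore-point
    copies are inert, a renamed .old/.vir file is a leftover, anything
    else is treated as a live location that needs a look (assumed prefixes)."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"
    if r"\system volume information\_restore" in p:
        return "system_restore"
    if p.endswith(".old") or p.endswith(".vir"):
        return "renamed_backup"
    return "live"


def parse_log(text):
    """Return (header dict, list of hit dicts) for a log in this format."""
    header, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header.setdefault(key, value)  # keep the first of repeated keys
            continue
        det = parse_detection(line)
        if det:
            path, threat, digest, flag = det
            hits.append({"path": path, "threat": threat, "hash": digest,
                         "flag": flag, "location": classify(path)})
    return header, hits


def triage(text):
    """Return (hits still in a live location, Counter of locations) after
    checking that the header's own counts agree with what was parsed."""
    header, hits = parse_log(text)
    if header.get("found") and int(header["found"]) != len(hits):
        raise ValueError("parsed %d hits but header says found=%s"
                         % (len(hits), header["found"]))
    # Removal was switched off for this scan, so nothing may report as cleaned.
    if header.get("remove_checked") == "false" and header.get("cleaned") != "0":
        raise ValueError("scanner claims to have cleaned although removal was off")
    summary = Counter(h["location"] for h in hits)
    live = [h for h in hits if h["location"] == "live"]
    return live, summary


if __name__ == "__main__":
    live_hits, where = triage(SAMPLE_LOG)
    print(dict(where))
    for h in live_hits:
        print("REVIEW:", h["path"], "->", h["threat"])
```

On the sample the only hit left for review is C:\WINDOWS\maxdriver\rasacd.sys, because it is the one path outside any quarantine or restore-point location; whether that directory belongs to one of the cleanup tools used earlier in the thread is a call for the helper, not the parser. The header checks matter too: a log that reports cleaned greater than 0 while remove_checked=false means the scan did not run with the settings that were asked for.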

  • Staff

Hello NeedhelpinTX

"Now, do I check the box for "Uninstall application on close"?" Yes, you can.

Everything it found was the infection we dealt with, and in System Restore, which we will clean out next.

Click on Start > Run and type in the following: maxlook -cleanup (note the space).

Delete Files

We need to delete some files.

It will be easier and less error-prone if we create a batch file to do this. Please follow these steps:

  • Copy all text in the quote box (below)...to Notepad.
    @echo off
    del /f /s /q "C:\WINDOWS\system32\drivers\rasacd.old"
    del %0
  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    delfile.bat <<------------- you should see this on your desktop.
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

:Uninstall ComboFix:

  • Press the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:remove tools:

  • Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.

    Please download OTCleanIt and save it to your desktop. This tool will remove all the tools we used to clean your PC.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:Make your Internet Explorer more secure:

  • Please visit this page, which gives instructions to do this: http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then select one of the following options. We recommend that you select Automatic (recommended): "Automatically download recommended updates for my computer and install them".
       If you click this setting, select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them also.
    I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly:
    • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine.

Please read this great article by miekiemoes, How to prevent Malware:

and

this great article by Tony Klein, So How Did I Get Infected In First Place.

Now that you have followed my advice, it's time to lodge a complaint about what you have suffered:

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Gringo


It says "Windows cannot find maxlook -cleanup".

And it also says the same for ComboFix. McAfee ate ComboFix again after it was reactivated.

I'm going on with the rest of your post.

Defogger enable complied with.

defogger_enable by jpshortstuff (23.02.10.1)

Log created at 23:14 on 30/04/2010 (Dad)

Parsing file...

-=E.O.F=-


Ok Gringo,

Everything has been complied with. I will download the antispyware programs you suggest tomorrow.

The "Make your Internet Explorer more secure" link says it is for IE7, I'm guessing that also goes for IE8?

There are a couple more things left on your post that I need to do tomorrow, so I'll be back on to take care of them. How long do these topics stay in the forum after they are closed? I should be back on tomorrow morning to finish up.

If you are going to close this topic then let me thank you again for your assistance. You did a great job & a great service to all that face the scourge of malware. It was a pleasure working with you.

KEEP KILLIN' THOSE BUGS!! :)

Best Regards,

No longer NeedhelpinTX (for now)


This topic is now closed to further replies.