
browser redirects after being infected by Total PC Defender 2010



Yesterday, I was getting popups from Total PC Defender 2010. I updated Malwarebytes (http://www.malwarebytes.org/) and ran it, which caught and deleted the malware. It asked for a reboot, which I did. Ran a full scan after that, which detected nothing else, so I assumed my machine was clean.

But my browser (Firefox 3.6.3) is getting redirected. It is opening sites like surfing2cash and Stopzilla spyware remover.

Ran Spybot Search & Destroy (http://www.safer-networking.org/en/), which detected Fraudreg and removed it.

Looked at the thread http://forums.techguy.org/virus-othe...lp-needed.html as I suspect I am infected with a TDSS rootkit. Ran TDSSKiller (http://support.kaspersky.com/downloa...tdsskiller.zip), which claims my atapi.sys is infected with TDSS. It says it will be removed on reboot, but the redirects still persist after rebooting.

My Malwarebytes log from when I was infected yesterday is below:

////////////////////////////////////////////////////////////////////

Database version: 4070

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/5/2010 6:28:20 PM

mbam-log-2010-05-05 (18-28-20).txt

Scan type: Quick scan

Objects scanned: 141618

Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Total PC Defender 2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\Admin\Start Menu\Total PC Defender 2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

C:\Program Files\SystemDefender2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\Admin\Start Menu\Total PC Defender 2010\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Admin\Desktop\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

////////////////////////////////////////////////////////////////////

The Malwarebytes log which reported a clean machine is below:

////////////////////////////////////////////////////////////////////////////////////

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4073

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/6/2010 3:52:10 PM

mbam-log-2010-05-06 (15-52-10).txt

Scan type: Quick scan

Objects scanned: 141140

Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

////////////////////////////////////////////////////////////////////////////////////

Ran HijackThis 2.0.2 and did not find anything unusual; its log is below:

/////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:16:18 PM, on 5/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis.exe

C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\mox5B.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{073811F5-8595-4AEE-9BAF-861FA628DBD2}: NameServer = 168.223.2.3,168.223.3.20

O17 - HKLM\System\CS1\Services\Tcpip\..\{073811F5-8595-4AEE-9BAF-861FA628DBD2}: NameServer = 168.223.2.3,168.223.3.20

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Macromedia JRun Admin Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe

O23 - Service: Macromedia JRun CFusion Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe

--

End of file - 7767 bytes

/////////////////////////////////////////////////////////////////////////////////////

As per the thread http://forums.techguy.org/virus-othe...lp-needed.html, I ran DirQuery (http://ad13.geekstogo.com/DirQuery.exe) and typed the following text into that window:

\Device\Ide\IdePort3

Then hit Enter. The program generated a file on my desktop called DirQuery.txt. Its contents are:

Running from: C:\Documents and Settings\Admin\Desktop\DirQuery.exe

Log file at : C:\Documents and Settings\Admin\Desktop\DirQuery.txt

The driver that owns the link:

\Device\Ide\IdePort3

is located at:

atapi.sys

and the device link is:

\Driver\atapi

The path to the driver from the registry is:

system32\drivers\tskA.tmp.

Tried to use SystemLook (http://jpshortstuff.247fixes.com/SystemLook.exe) as per the post, but it did not work (when I entered ":filefind" followed by "atapi.sys" it froze). I guess it is trying to find other uninfected copies of atapi.sys. There was a copy of it at:

C:\WINDOWS\ServicePackFiles\i386\atapi.sys

C:\WINdows\$NTServicePackUninstall$

C:\windows\system32\drivers

I tried to use the Avenger (http://swandog46.geekstogo.com/avenger2/download.php) tool to restore the copy by moving C:\WINDOWS\ServicePackFiles\i386\atapi.sys to C:\win\system32\drivers, and it said in the log that no rootkits were found and the file was moved successfully. But TDSSKiller claims the TDSS rootkit is there and hooked to atapi.sys.

Ran ComboFix (http://www.combofix.org/download.php) directly as well, not using CFScript.txt, which rebooted the machine, but the redirection persists.

I looked at the Windows hosts file and it looked fine ("127.0.0.1 localhost"). Everything else was commented out and standard for a hosts file.

Ran F-Secure's BlackLight rootkit eliminator (http://www.f-secure.com/en_EMEA/prod...es/blacklight/), which could not find anything. Ran the rkill (http://www.technibble.com/rkill-repa...l-of-the-week/) tool also, but that did not fix the issue.

Ran TrojanRemover (http://www.simplysup.com/tremover/download.html), which also said the machine was clean.

Do I have TDSS, as TDSSKiller claims, or not, as Malwarebytes did not find anything? Then what could be causing my browser redirects?

Any advice would be welcome.
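The DirQuery output above shows the classic TDSS tell: the driver in memory is atapi.sys, but the service's registry path points at system32\drivers\tskA.tmp. The script below, added here as an example and not part of the post or any of the tools named in it, parses that DirQuery text to flag the mismatch and hashes the listed atapi.sys copies so a patched one stands out. The file paths are assumed XP locations from the post and exist only on the affected machine.

```python
"""Check the two signs of the atapi.sys hijack described in the post:
a registry ImagePath that disagrees with the loaded driver, and a driver
copy whose hash differs from the other known-good copies."""
import hashlib
import os
import re

# Constructed sample: the DirQuery.txt body quoted in the post.
DIRQUERY_SAMPLE = """The driver that owns the link:
\\Device\\Ide\\IdePort3
is located at:
atapi.sys
and the device link is:
\\Driver\\atapi
The path to the driver from the registry is:
system32\\drivers\\tskA.tmp.
"""

# Assumed XP paths of the atapi.sys copies the post lists; only present on that machine.
XP_COPIES = [
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
    r"C:\WINDOWS\$NTServicePackUninstall$\atapi.sys",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
]

def parse_dirquery(text):
    """Extract the driver file actually loaded and the path the registry holds."""
    loaded = re.search(r"is located at:\s*(\S+)", text).group(1)
    reg = re.search(r"from the registry is:\s*(\S+?)\.?\s*$", text, re.M).group(1)
    return {"loaded_driver": loaded, "registry_path": reg}

def registry_path_hijacked(info):
    """True when the registry sends the service to a file other than the loaded
    driver (here tskA.tmp instead of atapi.sys), which is how TDSS loads itself."""
    reg_file = info["registry_path"].replace("\\", "/").rsplit("/", 1)[-1]
    return reg_file.lower() != info["loaded_driver"].lower()

def hash_files(paths):
    """SHA-256 of every copy that exists on disk, keyed by path."""
    out = {}
    for p in paths:
        if os.path.exists(p):
            with open(p, "rb") as f:
                out[p] = hashlib.sha256(f.read()).hexdigest()
    return out

def odd_copies(hashes):
    """Names whose hash differs from the majority; a patched driver stands out."""
    if not hashes:
        return []
    values = list(hashes.values())
    majority = max(set(values), key=values.count)
    return sorted(name for name, h in hashes.items() if h != majority)
```

On the affected machine, `odd_copies(hash_files(XP_COPIES))` names the copy that disagrees with the service pack originals; `registry_path_hijacked(parse_dirquery(open("DirQuery.txt").read()))` reports whether the service still points at a renamed .tmp file.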


Hello p_s_92, and welcome to the forums here at Malwarebytes.org :)

You do have a nasty infection, and you may or may not have the TDSS rootkit.

Please read and follow the directions here, skipping any steps you are unable to complete. Then re-post your topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

Also, when replying, please use the "ADD REPLY" button located at the bottom of the page, as this makes the forum easier to read.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Thank you :)
