System Crippled From Redirect Malware Removal


Greetings all!

I'm a little comforted (not overly) that I am not the only one to have been plagued by the google search redirect malware. After digging through what little information seems to be out there for this problem I attempted to remove it myself.

I'm a regular user of:

Kaspersky IS 2k9 (however my license recently expired, so no more DB updates).

MalwareBytes Anti-Malware

HijackThis

A little background on my problem... I had recently been infected with a bogus anti-malware program which littered my screen with fake pop-ups claiming that I had infected files.. it was incredibly troublesome due to it immediately closing task manager on me as well as blocking any anti-virus and anti-malware from opening. I eventually was able to kill the main process and run MalwareBytes to clean it from my system, and all seemed well enough after that - until I noticed a lingering effect after it was gone.

I had been struck with the google search redirect hijack. I was not getting any strange pop-ups, however clicking on any google search links would bring me to random junk websites every so often. My about:config page in firefox was altered to use some search-star.net website, and any attempt to change it was reversed upon closing and re-opening firefox. I researched the problem heavily on forums such as this and eventually found a recommendation to use ComboFix which cured the problem for one user. I ran it and it seemed to clean a few infected files that MalwareBytes had missed, however the problem in firefox remained. I tried altering all of my user.js files to remove the pointer to the search-star website with little success. Eventually I deleted all of the extension folders in firefox's application data section and it seemed to cure my problem - though now another problem has arisen from what I did next.

Through my searching I had also seen TDSSKiller mentioned, and decided to give it a try. It scanned my PC and found 2 more infected files which I instructed it to delete. After doing so, I've experienced consistent BSoD's whenever I try running TDSSKiller again. It scans my PC and finds nothing, however after closing the program it gives me an immediate BSoD without any .dll referenced. Also, I occasionally have windows hang at "Windows XP" loading screen (the loading bar moves VERY slowly and doesn't go anywhere from there) - and now I can't seem to boot into Safe Mode either, as it hangs at a certain driver as well.

So, long story short I guess... is it worth trying to recover my system files that were damaged through this foolish and unadvised process of malware removal? Also, should I be confident that my system is actually clean now? I don't seem to have the redirect any more however when windows loads, my desktop background pops up but it seems to hang for longer than normal before all my icons appear. I'm a little concerned that there may still be something lurking on my PC that shouldn't be there.

Thanks in advance!

-CJ

P.S. the HijackThis log file is current. The attached TDSSKiller log file is from the run I made which deleted the 2 files the first time, leading (I believe) to my current BSoD issues. Subsequent TDSS logs contain no detected files in it. Both mbam logs are from the day I was infected with Antimalware Doctor - just to show what was detected and removed. Subsequent scans result in no detections.

hijackthis_07_29_2010.txt

TDSSKiller.2.4.0.0_28.07.2010_21.35.56_log.txt

mbam_log_2010_07_26__12_48_31_.txt

mbam_log_2010_07_26__23_22_23_.txt

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please copy and paste the report into your Post.

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

This topic is now closed to further replies.