Jump to content

Help with Redirect Virus


amyf

Recommended Posts

I've got a google redirect virus and Malwarebytes is giving me a clean report. I've run the DeFogger and DDS. I tried to download and run the GMER Rootkit Scanner. However, I got the "blue screen" both times I tried to run it, so I deleted and reinstalled it and tried it two more times. Both times it stopped working a couple of minutes into the scan. Obviously I need help! :~)

I've attached the zipped attach.txt file.

Thanks for your help!

Here is the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Amy at 12:25:11.70 on Thu 12/16/2010

Internet Explorer: 8.0.6001.18999

Microsoft

Attach.zip

Link to post
Share on other sites

Hi amyf and Welcome to Malwarebytes!

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

Hi amyf and Welcome to Malwarebytes!

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Thanks so much. Here's my log from ComboFix:

ComboFix 10-12-18.01 - Amy 12/18/2010 14:38:32.1.2 - x86

Microsoft

Link to post
Share on other sites

Hi

Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::

File::
c:\windows\system32\drivers\sst457D.tmp

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply and let me know how your computer is doing?

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

I ran the combofix by dragging the file onto it. It ran through, but then crashed while creating the log. I tried again and the same thing happened. It froze and I had to manually turn the computer off and on again. At that point I tried the whole process again and got an error that said, "Were you trying to run CFScript?" "The name CFScript appears to be incorrectly spelt."

At that point I stopped trying to generate a log and tried just using the computer for a few days.

The good news is that I do not seem to be being redirected anywhere when using a search engine. The bad news is that I am getting random sound bites such as commercials coming from my computer. I do not see any unauthorized programs running on the Task Manager, but by the time I get it open, the sound bite is finished. Help! Thank you again.

Link to post
Share on other sites

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL C
  • Open a Notepad and press CTRL V
  • Post the output back here.

Link to post
Share on other sites

Bootkit Remover

© 2009 eSage Lab

www.esagelab.com

Program version: 1.2.0.0

OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6

002), 32-bit

System volume is \\.\C:

main(): CreateFile() ERROR 5

ERROR: Can't open volume device \\.\C:

Done;

Press any key to quit...

Thanks, Amy

Link to post
Share on other sites

OOPS... I didn't run it as administrator. Here's the log from when I ran it as admin.

Bootkit Remover

© 2009 eSage Lab

www.esagelab.com

Program version: 1.2.0.0

OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6

002), 32-bit

System volume is \\.\C:

\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`83f00000

Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;

Press any key to quit...

Link to post
Share on other sites

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Link to post
Share on other sites

Here it is.... thanks again.

2010/12/23 06:51:01.0819 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/23 06:51:01.0819 ================================================================================

2010/12/23 06:51:01.0819 SystemInfo:

2010/12/23 06:51:01.0819

2010/12/23 06:51:01.0819 OS Version: 6.0.6002 ServicePack: 2.0

2010/12/23 06:51:01.0819 Product type: Workstation

2010/12/23 06:51:01.0819 ComputerName: AMY-PC

2010/12/23 06:51:01.0819 UserName: Amy

2010/12/23 06:51:01.0819 Windows directory: C:\Windows

2010/12/23 06:51:01.0819 System windows directory: C:\Windows

2010/12/23 06:51:01.0819 Processor architecture: Intel x86

2010/12/23 06:51:01.0819 Number of processors: 2

2010/12/23 06:51:01.0819 Page size: 0x1000

2010/12/23 06:51:01.0819 Boot type: Normal boot

2010/12/23 06:51:01.0819 ================================================================================

2010/12/23 06:51:03.0364 Initialize success

Link to post
Share on other sites

Hi Amy

Drag ComboFix icon into the Recycle Bin. Lets download it again. But rename Combofix during the download:

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Please give me an update on how the system is running in your next reply.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Link to post
Share on other sites

Happy Holidays. Please don't feel obligated to get to this quickly!

Here are the results:

C:\Users\Amy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4e6f0cfe-3f08fc66 multiple threats

Results of screen317's Security Check version 0.99.8

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Trend Micro PC-cillin Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java SE Runtime Environment 6

Adobe Flash Player

Adobe Reader 8.1.4

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

TRENDM~1 INTERN~1 PcCtlCom.exe

TRENDM~1 INTERN~1 Tmntsrv.exe

TRENDM~1 INTERN~1 TmPfw.exe

TRENDM~1 INTERN~1 tmproxy.exe

TRENDM~1 INTERN~1 PccGuide.exe

``````````End of Log````````````

Link to post
Share on other sites

Happy Holidays Amy!

Be sure to clear the Java cache:

http://www.java.com/en/download/help/plugin_cache.xml

Your Computer is Clean

CLEAN-1.jpg

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

Wonderful! Thank for all your help. I will be visiting your paypal account. I really appreciate everything. However, I do have one last question: Do I need to do anything with the DDS, DeFogger, GMER, or Security check applications? I did run the DDS and DeFogger at the beginning of this process, so I didn't know if I needed to change any settings?

Thanks again!

Link to post
Share on other sites

As for DDS, DeFogger, GMER and Security check. Remove them off yourn desktop. Then

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Now you can remove DeFogger off your desktop as well.

Have a nice new years Amy...... :D

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.