Browser Redirect - 8-steps and logs included

Solved
By aristol
Apr 17, 2010
Topic Status:
Not open for further replies.
  1. Been fighting with my computer all this week to try and clean it out from a bad infection. It started with browser redirect, and after a week of frustration, I'm still stuck with redirects and random new tabs with spam/advertising. I also suspect it is preventing my Microsoft Security Essentials from connecting to the update server...

    Any assistance I can get for finally cleaning my computer and fixing this redirect issue would be greatly, greatly appreciated!

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    ==========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Here are the new requested logs.
    Two things I noted while the scans were running:
    After GMER ran, MSE notified me of a handful of Alureon.H infections, which it then cleaned.
    While ComboFix was running, I got a number of "Access denied" notifications, although all 50 stages said they were completed. I'm pretty sure I had all of my AV and AM programs disabled, but I don't know what else might've denied access since I was logged in as administrator to run it...

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Your computer is severely infected. We have a rootkit and several trojans here.
    We'll have to try several tools in order to get rid of it.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      disk.sys
      atapi.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    ======================================================================

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
  5. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Here's the c/p of the TDSSKiller log. SystemLook log is attached.
    Thanks, neighbor! (I also live on the Peninsula!)

    16:38:20:828 2904 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    16:38:20:828 2904 ================================================================================
    16:38:20:828 2904 SystemInfo:

    16:38:20:828 2904 OS Version: 5.1.2600 ServicePack: 3.0
    16:38:20:828 2904 Product type: Workstation
    16:38:20:828 2904 ComputerName: KD7
    16:38:20:828 2904 UserName: Owner
    16:38:20:828 2904 Windows directory: C:\WINDOWS
    16:38:20:828 2904 Processor architecture: Intel x86
    16:38:20:828 2904 Number of processors: 1
    16:38:20:828 2904 Page size: 0x1000
    16:38:20:843 2904 Boot type: Normal boot
    16:38:20:843 2904 ================================================================================
    16:38:20:843 2904 UnloadDriverW: NtUnloadDriver error 2
    16:38:20:843 2904 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    16:38:20:953 2904 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    16:38:20:953 2904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    16:38:20:953 2904 wfopen_ex: Trying to KLMD file open
    16:38:20:953 2904 wfopen_ex: File opened ok (Flags 2)
    16:38:20:953 2904 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    16:38:20:953 2904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    16:38:20:953 2904 wfopen_ex: Trying to KLMD file open
    16:38:20:953 2904 wfopen_ex: File opened ok (Flags 2)
    16:38:20:953 2904 Initialize success
    16:38:20:953 2904
    16:38:20:953 2904 Scanning Services ...
    16:38:21:390 2904 Raw services enum returned 468 services
    16:38:21:390 2904
    16:38:21:390 2904 Scanning Kernel memory ...
    16:38:21:390 2904 Devices to scan: 2
    16:38:21:406 2904
    16:38:21:406 2904 Driver Name: Disk
    16:38:21:406 2904 IRP_MJ_CREATE : B810EBB0
    16:38:21:406 2904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    16:38:21:406 2904 IRP_MJ_CLOSE : B810EBB0
    16:38:21:406 2904 IRP_MJ_READ : B8108D1F
    16:38:21:406 2904 IRP_MJ_WRITE : B8108D1F
    16:38:21:406 2904 IRP_MJ_QUERY_INFORMATION : 804F355A
    16:38:21:406 2904 IRP_MJ_SET_INFORMATION : 804F355A
    16:38:21:406 2904 IRP_MJ_QUERY_EA : 804F355A
    16:38:21:406 2904 IRP_MJ_SET_EA : 804F355A
    16:38:21:406 2904 IRP_MJ_FLUSH_BUFFERS : B81092E2
    16:38:21:406 2904 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    16:38:21:406 2904 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    16:38:21:406 2904 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    16:38:21:406 2904 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    16:38:21:406 2904 IRP_MJ_DEVICE_CONTROL : B81093BB
    16:38:21:406 2904 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
    16:38:21:406 2904 IRP_MJ_SHUTDOWN : B81092E2
    16:38:21:406 2904 IRP_MJ_LOCK_CONTROL : 804F355A
    16:38:21:406 2904 IRP_MJ_CLEANUP : 804F355A
    16:38:21:406 2904 IRP_MJ_CREATE_MAILSLOT : 804F355A
    16:38:21:406 2904 IRP_MJ_QUERY_SECURITY : 804F355A
    16:38:21:406 2904 IRP_MJ_SET_SECURITY : 804F355A
    16:38:21:406 2904 IRP_MJ_POWER : B810AC82
    16:38:21:406 2904 IRP_MJ_SYSTEM_CONTROL : B810F99E
    16:38:21:406 2904 IRP_MJ_DEVICE_CHANGE : 804F355A
    16:38:21:406 2904 IRP_MJ_QUERY_QUOTA : 804F355A
    16:38:21:406 2904 IRP_MJ_SET_QUOTA : 804F355A
    16:38:21:406 2904 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    16:38:21:406 2904
    16:38:21:406 2904 Driver Name: atapi
    16:38:21:406 2904 IRP_MJ_CREATE : 8A732AC8
    16:38:21:406 2904 IRP_MJ_CREATE_NAMED_PIPE : 8A732AC8
    16:38:21:406 2904 IRP_MJ_CLOSE : 8A732AC8
    16:38:21:406 2904 IRP_MJ_READ : 8A732AC8
    16:38:21:406 2904 IRP_MJ_WRITE : 8A732AC8
    16:38:21:406 2904 IRP_MJ_QUERY_INFORMATION : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SET_INFORMATION : 8A732AC8
    16:38:21:406 2904 IRP_MJ_QUERY_EA : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SET_EA : 8A732AC8
    16:38:21:406 2904 IRP_MJ_FLUSH_BUFFERS : 8A732AC8
    16:38:21:406 2904 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SET_VOLUME_INFORMATION : 8A732AC8
    16:38:21:406 2904 IRP_MJ_DIRECTORY_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_FILE_SYSTEM_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_DEVICE_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SHUTDOWN : 8A732AC8
    16:38:21:406 2904 IRP_MJ_LOCK_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_CLEANUP : 8A732AC8
    16:38:21:406 2904 IRP_MJ_CREATE_MAILSLOT : 8A732AC8
    16:38:21:406 2904 IRP_MJ_QUERY_SECURITY : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SET_SECURITY : 8A732AC8
    16:38:21:406 2904 IRP_MJ_POWER : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SYSTEM_CONTROL : 8A732AC8
    16:38:21:406 2904 IRP_MJ_DEVICE_CHANGE : 8A732AC8
    16:38:21:406 2904 IRP_MJ_QUERY_QUOTA : 8A732AC8
    16:38:21:406 2904 IRP_MJ_SET_QUOTA : 8A732AC8
    16:38:21:406 2904 Driver "atapi" infected by TDSS rootkit!
    16:38:21:421 2904 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
    16:38:21:421 2904 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
    16:38:21:421 2904 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
    16:38:21:421 2904 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    16:38:21:609 2904 vfvi6
    16:38:21:656 2904 !dsvbh1
    16:38:21:921 2904 dsvbh2
    16:38:21:921 2904 fdfb2
    16:38:21:921 2904 Backup copy found, using it..
    16:38:22:078 2904 will be cured on next reboot
    16:38:22:078 2904 Reboot required for cure complete..
    16:38:22:156 2904 Cure on reboot scheduled successfully
    16:38:22:156 2904
    16:38:22:156 2904 Completed
    16:38:22:156 2904
    16:38:22:156 2904 Results:
    16:38:22:156 2904 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    16:38:22:156 2904 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    16:38:22:156 2904 File objects infected / cured / cured on reboot: 1 / 0 / 1
    16:38:22:156 2904
    16:38:22:156 2904 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    16:38:22:156 2904 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    16:38:22:156 2904 UnloadDriverW: NtUnloadDriver error 1
    16:38:22:156 2904 KLMD(ARK) unloaded successfully

    Attached Files:
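    As an added example (not from the thread, and not code from Kaspersky's TDSSKiller), here is a small parser for the log format above that applies the dispatch-table pattern visible in it: the clean Disk driver's IRP_MJ_* handlers resolve to at least two addresses (its own routines at B810xxxx plus the kernel's default handler 804F355A for majors it does not implement), while every atapi entry resolves to the single address 8A732AC8, and the Results lines can be checked on the rerun to see whether the scheduled cure took. The sample log is a constructed excerpt of the posted one, and the regexes assume the "hh:mm:ss:ms pid" line prefix of TDSSKiller 2.2.8.1.

```python
import re

# Constructed excerpt modelled on the TDSSKiller 2.2.8.1 log posted above;
# most of the 28 IRP_MJ_* rows per driver are dropped to keep it short.
SAMPLE_LOG = """\
16:38:21:406 2904 Driver Name: Disk
16:38:21:406 2904 IRP_MJ_CREATE : B810EBB0
16:38:21:406 2904 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
16:38:21:406 2904 IRP_MJ_READ : B8108D1F
16:38:21:406 2904 IRP_MJ_WRITE : B8108D1F
16:38:21:406 2904 IRP_MJ_DEVICE_CONTROL : B81093BB
16:38:21:406 2904 IRP_MJ_SET_QUOTA : 804F355A
16:38:21:406 2904 Driver Name: atapi
16:38:21:406 2904 IRP_MJ_CREATE : 8A732AC8
16:38:21:406 2904 IRP_MJ_CREATE_NAMED_PIPE : 8A732AC8
16:38:21:406 2904 IRP_MJ_READ : 8A732AC8
16:38:21:406 2904 IRP_MJ_WRITE : 8A732AC8
16:38:21:406 2904 IRP_MJ_DEVICE_CONTROL : 8A732AC8
16:38:21:406 2904 IRP_MJ_SET_QUOTA : 8A732AC8
16:38:21:406 2904 Driver "atapi" infected by TDSS rootkit!
16:38:22:156 2904 Results:
16:38:22:156 2904 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:38:22:156 2904 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:38:22:156 2904 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every TDSSKiller line starts with "hh:mm:ss:ms <pid>" (assumed from the log above).
PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
DRIVER_RE = re.compile(PREFIX + r"Driver Name:\s+(\S+)")
IRP_RE = re.compile(PREFIX + r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
RESULTS_RE = re.compile(
    PREFIX + r"(Memory|Registry|File) objects infected / cured / cured on reboot:"
    r"\s*(\d+)\s*/\s*(\d+)\s*/\s*(\d+)"
)


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_name: handler_address}} from the kernel memory section."""
    tables, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def uniform_dispatch_drivers(tables, min_entries=4):
    """Heuristic that does not depend on the tool's own verdict line.

    A clean driver shows at least two distinct handler addresses: routines in
    its own image (disk.sys at B810xxxx above) and the kernel's default handler
    for majors it does not implement (804F355A above). Every IRP_MJ_* entry
    pointing to one address means the whole table was overwritten with a single
    hook, which is the atapi pattern in this thread. Returns {driver: address}.
    """
    hits = {}
    for name, table in tables.items():
        addrs = set(table.values())
        if len(table) >= min_entries and len(addrs) == 1:
            hits[name] = addrs.pop()
    return hits


def parse_results(log_text):
    """Return {'Memory'|'Registry'|'File': (infected, cured, cured_on_reboot)}."""
    out = {}
    for raw in log_text.splitlines():
        m = RESULTS_RE.match(raw.strip())
        if m:
            out[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return out


def still_infected(log_text):
    """True if a run still reports infected objects. Meant for the rerun log:
    the first run above scheduled a cure on reboot, and the second run (post #7)
    reported the same counts, i.e. the on-reboot cure did not take."""
    results = parse_results(log_text)
    return bool(results) and any(counts[0] > 0 for counts in results.values())


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_LOG)
    for name, addr in uniform_dispatch_drivers(tables).items():
        print(f"{name}: all {len(tables[name])} IRP_MJ handlers -> {addr:08X}")
    print("results:", parse_results(SAMPLE_LOG), "still infected:", still_infected(SAMPLE_LOG))
```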

  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK.
    I need you to re-run TDSSKiller and post a new log.
    I want to see if the atapi.sys infection was killed, or whether we have to use some other means.
  7. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Looks like it's still there...

    17:04:17:031 1172 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    17:04:17:031 1172 ================================================================================
    17:04:17:031 1172 SystemInfo:

    17:04:17:031 1172 OS Version: 5.1.2600 ServicePack: 3.0
    17:04:17:031 1172 Product type: Workstation
    17:04:17:031 1172 ComputerName: KD7
    17:04:17:031 1172 UserName: Owner
    17:04:17:031 1172 Windows directory: C:\WINDOWS
    17:04:17:031 1172 Processor architecture: Intel x86
    17:04:17:031 1172 Number of processors: 1
    17:04:17:031 1172 Page size: 0x1000
    17:04:17:078 1172 Boot type: Normal boot
    17:04:17:078 1172 ================================================================================
    17:04:17:078 1172 UnloadDriverW: NtUnloadDriver error 2
    17:04:17:078 1172 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    17:04:17:218 1172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    17:04:17:218 1172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    17:04:17:218 1172 wfopen_ex: Trying to KLMD file open
    17:04:17:218 1172 wfopen_ex: File opened ok (Flags 2)
    17:04:17:218 1172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    17:04:17:218 1172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    17:04:17:218 1172 wfopen_ex: Trying to KLMD file open
    17:04:17:218 1172 wfopen_ex: File opened ok (Flags 2)
    17:04:17:218 1172 Initialize success
    17:04:17:218 1172
    17:04:17:218 1172 Scanning Services ...
    17:04:17:718 1172 Raw services enum returned 468 services
    17:04:17:734 1172
    17:04:17:750 1172 Scanning Kernel memory ...
    17:04:17:750 1172 Devices to scan: 2
    17:04:17:750 1172
    17:04:17:750 1172 Driver Name: Disk
    17:04:17:750 1172 IRP_MJ_CREATE : B810EBB0
    17:04:17:750 1172 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    17:04:17:750 1172 IRP_MJ_CLOSE : B810EBB0
    17:04:17:750 1172 IRP_MJ_READ : B8108D1F
    17:04:17:750 1172 IRP_MJ_WRITE : B8108D1F
    17:04:17:750 1172 IRP_MJ_QUERY_INFORMATION : 804F355A
    17:04:17:750 1172 IRP_MJ_SET_INFORMATION : 804F355A
    17:04:17:750 1172 IRP_MJ_QUERY_EA : 804F355A
    17:04:17:750 1172 IRP_MJ_SET_EA : 804F355A
    17:04:17:750 1172 IRP_MJ_FLUSH_BUFFERS : B81092E2
    17:04:17:750 1172 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    17:04:17:750 1172 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    17:04:17:750 1172 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    17:04:17:750 1172 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    17:04:17:750 1172 IRP_MJ_DEVICE_CONTROL : B81093BB
    17:04:17:750 1172 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
    17:04:17:750 1172 IRP_MJ_SHUTDOWN : B81092E2
    17:04:17:750 1172 IRP_MJ_LOCK_CONTROL : 804F355A
    17:04:17:750 1172 IRP_MJ_CLEANUP : 804F355A
    17:04:17:750 1172 IRP_MJ_CREATE_MAILSLOT : 804F355A
    17:04:17:750 1172 IRP_MJ_QUERY_SECURITY : 804F355A
    17:04:17:750 1172 IRP_MJ_SET_SECURITY : 804F355A
    17:04:17:750 1172 IRP_MJ_POWER : B810AC82
    17:04:17:750 1172 IRP_MJ_SYSTEM_CONTROL : B810F99E
    17:04:17:750 1172 IRP_MJ_DEVICE_CHANGE : 804F355A
    17:04:17:750 1172 IRP_MJ_QUERY_QUOTA : 804F355A
    17:04:17:750 1172 IRP_MJ_SET_QUOTA : 804F355A
    17:04:17:750 1172 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    17:04:17:750 1172
    17:04:17:750 1172 Driver Name: atapi
    17:04:17:750 1172 IRP_MJ_CREATE : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_CREATE_NAMED_PIPE : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_CLOSE : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_READ : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_WRITE : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_QUERY_INFORMATION : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SET_INFORMATION : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_QUERY_EA : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SET_EA : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_FLUSH_BUFFERS : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SET_VOLUME_INFORMATION : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_DIRECTORY_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_FILE_SYSTEM_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_DEVICE_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SHUTDOWN : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_LOCK_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_CLEANUP : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_CREATE_MAILSLOT : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_QUERY_SECURITY : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SET_SECURITY : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_POWER : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SYSTEM_CONTROL : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_DEVICE_CHANGE : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_QUERY_QUOTA : 8A72DAC8
    17:04:17:750 1172 IRP_MJ_SET_QUOTA : 8A72DAC8
    17:04:17:750 1172 Driver "atapi" infected by TDSS rootkit!
    17:04:17:781 1172 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
    17:04:17:781 1172 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
    17:04:17:781 1172 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
    17:04:17:781 1172 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    17:04:18:015 1172 vfvi6
    17:04:18:093 1172 !dsvbh1
    17:04:19:281 1172 dsvbh2
    17:04:19:296 1172 fdfb2
    17:04:19:296 1172 Backup copy found, using it..
    17:04:19:531 1172 will be cured on next reboot
    17:04:19:531 1172 Reboot required for cure complete..
    17:04:19:593 1172 Cure on reboot scheduled successfully
    17:04:19:593 1172
    17:04:19:593 1172 Completed
    17:04:19:593 1172
    17:04:19:593 1172 Results:
    17:04:19:593 1172 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    17:04:19:593 1172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    17:04:19:593 1172 File objects infected / cured / cured on reboot: 1 / 0 / 1
    17:04:19:593 1172
    17:04:19:593 1172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    17:04:19:593 1172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    17:04:19:593 1172 UnloadDriverW: NtUnloadDriver error 1
    17:04:19:593 1172 KLMD(ARK) unloaded successfully
  8. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    No problem...
    As I said, we'll have to try different ways to get rid of it.


    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\drivers\disk.sys|C:\WINDOWS\ServicePackFiles\i386\disk.sys /replace
    C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    In addition, when you're done with OTM, re-run SystemLook with the very same script as in my post #4.
  9. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File C:\WINDOWS\system32\drivers\disk.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\disk.sys
    File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 64115 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 704646 bytes
    ->Flash cache emptied: 4892 bytes

    User: NetworkService
    ->Temp folder emptied: 6936 bytes
    ->Temporary Internet Files folder emptied: 761479 bytes
    ->Java cache emptied: 12 bytes
    ->Flash cache emptied: 16175 bytes

    User: Owner
    ->Temp folder emptied: 488407 bytes
    ->Temporary Internet Files folder emptied: 206085 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 29706763 bytes
    ->Google Chrome cache emptied: 103527956 bytes
    ->Flash cache emptied: 2917564 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2641369 bytes
    %systemroot%\System32 .tmp files removed: 5057563 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 218112 bytes
    Windows Temp folder emptied: 3781258 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 143.00 mb


    OTM by OldTimer - Version 3.1.10.2 log created on 04172010_183340

    Files moved on Reboot...
    File C:\WINDOWS\temp\TMP0000000311A601BAD55F6F52 not found!

    Registry entries deleted on Reboot...

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK, as expected, it didn't work, so we'll have to do it through an external source.


    Let's see if we can look at your computer booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

    Second

    • Download OTLPE.iso and burn it to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded, double-click it and this will then open ISOBurner to burn the file to CD
    • Reboot your system (non-working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        disk.sys
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        symmpi.sys
        adp3132.sys
        mv61xx.sys
        userinit.exe
        explorer.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
  11. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Here's the log for OTL. I know this might seem like a silly question, but should I leave my computer running as reatogo or reboot it to my normal OS? I've still got it in reatogo just in case - I wanted to check first before I did anything else.

    Attached Files: OTL.Txt (162.3 KB)
  12. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    You did fine :)


    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\drivers\disk.sys|C:\WINDOWS\ServicePackFiles\i386\disk.sys /replace
    C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.

    Check for redirection.
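    An added example (not from the thread, and not OldTimer's OTL/OTM code) that does what the /md5start block in post #10 and the ":Files ... /replace" lines in posts #8 and #12 do by hand: hash each driver from that list in system32\drivers, compare it with the Service Pack copy in ServicePackFiles\i386, and emit an OTM-style replace line for every mismatch. As the thread shows, the replacement run from inside the infected OS reported success in post #9 yet the rootkit stayed, so run a check like this from the boot CD against the mounted volume rather than from the live system; the directory paths are parameters, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

# Driver names taken from the /md5start list in the OTL custom scan above.
DRIVERS_OF_INTEREST = [
    "disk.sys", "atapi.sys", "iaStor.sys", "nvstor.sys", "IdeChnDr.sys",
    "viasraid.sys", "AGP440.sys", "nvatabus.sys", "ahcix86.sys", "symmpi.sys",
]


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large drivers are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_against_reference(live_dir, reference_dir, names=DRIVERS_OF_INTEREST):
    """Return {name: status}, status one of 'match', 'MISMATCH',
    'missing-live' (driver not installed, normal for most of the list) or
    'no-reference' (no Service Pack copy to compare with)."""
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(live):
            report[name] = "missing-live"
        elif not os.path.isfile(ref):
            report[name] = "no-reference"
        elif md5_of_file(live) == md5_of_file(ref):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def otm_replace_lines(report, live_dir, reference_dir):
    """Build ':Files' directives in the form used in posts #8 and #12:
    <live path>|<reference path> /replace, one per mismatched driver."""
    return [
        f"{os.path.join(live_dir, name)}|{os.path.join(reference_dir, name)} /replace"
        for name, status in sorted(report.items())
        if status == "MISMATCH"
    ]


def demo_on_constructed_tree():
    """Build a throwaway directory pair standing in for
    C:\\WINDOWS\\system32\\drivers and C:\\WINDOWS\\ServicePackFiles\\i386,
    with one clean driver, one patched driver and one driver without a
    reference copy (all contents constructed), and return the report plus
    the replace lines."""
    root = tempfile.mkdtemp(prefix="driver-md5-")
    live = os.path.join(root, "drivers")
    ref = os.path.join(root, "i386")
    os.makedirs(live)
    os.makedirs(ref)
    fixture = {
        ("drivers", "disk.sys"): b"DISK-CLEAN",
        ("i386", "disk.sys"): b"DISK-CLEAN",
        ("drivers", "atapi.sys"): b"ATAPI-WITH-EXTRA-BYTES",
        ("i386", "atapi.sys"): b"ATAPI-CLEAN",
        ("drivers", "iaStor.sys"): b"IASTOR",
    }
    for (sub, name), content in fixture.items():
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(content)
    names = ["disk.sys", "atapi.sys", "iaStor.sys", "nvstor.sys"]
    report = compare_against_reference(live, ref, names)
    return report, otm_replace_lines(report, live, ref)


if __name__ == "__main__":
    report, lines = demo_on_constructed_tree()
    for name, status in report.items():
        print(f"{name:12s} {status}")
    print("\n".join(lines))
```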
  13. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    *crossing fingers*

    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File C:\WINDOWS\system32\drivers\disk.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\disk.sys
    File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 39331823 bytes
    ->Flash cache emptied: 4729 bytes

    User: NetworkService
    ->Temp folder emptied: 20980 bytes
    ->Temporary Internet Files folder emptied: 13362050 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 2105 bytes

    User: Owner
    ->Temp folder emptied: 166979 bytes
    ->Temporary Internet Files folder emptied: 215742 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 32418138 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 770 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3287157 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

    Total Files Cleaned = 85.00 mb


    OTLPE by OldTimer - Version 3.1.37.1 log created on 04182010_140452
     
  14. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    How is redirection?
  15. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    After reboot, redirects seem to be under control.
  16. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Very good :)

    Delete your GMER and Combofix files.
    Download fresh copies, run them and post new logs.
  17. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    *crosses fingers again*
    Redirects still appear under control...

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    We're making progress.
    Rootkit appears to be gone, but the computer is still infected.
    Let me take a good look at Combofix log.
  19. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    BTW, you're running two AV programs, Sophos and Microsoft Security Essentials.
    One of them has to go. Your choice.
  20. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Yes, I noticed that, and Sophos is gone now.
  21. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    adzfsgbb
    aflfbkrt
    ahytoetr
    aozigrfv
    arbsoffx
    ascovogd
    asefvnao
    assususx
    bddiehwi
    bjehzksj
    bjrzmzau
    bmcdbqbi
    bqkodmcu
    bsqtrjcu
    bxdkrwez
    cgtjckxv
    cijsbegd
    cjqdtgbk
    csnfvedt
    csoqygch
    cttjedbf
    dcskuyee
    dddxzmzj
    dlxeidhc
    drkrltwf
    dwdzacoi
    eaickfbl
    ebluwqtv
    efbsxkyb
    eodazytk
    eowsnvck
    epxyhxbs
    esikspkj
    gfhczarc
    gzdxqywu
    hbjtpeuj
    hgwpzgev
    hrrffpcz
    htppuxao
    ikukbgdy
    ilsuygju
    imbiaron
    irjtznww
    itysakeu
    iyxgxsfs
    jmuunkvo
    juvcpqmu
    kahpksan
    lsdglscu
    lsirxqtp
    msumxsgw
    obfpmljb
    opvdzbik
    pnorzhwj
    ppvteywr
    pqdujtyd
    pvqreqfu
    qbsylmzj
    qcgzhdpj
    qhiignvo
    qrvxwfnb
    rapyebnl
    rmkhbxii
    rqfykkap
    rwcxdtkm
    rzrfvztf
    smcralxx
    srifwjam
    sxuovuqx
    syoisijy
    tcrrlbxm
    thvpugyb
    uarpoyhf
    udcsrmol
    uljepqkd
    umabifgm
    umyiyutv
    uptjlljf
    vwydrtzk
    wbmpyzgo
    wqgwkflt
    wrsrsnoa
    xajtwske
    yeybugpf
    ysjhvwrj
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Norton AntiVirus Server"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{30723499-6545-EACE-9B5A6213A2611088}\{8F702A1D-0083-23E8-7D232F31414B690B}\{20188B26-1B3F-8E02-CDCA05C95C90DBD0}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  22. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Here we go.

    Attached Files:

  23. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Delete your GMER file...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
  24. aristol

    aristol Newcomer, in training Topic Starter Posts: 16

    Phew, that took awhile!

    Attached Files:

  25. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    How is redirection?

    Please, re-run TDSSKiller.