TechSpot

Google redirect virus? Please help cleaning

Inactive
By dameista
Dec 27, 2011
  1. Hi,

    Seems I’ve been a bad boy and now I suspect I’m being punished with the Google redirect horror…
    The symptoms match: iexplore.exe is open in the processes without IE running, any Google search redirects me to totally unrelated pages and lately my laptop frequently just freezes without any apparent error message. I’ve also been getting random popups saying I’ve won an iPad2 (generated by explorer.exe process); too bad I already have one…

    Thanks a million already for your help!

    Here are the required logs:

    Mbam:
    --------------------------------------------------------------------------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122105

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    26/12/2011 11:59:28
    mbam-log-2011-12-26 (11-59-27).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 350682
    Time elapsed: 1 hour(s), 14 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    --------------------------------------------------------------------------------------------------------------------------------------

    GMER:
    --------------------------------------------------------------------------------------------------------------------------------------
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-26 20:55:31
    Windows 6.1.7600
    Running: gxek03go.exe; Driver: C:\Users\VheymBB\AppData\Local\Temp\uwliipog.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37fcb2e9
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ?????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????????????????????????????ir????????????????????????????????????????????R????????????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsoft???????????????????e?????????????????????????????????????????????:??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`???????????????????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??system32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N??????T????D03???MONITOR\SAM0373?????????????????t???????4m??? ??????????????s?????N???????????D??????t?t?????????t????????????????????????N????????????D????????????@nettun.inf,%msft%;Microsoft?-???-????????????N????????????D????{4d36e972-e325-
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ???o????ndis5???? ???????o???????????o??????????6?*?????C???system32\drivers\battc.sys??????? ???????o?????o?? ??o????????$?`?,???????????N??o?????????e????@%SystemRoot%\system32\bdesvc.dll,-100????????????????????????????Z??o????????h?????%SystemRoot%\System32\svchost.exe -k netsvcs????????????????t??????? ?????????????N??o?????????n????@%SystemRoot%\system32\bdesvc.dll,-101???????????o??????????? ???o??????????????localSystem?????????????????????????? B??o????????????????`??o???,??????????????SeChangeNotifyPrivilege?SeImpersonatePrivilege????????,??o???????????????????????????????????????o?o?o?o?o?o?o?o?o?o????? ???????o???????????o?,??????,?B??? ???????????????????????????????????%SystemRoot%\System32\bdesvc.dll????? ???????o???????????o??????????????????????????????0????????????????`???????????????????? ??????????? ?????????????????????????????????????????? ???????o?????????????,????????????????e??????o???o???o???o????? ???????o?????o???????????????????????????o????? ???????o???????????o????????????????0
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ????er??????????????*6to4mp???????????????N???????????D??3???????e??{4d36e97d-e325-11ce-bfc1-08002be10318}\0012??????????????????????????????????/?????s?????g?g?k?k??????????:????????g?z?????????????????s7-???????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????????????????????????????ir????????????????????????????????????????????R????????????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsoft???????????????????e?????????????????????????????????????????????:??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`???????????????????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??system32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N??????T????D03???MONITOR\SAM0373????
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ?????????????????????????????????k???k??????d_??????????????????? ???????2???????2???????????\??0.????????????N?????????????????? l?????????????????winusb.sys??HJ??????????tunnel?\C:??? ???????'???????'??????????????????? l??????????????????????????????????????????d????????????N????????????D????? l????????????ms_???????`???????????e??????ta???&????????????????????<??????i??????????TD??????????????????d???????????????????????????????????b????????????????????????????????????????g??disk.inf?????????????e???h??{745a17a0-74d3-11d0-b6fe-00a0c90f57da}?-51???????????x???????`?`?`?`?u?`?????e??????????disk.inf????????t????????????????????????????????????A??????????????????????????????????????????????text?x???????k??????s)??int?????? ???????.???????????????k???-??b3???????q???????????l????0?????????????????????????????????????????????????? ?????????????????????1????????6???????????????????????????????volsnap.inf?????????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1???
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37fcb2e9 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Bind ???p?q??? ???????T?????T?????-?,????????$???<???????????????????????????????????\\?\Root#volmgr#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}?????? ???????T???????????-?,????????z?????#?????LPTENUM\MicrosoftRawPort\5&b35a8ac&0&LPT1?????Z??U???????????????T??????????????????? ???????T?????????????,????????????&???????????????????????\\?\HDAUDIO#FUNC_01&VEN_8384&DEV_76A0&SUBSYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureTopo???\\?\HDAUDIO#FUNC_01&VEN_8384&DEV_76A0&SUBSYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureWave???\\?\LPTENUM#MicrosoftRawPort#5&b35a8ac&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}????\\?\DISPLAY#AUO2274#4&2615384a&0&UID67568640#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????\\?\DISPLAY#DELA02E#4&2615384a&0&UID50529024#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????ACPI\PNP0501\4&1d374948&0????????U????????????????4??U???????????????????U???????????????????.??????s???USBSTOR\Disk&Ven_2.0&Prod_&Rev_5.00\2609090
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???q?q??tunnel????????????????????????????????N??s????????h???????6??z????????h?????? :??????i?????{57???r?r????TDI?????Cryptography????????????????????????.NT?????????????? ???????o???????????p????????(?4?]??????????????????5????????????????????????6??q?????????e?????????????????|???|?????????????g????????????????????Tdx?nsi?????RpcSs???????Pointer Class?????X??t?????????e?????p???p?q?q??????????????????em??6-21-2006?????????????V????????????n????? ???????o?????q????Pq?2??????$?h?_???????????N??p?????????e????@%SystemRoot%\System32\dnsapi.dll,-101???????????p??????p?????h??p????????h?????%SystemRoot%\system32\svchost.exe -k NetworkService???????N??p?????????n????@%SystemRoot%\System32\dnsapi.dll,-102?????????q0????p??? 8??p??????????????NT AUTHORITY\NetworkService????????????????????????????q????TDI?????????????????t??????? ?????????????,? q???????????????????p???????????e??????????????????????? F??q???????????????q????b??p??????????????????SeChangeNotifyPrivilege?SeCreateGlobalPrivilege??????????q?????????
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Bind ???`?k?????_???_????????2????????????????[?\?\??????d???????????????1???????????????1???????????????5???????????????1???????????????d???????????????1???????????????1???????????????? ???????\???????????-?*??????????????6??????z?_?|???????/??????s????????`??? ???????[???????????/?*??????????????0???????N??a?????????D????*6to4mp??????`?`?_???|?|?|??????????????t????????????????]??????????????????????USB???????t?????????????{4d36e972-e325-11ce-bfc1-08002be10318}?fig????N??f???.???????e????d??|????????h???????6??h?????????????n?3??? ???h???/?????0?/??blbdrive????????1???????????????2???????????????1???????????????5????????????????????\??????????5???????????????1????????????[?\?\???[??????????????? ???????[???????????[?*???????? ??????x86??? ???????[?????????????*??????@??????????????????`???????????_???????????|?|?|???`???`???f?f?f???e?e????????????????????????? V??g???????????????}?v?|???????????????????????????????|??????????????????? ??????????????ACPI\PNP0103?*PNP0103??dIn???????????|??????????? .??e???e?????
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ?????\???????:???????????????0??????????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{C721F45B-645C-452F-9AF9-D331521F7186}] DATAGRAM 23?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{01A05210-FE2A-4176-B455-431976E5CE25}] SEQPACKET 22????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????l??????????????????????????????????????????????????????????????????????
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 112
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@CrawlType 2
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@InProgress 1
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@DoneAddingCrawlSeeds 0
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@IsCatalogLevel 0
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@LogStartAddId 2
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 113

    ---- EOF - GMER 1.0.15 ----
    --------------------------------------------------------------------------------------------------------------------------------------

    DDS also freezes my laptop or just runs for hours without generating anything.

    Doing my own research I came across ‘bootkit remover’, unfortunately no success…
    Here are the results.

    Just opening the boot_cleaner.exe:
    --------------------------------------------------------------------------------------------------------------------------------------
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
    --------------------------------------------------------------------------------------------------------------------------------------

    When running this script:
    --------------------------------------------------------------------------------------------------------------------------------------
    @ECHO OFF
    START
    boot_cleaner.exe fix \\.\PhysicalDrive0
    EXIT
    --------------------------------------------------------------------------------------------------------------------------------------

    I get:
    --------------------------------------------------------------------------------------------------------------------------------------
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00
    Restoring boot code at \\.\PhysicalDrive0...
    ATA_Write(): DeviceIoControl() ERROR 1
    ERROR: Can't write first sector of the disk.

    Done;
    Press any key to quit...
    --------------------------------------------------------------------------------------------------------------------------------------
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! It is obvious you have a problem. However, running a Bootkit Remover at this stage isn't appropriate.

    We begin with this: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ----------------------------
    Download aswMBR to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan:
      [​IMG]
    • On completion of the scan click "Save log", save it to your desktop
    • Post in your next reply:
    [​IMG]
    ============================================
    Please follow the link in the thread for Malwarebytes.
    ==========================================
    For DDS:
    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with you registry, say Yes.

    You should then be able to run DDS.scr. It's the .scr file extension causing the problem.
    ==========================================
    If the above does not permit DDS to run- let me know- don't try a workaround.
    =========================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ======================================
    Note: if Combofix won't run, do the following:
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    -------------------------------------
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on friday.exe to run
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    In you have done #2, please post BOTH logs, rKill and Combofix.
    =========================================
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ==========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
  3. dameista

    dameista TS Rookie Topic Starter

    Hi Bobbye,

    Thanks already for your help.

    I haven't had much time yet to try all your instructions, but I have encountered some problems with the ones I did try: (also tried all of these in Safe Mode, same results)

    aswMBR: the process starts running in Task Manager, but closes after a few seconds; the program does not run

    You say "please follow the link in the thread for Malwarebytes"; do you mean that I should run it again? Which thread are you pointing to?

    DDS: it was possible to run the program from the start, scripts were not blocked. The problem is that it just keeps on running (# signs as progress bar) for more than half an hour before I gave up; while the comments in the program tell me it should not take more than 10mins.

    Combofix: took me a couple of attempts before it started running in the command prompt interface (the 'installing' portion seems to work, it creates some new folders for the Recovery Console), also just keeps going for 45mins without results.

    RKILL: tried these to fix Combofix, same results
    FYI: the link for Rkill.pif gives '404 error'

    Should I try to run all of these again or are we going to try other options? Would it help if I performed a format/clean Windows install? (won't be able to do that anytime soon)

    Thanks again!
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's run this before trying again:

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
  5. dameista

    dameista TS Rookie Topic Starter

    I'm running Win7 (no SP); Dell OEM, it's my work laptop :p

    MGAdiag:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-GPVWB
    Windows Product Key Hash: +B8zzCf9TVkFsQGwJyD6Y4hf7OI=
    Windows Product ID: 55041-049-7898944-86545
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7600.2.00010100.0.0.004
    ID: {49EF3FA3-859B-4B2D-87EF-31CCC2653BE7}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000000
    Build lab: 7600.win7_gdr.110622-1503
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{49EF3FA3-859B-4B2D-87EF-31CCC2653BE7}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.004</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-049-7898944-86545</PID><PIDType>6</PIDType><SID>S-1-5-21-1113351721-2156225385-3591330761</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude D830 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="4"/><Date>20080403000000.000000+000</Date></BIOS><HWID>48BA3607018400FA</HWID><UserLCID>0813</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Romance Standard Time(GMT+01:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>M08 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-049-789894-03-2067-7600.0000-0192010
    Installation ID: 013731633012546501601872328162290706072002502376469314
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: GPVWB
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 29/12/2011 16:53:06

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 11:28:2011 12:31
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: OgAAAAIABAABAAIAAQABAAAAAwABAAEAJJTIvf80Z4DC30aD/JDYQQ4s8FZs943vHOnsg5bhpFkqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name OEMID Value OEMTableID Value
    APIC DELL M08
    FACP DELL M08
    HPET DELL M08
    MCFG DELL M08
    ASF! DELL M08
    TCPA
    SLIC DELL M08
    SSDT PmRef CpuPm
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It appears that the Windows Networking Stack may have become corrupt. Drivers and Services cannot work:
    System32\drivers\raspppoe.sys
    MONITOR\SAM0373> possibly Sync Master

    System32\bdesvc.dll >> BitLocker Drive Encryption Service

    system32\drivers\battc.sys >> Battery Class Driver

    LanmanServer\Linkage@Bind >> Windows networking stack,

    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Product Name: Windows 7 Enterprise

    Because this is your work computer, licensed to the business and because you are unable to run scans needed to find and remove malware, I am going to refer you to the IT for your work.
  7. dameista

    dameista TS Rookie Topic Starter

    Actually, I am the IT for my work :) Just not an expert at malware cleaning...
    We're an IT company and each have to manage our own pc/laptop...

    Just tell me what to do like you would anybody else. Would a format/reinstall be a start?
    If so, I'll do that when I have time and create a new thread with the basic diagnostic logs for you. (the bootkit virus probably won't be gone after a low level Windows Setup format I presume)

    Thanks again!
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Understand that in this forum, we find and try to remove malware. We will try a different approach with the understanding that while it should not damage the system, it could also have no affect on the system.

    The presence of these in the GMER log:
    All being questioned by the program, do not, to me, make it clear whether this is a software or hardware problem, or both.
    ===========================================
    Please download Farbar Service Scanner
    • Check Include all files option
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    =========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ============================================
    And we can try this again:
    Bootkit Remover:
    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program, )
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users,right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Results should be one of the following:
    1. OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    2. Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    3. Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    ==============================================
    If the scan returns #3 as before, run the following:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run remover.exe again and post its output.

    When done, run remover.exe again and post its output.
    ======================================
    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.