Google search redirected, 8 steps results

tonytony
Hello, my Google search results are being redirected to random sites, so I ran a scan of my whole computer using AVG anti-virus version 8.5.339. The following are the results under rootkits. The first one is a hidden driver while the rest are hidden files.

C:\WINDOWS\system32\drivers\kungsfjmelmuit.sys
c:\WINDOWS\system32\drivers\kungsfjmelmuit.sys
c:\WINDOWS\system32\drivers\kungsfjmelmuit.sys.rmv.rmv
c:\WINDOWS\system32\drivers\kungsfjmelmuit.sys.rmv.rmv.rmv.rmv
c:\WINDOWS\system32\drivers\kungsfjmelmuit.sys.rmv.rmv.rmv.rmv.rmv.rmv
c:\WINDOWS\system32\kungsfkoejuogl.dll.rmv
c:\WINDOWS\system32\kungsfkoejuogl.dll.rmv.rmv.rmv
c:\WINDOWS\system32\kungsfkoejuogl.dll.rmv.rmv.rmv.rmv.rmv.rmv
c:\WINDOWS\system32\kungsfqnepjyow.dll.rmv
c:\WINDOWS\system32\kungsfqnepjyow.dll.rmv.rmv.rmv
c:\WINDOWS\system32\kungsfqnepjyow.dll.rmv.rmv.rmv.rmv.rmv.rmv
c:\WINDOWS\system32\kungsftuljdvjj.dat.rmv
c:\WINDOWS\system32\kungsftuljdvjj.dat.rmv.rmv.rmv
c:\WINDOWS\system32\kungsftuljdvjj.dat.rmv.rmv.rmv.rmv.rmv.rmv
c:\WINDOWS\Temp\kungsfptwmdvtnbv.tmp.rmv.rmv.rmv.rmv.rmv.

I pressed the "Remove all unhealed" button and the following message appeared.

"Object is hidden by a rootkit technique (which is usually used by a malicious software) Do you really want to remove it?"

I clicked yes; the same message appeared about 6 more times and I clicked yes on all of them. It then required me to restart my PC, which I did. But to no avail: my Google searches still get redirected. I ran another AVG scan only to yield the same results. Thing is, when I run MBAM and SuperAntiSpyware they don't detect anything. Which gives me the feeling that I am royally screwed here. Attached are my 8 STEPS logs. Any help would be greatly appreciated.
 
Hello tonytony

Viewpoint is considered foistware and is not needed on your computer.
Download and unzip to its own folder on the Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
 
Thanks for your help, I did everything as instructed. Attached is the ComboFix log. Oh, and by the way, is it normal that I suddenly have an Internet Explorer icon on my desktop? Because it wasn't there from the beginning (I never use it).
 
It is ComboFix that creates the Internet Explorer icon on the desktop.

Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
Folder::
c:\program files\BitTorrent
c:\program files\LimeWire

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
OK, sorry it took so long to reply; I had to go to work. Anyway, I did everything as instructed. Attached are the new CF logs.

Also, AVG detected something and I pressed heal.

"Virus identified Packed.Rolex";"C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP860\A0376684.sys";"Moved to Virus Vault";"6/2/2009, 7:37:31 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Thanks again.
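The hidden-file list in tonytony's first post and the AVG result line quoted above, as an added defender-side example that is not part of the thread (helper names are mine; the sample paths and the result line are constructed from the thread):

```python
import csv
import ntpath
import os
import re
from collections import Counter

# Constructed sample input: a subset of the paths AVG listed under "rootkits"
# and the single AVG result line quoted in the thread.
HIDDEN_FILES = [
    r"C:\WINDOWS\system32\drivers\kungsfjmelmuit.sys",
    r"c:\WINDOWS\system32\drivers\kungsfjmelmuit.sys.rmv.rmv",
    r"c:\WINDOWS\system32\kungsfkoejuogl.dll.rmv",
    r"c:\WINDOWS\system32\kungsfkoejuogl.dll.rmv.rmv.rmv",
    r"c:\WINDOWS\system32\kungsftuljdvjj.dat.rmv",
    r"c:\WINDOWS\Temp\kungsfptwmdvtnbv.tmp.rmv.rmv.rmv.rmv.rmv.",
]
AVG_LINE = (r'"Virus identified Packed.Rolex";'
            r'"C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP860\A0376684.sys";'
            r'"Moved to Virus Vault";"6/2/2009, 7:37:31 PM";"file";"C:\WINDOWS\system32\svchost.exe"')

# One or more trailing ".rmv" tags, optionally ending in a bare dot.
RMV_SUFFIX = re.compile(r"(?:\.rmv)+\.?$", re.IGNORECASE)

def canonical_name(path):
    """Drop the repeated .rmv suffixes and fold case (NTFS paths are case-insensitive)."""
    return RMV_SUFFIX.sub("", path).lower()

def group_hidden_files(paths):
    """Collapse the many renamed copies down to the distinct underlying files."""
    return Counter(canonical_name(p) for p in paths)

def shared_prefix(paths):
    """Longest common prefix of the base file names: random-looking names that
    all share one prefix point at a single dropper rather than unrelated files."""
    names = [ntpath.basename(canonical_name(p)) for p in paths]
    return os.path.commonprefix(names)

def parse_avg_detection(line):
    """Split AVG 8.5's quoted, semicolon-separated result line into named fields."""
    fields = next(csv.reader([line], delimiter=";", quotechar='"'))
    det, path, action, when, obj_type, process = fields
    return {
        "detection": det, "path": path, "action": action, "time": when,
        "object_type": obj_type, "process": ntpath.basename(process),
        # A hit under System Volume Information is a System Restore copy of a
        # file, not a file in active use on the live system.
        "in_restore_point": "system volume information" in path.lower(),
    }
```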
 
Looks like everything is running smoothly now; Google searches are no longer being redirected. So the svchost.exe that AVG caught after I ran ComboFix shouldn't be a problem either?
 
Well, I uploaded it to VirusTotal and it looks like it didn't find anything on it.

It's just that AVG Resident Shield has already detected it twice. The infection is called Virus Identified Packed.Rolex.

Thanks again for taking time to help me.

Attached results
 
OK. Then you're good to go :)

Click START, then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, select "2".
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
http://www.spywareinfoforum.com/index.php?showtopic=60955
 
Hello,

I also am infected with the Packed.Rolex virus. I use AVG and have scanned/removed the virus in Safe Mode, but when I restarted my system and scanned again, it reappeared and seems to keep duplicating.

Any help would be appreciated.
 
Help

I have the exact same problem but I don't know what to do next for my system. Here is my combofix.txt file. Please help me if you can; it would be much appreciated. I have already run the Viewpoint killer and ComboFix, as you can see from the attachment.

Thanks, kronbergk
 
Realization

I realize now that I should ask my own questions, but everything seems to work now for me. Sorry if I did something wrong, but it worked: AVG is no longer finding any Packed.Rolex viruses on my computer.
 
Hi.

I got the Packed.Rolex infection two days ago. On my PC I have two systems installed on different hard drives. The infected system is on a hard drive on its own.

At first I had no idea how to fix it, but then I just switched over to the other system on the other hard drive and did a scan of the whole computer with AVG, and Packed.Rolex was removed.

Maybe just an idea of how to solve the problem, and other similar problems, very easily.
Of course it will not work if you have two systems on the same drive hidden from each other.

The same method could work from a boot disk of some kind with AVG installed on it...