[Inactive] Redirect virus won't die

Status
Not open for further replies.

joeystar

Posts: 18   +0
Hi,
I'm running WIN XP, SP 2. Recently got this re-direct virus affecting both Firefox and IE.

I've run complete scan/repair processes with:

AVG
Super AV
Malware Bytes

Sometimes it finds infected items and fixes them but this thing keeps coming back. I really don't want to do a new OS install as my drivers are very tricky to load on this machine.

I've also tried numerous other fixes including this one (https://www.techspot.com/vb/topic127425.html) but I'm not sure I'm doing it right as I don't know if all the log files they refer to are general or specific to the computer of the person in the thread.

I did run some of these and got the following logs in the attached files.

I'm going nuts with this! Is there any real solution to this or should I just bite the bullet and re-install Windows?
 

Attachments

  • cf.txt
    22.3 KB · Views: 3
  • CFLog2.txt
    22.7 KB · Views: 2
  • CFScript.txt
    129 bytes · Views: 2
  • ViewpointKiller.log
    6.2 KB · Views: 2
Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.
 
Log File


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


I don't know what this is but thanks!
 
Issue

Basically, either in Firefox or IE, I google anything. When I click on the link it takes me to an alternate page. Also seems to happen with any other search engine such as Yahoo etc.

BTW - I am using XP

Thanks
 
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

Download Kenco.exe to your desktop
  • Close all windows and run the program.
  • It won't take long to run.
  • Kenco will reboot the system if it finds anything.
  • Post the log it gives you (it will be saved in the same place as Kenco.exe).
 
no reboot

Kenco by jpshortstuff (31.12.09.1)
Log created at 21:12 on 09/02/2010 (JF)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
RegCure Program Check.job -> [18:07 08/02/2010] 384 bytes
RegCure Startup.job -> [18:07 08/02/2010] 372 bytes
RegCure.job -> [18:07 08/02/2010] 366 bytes

-=E.O.F=-
 
Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
 
Very Strange

I downloaded and ran Rootrepeal. At the end of the process my system automatically restarted. I saw no report and the only thing I was left with was a .dat file on my desktop....Attached.

Thoughts?
 

Attachments

  • settings.zip
    122 bytes · Views: 1
Re-Run

I did actually run it three times with the same result. I'll try again. I'll sit and watch it this time.

Thanks
 
OK, leave it for now...

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL & Extras Logs

Sorry...OTL and Extras Logs were too long to paste and thus not permitted here....I attached them....
 

Attachments

  • OTL.zip
    13.8 KB · Views: 4
  • Extras.zip
    7.2 KB · Views: 2
Please, uninstall RegCure. No registry tools are ever recommended.

=========================================================================

I recommend you remove the NVIDIA ActiveArmor hardware firewall built into nVidia nForce motherboard chipsets.
It's known for causing a lot of problems.

Open Notepad.
Copy, and paste text below:

c:
cd %windir%\system32\wbem\
rem stop the WMI service (and anything that depends on it) before touching its repository
net stop winmgmt /y
rem ping to localhost is used as a ~10 second pause so the service has time to stop
ping -n 10 127.0.0.1
rem delete the WMI repository and logs; WMI rebuilds the repository on its next start
rmdir /s /q repository
rmdir /s /q Logs
mkdir Logs
net start winmgmt
ping -n 10 127.0.0.1
exit

Save it as nvidia.bat

Run it, by double-clicking on nvidia.bat

Restart computer.

==========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No CLSID value found.
    [2010/02/06 22:57:52 | 000,001,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
    [2010/02/05 22:12:49 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
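The two file entries in the OTL fix above follow OTL's custom-scan line layout: [date time | size | attributes | M/C] (publisher) -- path. The lines that got fixed share the traits a helper looks for when reading such a log: a hidden file in the drive root, a non-driver file parked in the drivers directory, no publisher name. The following parser and triage routine is an added example for this thread, not code from OTL or from anyone in it; the Microsoft driver line is constructed for contrast, and the reading of the attribute column (an H in the four-character field means hidden, as in the -H-- entry above) is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Two entries copied from the OTL fix above plus one constructed benign
# driver entry for contrast (the Microsoft line is made up for this example).
SAMPLE_OTL_LINES = [
    r"[2010/02/06 22:57:52 | 000,001,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg",
    r"[2010/02/05 22:12:49 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat",
    r"[2008/04/14 00:12:00 | 000,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\acpiec.sys",
]

# Layout as seen in the thread: [date time | size | attrs | M/C] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<stamp>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


class OtlEntry(NamedTuple):
    timestamp: str
    size: int
    attrs: str
    company: str
    path: str


def parse_otl_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file line; returns None for lines in another format."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        timestamp=f"{m['date']} {m['time']}",
        size=int(m["size"].replace(",", "")),   # "000,001,344" -> 1344 bytes
        attrs=m["attrs"],
        company=m["company"].strip(),
        path=m["path"].strip(),
    )


def triage(entry: OtlEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty = nothing odd)."""
    reasons = []
    p = entry.path.lower()
    # Assumption: an 'H' in the four-character attrs field marks a hidden file,
    # matching the -H-- shown for C:\SZKGFS.dat in the thread.
    if "H" in entry.attrs:
        reasons.append("hidden attribute set")
    if p.count("\\") == 1:                       # e.g. c:\szkgfs.dat
        reasons.append("file sits in the drive root")
    if "\\drivers\\" in p and not p.endswith(".sys"):
        reasons.append("non-.sys file in the drivers directory")
    if not entry.company:
        reasons.append("no publisher recorded")
    return reasons


def flagged_paths(lines) -> set:
    """Paths from a batch of OTL lines that have at least one triage reason."""
    out = set()
    for line in lines:
        entry = parse_otl_entry(line)
        if entry is not None and triage(entry):
            out.add(entry.path)
    return out


if __name__ == "__main__":
    for line in SAMPLE_OTL_LINES:
        entry = parse_otl_entry(line)
        print(entry.path, "->", ", ".join(triage(entry)) or "nothing unusual")
```

Run against a full OTL.txt the same rules surface the handful of entries worth checking by hand; a missing publisher on its own is a weak signal, which is why the routine reports reasons rather than a verdict.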
 
Latest Info

I performed the procedure you noted above and received the following log. Not sure what this means however?
----

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}\ not found.
C:\WINDOWS\system32\drivers\kgpcpy.cfg moved successfully.
C:\SZKGFS.dat moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: JF
->Temp folder emptied: 1910838 bytes
->Temporary Internet Files folder emptied: 9724995 bytes
->Java cache emptied: 70324051 bytes
->FireFox cache emptied: 64320491 bytes
->Apple Safari cache emptied: 5635135 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 119582098 bytes

Total Files Cleaned = 261.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.28.0 log created on 02112010_105328

Files\Folders moved on Reboot...
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\XUL.mfl moved successfully.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...
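The [resethosts] command in the fix above replaced the hosts file, and the log confirms it ("HOSTS file reset successfully"). A search-redirect infection commonly edits that file to point search engines at an attacker-chosen address and to block security vendors' sites, so checking it is a quick first test when every browser on the machine redirects. The checker below is an added example for this thread, not OTL's code or anything posted by its participants; the sample hosts content and the list of watched domains are constructed.

```python
import ipaddress

# Constructed sample of a Windows hosts file (the real one on XP is
# %SystemRoot%\System32\drivers\etc\hosts). The non-localhost lines are
# made up to show what a search-redirect hijack typically leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# lines below are constructed for this example
85.0.0.1        www.google.com
85.0.0.1        search.yahoo.com
127.0.0.1       www.avg.com
127.0.0.1       www.malwarebytes.org
192.168.1.20    fileserver
"""

# Domains a redirect infection commonly tampers with: search engines and
# the update/download sites of security vendors (list is an assumption).
WATCH_DOMAINS = (
    "google.com", "yahoo.com", "bing.com",
    "avg.com", "malwarebytes.org", "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples; comments and blank lines skipped.
    A line whose first field is not an address is kept with ip=None."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((line_no, None, body))   # malformed, kept for review
            continue
        for host in fields[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def check_hosts(text):
    """Classify every hosts entry. Returns (kind, line_no, host, ip) tuples
    for entries worth a look; a stock hosts file yields an empty list."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip is None:
            findings.append(("malformed", line_no, host, ""))
        elif host == "localhost":
            continue
        elif ip.is_loopback or ip.is_unspecified:
            # 127.x / 0.0.0.0 mappings silently block the name; that is a
            # problem when the name belongs to a search engine or AV vendor
            if is_watched(host):
                findings.append(("blocked", line_no, host, str(ip)))
        elif ip.is_private:
            # LAN names pointed at RFC 1918 addresses are usually legitimate
            findings.append(("lan-mapping", line_no, host, str(ip)))
        else:
            # a public-address override for any name is how redirects are done
            findings.append(("redirected", line_no, host, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, line_no, host, ip in check_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:>3}: {kind:<11} {host} -> {ip}")
```

The file is read as text, so the check works on a copy pulled from a suspect machine as well as on the live file. A hosts file that comes back clean while the redirects continue points elsewhere (browser add-ons, a DNS setting, or the MBR and driver areas the thread goes on to check).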
 
Additionally

I was prompted on re-boot to run OTL so I did the quick scan again. Posted here. Probably not necessary?

It's attached here.
 

Attachments

  • OTL2.zip
    12.3 KB · Views: 1
Very Strange....

Well, the re-direction is still happening. Man, this is a bad infection. I'm beginning to wonder if it's worth pursuing or, given the time I'm spending, it's worth biting the bullet and doing a re-install of Windows... Would have already if the drivers on this Avid system were not so fussy.

What do you think?

I continue to (most of the time but not always) get redirected from the link I have searched to something completely irrelevant.

Also odd is that when I click "back" on the browser it usually, but not always, takes me to the originally intended page.

Your thoughts?
 
GMER Log

This one took a while. Much longer process so sorry for the delay. The GMER log is attached.
 

Attachments

  • GMER_LOG.zip
    12.2 KB · Views: 3
1. Please download The Avenger to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Code:
Begin copying here:
Files to move:
C:\WINDOWS\system32\ReinstallBackups\0083\DriverFiles\nvata.sys | C:\WINDOWS\system32\drivers\nvata.sys


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
 
Question

I'll do this now.

Should I disable any firewalls?

I forgot to mention that I cannot re-boot in safe mode. The computer just shuts down when I try to do so.
 