[Inactive] Redirect virus won't die

By joeystar
Feb 7, 2010
Topic Status:
Not open for further replies.
  1. Hi,
    I'm running WIN XP, SP 2. Recently got this re-direct virus affecting both Firefox and IE.

    I've run complete scan/repair processes with:

    AVG
    Super AV
    Malware Bytes

    Sometimes it finds infected items and fixes them but this thing keeps coming back. I really don't want to do a new OS install as my drivers are very tricky to load on this machine.

    I've also tried numerous other fixes including this one (http://www.techspot.com/vb/topic127425.html) but I'm not sure I'm doing right as I don't know if all these log files they refer to are general or relative to the computers of the person in the thread.

    I did run some of these and got the following logs in the attached files.

    I'm going nuts with this! Is there any real solution to this or should I just bite the bullet and re-install Windows?

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
  3. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Log File


    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK


    I don't know what this is but thanks!
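What the MBR detector's log above reports is a structural read of sector 0 done two ways (through the normal user-mode API and from kernel mode, past any filter drivers), and a check that the two agree. The following is an added example and not the GMER tool's code: it parses a constructed 512-byte MBR (not an image of the poster's disk), runs the structural sanity checks a practitioner would apply to sector 0, and shows the user-versus-kernel comparison as a byte diff. The sample MBR, its partition entry and the "tampered" boot-code bytes are all assumptions made up for the demo.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
TABLE_OFFSET = 446
ENTRY_LEN = 16
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Constructed 512-byte MBR for the demo (not from any real disk):
    filler boot code, one active NTFS-type partition starting at LBA 63."""
    boot_code = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    table = entry + b"\x00" * (ENTRY_LEN * 3)
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Split sector 0 into boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({"slot": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": bytes(sector[:BOOT_CODE_LEN]),
            "partitions": partitions,
            "signature_ok": bytes(sector[510:512]) == SIGNATURE}


def sanity_check(sector):
    """Structural checks only; an empty list means nothing obviously wrong."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 55AA boot signature")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected 1")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"slot {p['slot']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] == 0:
            problems.append(f"slot {p['slot']}: partition claims to start at sector 0")
    return problems


def diff_sectors(a, b):
    """Byte offsets at which two reads of the same sector disagree: sector 0 as
    returned through the normal API versus as read from kernel mode past any
    filter driver. Agreement is what the tool's 'user & kernel MBR OK' line means."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def tampered_copy(sector):
    """Constructed tampering for the demo: the first three boot-code bytes are
    replaced by a short jump, the shape of change that diverts the boot path."""
    t = bytearray(sector)
    t[0:3] = b"\xeb\x3c\x90"
    return bytes(t)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print("clean MBR problems:", sanity_check(clean) or "none")
    print("partitions:", parse_mbr(clean)["partitions"])
    print("user vs kernel read differ at offsets:", diff_sectors(clean, tampered_copy(clean)))
```

Two caveats apply to reading the tool's "OK". Agreement between the two reads rules out a hook that hands user-mode readers a falsified sector 0; it says nothing about patched driver files or hooks elsewhere, which is why the thread moves on to driver hashes. And a structurally valid MBR is not a clean one: the checks above catch corruption, not a bootkit that keeps the table intact and only changes the code bytes, which is what the byte diff against a trusted read is for.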
  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    How is redirection issue?
  5. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Issue

    Basically, either in firefox or IE. I google anything. When I click on the link it takes me to an alternate page. Also seems to happen with any other search engine such as Yahoo etc.

    BTW - I am using XP

    Thanks
  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
  7. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    no reboot

    Kenco by jpshortstuff (31.12.09.1)
    Log created at 21:12 on 09/02/2010 (JF)

    ========== Task Unlocker ==========

    ========== KencoScan ==========

    ========== C:\WINDOWS\Tasks ==========
    RegCure Program Check.job -> [18:07 08/02/2010] 384 bytes
    RegCure Startup.job -> [18:07 08/02/2010] 372 bytes
    RegCure.job -> [18:07 08/02/2010] 366 bytes

    -=E.O.F=-
  8. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    additional

    just confirmed....redirect is still occurring
  9. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
  10. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Very Strange

    I downloaded and ran Rootrepeal. At the end of the process my system automatically restarted. I saw no report and the only thing I was left with was a .dat file on my desktop....Attached.

    Thoughts?

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Please, re-run it.
  12. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Re-Run

    I did actually run it three times with the same result. I'll try again. I'll sit and watch it this time.

    Thanks
  13. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK, leave it for now...

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    OTL & Extras Logs

    Sorry...OTL and Extras Logs were too long to paste and thus not permitted here....I attached them....

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Please, uninstall RegCure. No registry tools are ever recommended.

    =========================================================================

    I recommend, you remove NVIDIA ActiveArmor hardware firewall built into nVidia nForce motherboard chipsets.
    It's known for causing a lot of problems.

    Open Notepad.
    Copy, and paste text below:

    Save it as nvidia.bat

    Run it, by doubleclicking on nvidia.bat

    Restart computer.

    ==========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No CLSID value found.
      [2010/02/06 22:57:52 | 000,001,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
      [2010/02/05 22:12:49 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  16. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Latest Info

    I performed the procedure you noted above and received the following log. Not sure what this means however?
    ----

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}\ not found.
    C:\WINDOWS\system32\drivers\kgpcpy.cfg moved successfully.
    C:\SZKGFS.dat moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: JF
    ->Temp folder emptied: 1910838 bytes
    ->Temporary Internet Files folder emptied: 9724995 bytes
    ->Java cache emptied: 70324051 bytes
    ->FireFox cache emptied: 64320491 bytes
    ->Apple Safari cache emptied: 5635135 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 65536 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
    RecycleBin emptied: 119582098 bytes

    Total Files Cleaned = 261.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.1.28.0 log created on 02112010_105328

    Files\Folders moved on Reboot...
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_001_ moved successfully.
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_002_ moved successfully.
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_003_ moved successfully.
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_MAP_ moved successfully.
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\urlclassifier3.sqlite moved successfully.
    C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\XUL.mfl moved successfully.
    File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
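The [resethosts] command in the fix above replaced C:\WINDOWS\System32\drivers\etc\hosts, because the simplest way to send a search-engine click somewhere else is a hosts entry that maps the engine's name to an attacker's address (or pins the anti-malware vendors to 127.0.0.1 so their updates fail). The following is an added example, not OTL's code and not the poster's hosts file: it parses a constructed hosts file and flags entries of either kind. The sample file, the address 192.0.2.10 and the domain lists are assumptions made up for the demo.

```python
import ipaddress

# Constructed sample hosts file (not the poster's): the one line a default
# Windows XP hosts file contains, plus entries of the kind a hijack adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed hijack entries below ---
192.0.2.10      www.google.com google.com
192.0.2.10      search.yahoo.com
127.0.0.1       update.avg.com
"""

# Name suffixes whose presence in a home PC's hosts file is suspicious.
SEARCH_ENGINES = ("google.com", "yahoo.com", "bing.com", "ask.com")
SECURITY_VENDORS = ("avg.com", "malwarebytes.org", "superantispyware.com",
                    "windowsupdate.com", "gmer.net")


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts
    file. Comments and blank or unparsable lines are skipped; one line may map
    several names to the same address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def _in_domain(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_hijacks(text):
    """Return [(line_number, hostname, ip, reason)] for entries that redirect
    a search engine or pin a security vendor to a fixed address."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue  # the only entry a default XP hosts file carries
        if _in_domain(name, SEARCH_ENGINES):
            reason = "search engine blocked" if ip.is_loopback else "search engine redirected"
            findings.append((lineno, name, str(ip), reason))
        elif _in_domain(name, SECURITY_VENDORS):
            reason = "security vendor blocked" if ip.is_loopback else "security vendor redirected"
            findings.append((lineno, name, str(ip), reason))
    return findings


if __name__ == "__main__":
    for lineno, name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

To run it against a real XP machine, read C:\WINDOWS\System32\drivers\etc\hosts and pass the text to find_hijacks. Note what the thread itself shows: the hosts file was reset and the poster reports in a later post that the redirects continued, so on this machine the cause was not in hosts. A hosts hijack also redirects the engine's home page as well as clicked results, which is not the symptom described here; "click a result, land somewhere else, Back returns the right page" is the behaviour of something intercepting traffic below the browser, which is why the helper's next steps go after driver files.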
  17. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Additionally

    I was prompted on re-boot to run OTL so I did the quick scan again. Posted here. Probably not necessary?

    It's attached here.

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    How is redirection issue?
  19. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Very Strange....

    Well, the re-direction is still happening. Man, this is a bad infection. I'm beginning to wonder if it's worth pursuing or given the time I'm spending it's worth biting the bullet and doing a re-install of windows....Would have already if the drivers on this Avid system were not so fussy.

    What do you think?

    I continue to (most of the time but not always) get redirected from the link I have searched to something completely irrelevant.

    Also odd is that when I click "back" on the browser it usually, but not always, takes me to the originally intended page.

    Your thoughts?
  20. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Oops...Also

    did you see the logs that I uploaded? Do they mean anything to you?
  21. Broni

    Broni Malware Annihilator Posts: 45,226   +243

  22. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    GMER Log

    This one took a while. Much longer process so sorry for the delay. The GMER log is attached.

    Attached Files:

  23. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\WINDOWS\system32\ReinstallBackups\0083\DriverFiles\nvata.sys | C:\WINDOWS\system32\drivers\nvata.sys
    

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:

    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply
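The OTL custom scan earlier in the thread hashed a fixed list of storage and chipset drivers (atapi.sys, nvata.sys, iaStor.sys and the rest between /md5start and /md5stop), and the Avenger script above replaces the live nvata.sys with the copy Windows kept under ReinstallBackups. The logic behind both steps is the same: a driver that has been patched in place no longer hashes the same as the untouched copy Windows keeps in System32\dllcache or in a ReinstallBackups folder. The following is an added example, not OTL's, Avenger's or Windows' code: it hashes each driver in a live folder and compares it with every backup copy it can find, and its demo builds a throwaway directory tree with constructed file contents (no real driver bytes) in which nvata.sys differs from its backup, atapi.sys matches, and AGP440.sys has no backup at all. Paths, folder names and file contents in the demo are assumptions.

```python
import hashlib
import os
import tempfile

# Driver names from the OTL /md5start list on this page (a subset).
DRIVERS = ["atapi.sys", "nvata.sys", "nvstor.sys", "iaStor.sys", "AGP440.sys"]


def md5_file(path):
    """Hex MD5 of a file, read in chunks. MD5 is used because it is what the
    scan reports; it identifies a file, it does not authenticate it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_copies(live_dir, backup_dirs, names=DRIVERS):
    """For each driver present in live_dir, hash it and every backup copy.
    Returns {name: (live_md5, {backup_path: md5}, verdict)} where verdict is
    'match', 'MISMATCH' or 'no backup'."""
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        if not os.path.isfile(live):
            continue  # not every chipset driver is installed on every machine
        live_md5 = md5_file(live)
        backups = {}
        for d in backup_dirs:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                backups[p] = md5_file(p)
        if not backups:
            verdict = "no backup"
        elif all(m == live_md5 for m in backups.values()):
            verdict = "match"
        else:
            verdict = "MISMATCH"
        report[name] = (live_md5, backups, verdict)
    return report


def demo():
    """Build a temporary tree mirroring the XP layout with constructed contents:
    drivers\\ (live), dllcache\\ and ReinstallBackups\\0083\\DriverFiles\\."""
    root = tempfile.mkdtemp(prefix="drvcheck_")
    live = os.path.join(root, "drivers")
    dllcache = os.path.join(root, "dllcache")
    reinstall = os.path.join(root, "ReinstallBackups", "0083", "DriverFiles")
    for d in (live, dllcache, reinstall):
        os.makedirs(d)
    clean_atapi = b"ATAPI-CLEAN" * 100          # constructed, not real driver bytes
    clean_nvata = b"NVATA-CLEAN" * 100
    # Constructed "patched" copy: same size, a handful of bytes changed in the
    # middle, which is exactly the case a size or date check would miss.
    patched_nvata = bytearray(clean_nvata)
    patched_nvata[500:508] = b"\xe9\x00\x10\x00\x00\x90\x90\x90"
    files = {
        os.path.join(live, "atapi.sys"): clean_atapi,
        os.path.join(dllcache, "atapi.sys"): clean_atapi,
        os.path.join(live, "nvata.sys"): bytes(patched_nvata),
        os.path.join(reinstall, "nvata.sys"): clean_nvata,
        os.path.join(live, "AGP440.sys"): b"AGP440" * 100,
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return compare_driver_copies(live, [dllcache, reinstall])


if __name__ == "__main__":
    for name, (live_md5, backups, verdict) in demo().items():
        print(f"{name:12s} {verdict:9s} live={live_md5}")
        for p, m in backups.items():
            print(f"{'':12s} backup    {m}  {p}")
```

On a real machine, point live_dir at C:\WINDOWS\System32\drivers and backup_dirs at C:\WINDOWS\System32\dllcache plus each C:\WINDOWS\System32\ReinstallBackups\*\DriverFiles folder. Two caveats a practitioner should keep in mind. First, a hash taken from inside the running, infected Windows can be lied to: a rootkit that filters disk reads (the reason the MBR detector earlier in the thread reads from kernel mode) can hand a clean copy of the file to anything that opens it, so a "match" is only trustworthy when the disk is hashed from a clean boot environment. Second, the backup copies are ordinary files and can be replaced as well; where vendor hashes for the driver version are available, compare against those rather than only against a local backup.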
  24. joeystar

    joeystar Newcomer, in training Topic Starter Posts: 18

    Question

    I'll do this now.

    Should I disable any firewalls?

    I forgot to mention that I can not re-boot in safe mode. The computer just shuts down when I try to do so.
  25. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    No, you don't have to disable anything.