TechSpot

Infected with Guard Online and Google Redirect

Solved
By dshoff115
Oct 11, 2011
  1. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    If you disabled what you could and Combofix issues a warning, but it can proceed, go ahead and run it.
     
  2. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Combofix is still stuck on the same screen as the previous time I ran it, saying "scanning.....typically doesn't take more than ten minutes." It has been running for 20 minutes and has not said anything other than scanning....

    Should I do something else?
     
  3. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Leave it on. Update me in another 20 minutes.
     
  4. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Sorry it's still on the same screen.
     
  5. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Stop Combofix.

    See if aswMBR will run now.
    If so post its log.

    Also....

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      tdx.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  6. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    aswMBR kept stopping in the middle, but I managed to save the log before it closed out when it found a problem. I will do the other step now. Here is the log.

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-13 21:26:15
    -----------------------------
    21:26:15.630 OS Version: Windows 6.0.6002 Service Pack 2
    21:26:15.630 Number of processors: 2 586 0x1706
    21:26:15.632 ComputerName: HOME-PC UserName: Home
    21:26:19.300 Initialize success
    21:26:24.154 AVAST engine defs: 11101200
    21:26:29.013 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    21:26:29.015 Disk 0 Vendor: Hitachi_HTS543232L9A300 FB4OC40C Size: 305245MB BusType: 3
    21:26:31.094 Disk 0 MBR read successfully
    21:26:31.096 Disk 0 MBR scan
    21:26:31.101 Disk 0 Windows VISTA default MBR code
    21:26:31.106 Disk 0 scanning sectors +625140400
    21:26:31.202 Disk 0 scanning C:\Windows\system32\drivers
    21:26:52.928 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Crypt-KMR [Trj]
    21:26:56.700 Service scanning
    21:27:00.826 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
    21:27:00.843 The log file has been saved successfully to "F:\aswMBR.txt"
     
  7. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Here is the SystemLook log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:30 on 13/10/2011 by Home
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "tdx.sys"
    C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353

    -= EOF =-
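The SystemLook output above can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from SystemLook itself: it parses the ":filefind" result lines and, for the live driver in System32, reports which WinSxS copies of the same file carry the same MD5 and which differ, using the three lines posted above as input.

```python
import re

# Shape of a SystemLook ":filefind" result line (as in the log posted above):
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

def parse_filefind(log_text):
    """Return one dict per result line; header, 'Searching for' and EOF lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["in_store"] = "\\winsxs\\" in e["path"].lower()   # WinSxS component store copy?
        entries.append(e)
    return entries

def compare_live_to_store(entries):
    """For every live (non-WinSxS) file, split the WinSxS copies with the same file name
    into those whose MD5 matches the live copy and those whose MD5 differs. A live driver
    matching no store copy deserves a closer look; a match only proves the two copies are
    identical, not that either of them is clean (here aswMBR flagged the live file anyway)."""
    report = {}
    for live in (e for e in entries if not e["in_store"]):
        store = [e for e in entries if e["in_store"] and e["name"] == live["name"]]
        report[live["path"]] = {
            "md5": live["md5"],
            "matching_store": [s["path"] for s in store if s["md5"] == live["md5"]],
            "differing_store": [s["path"] for s in store if s["md5"] != live["md5"]],
        }
    return report

# The three result lines from the SystemLook log in the post above (raw string, because
# the paths contain \x and \n sequences that must stay literal).
SAMPLE_LOG = r"""
C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
-= EOF =-
"""

if __name__ == "__main__":
    print(compare_live_to_store(parse_filefind(SAMPLE_LOG)))
```

On the posted log this shows the live tdx.sys hash equal to the 6.0.6002 store copy and different from the 6.0.6001 copy, which is the copy the next post restores from.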
     
  8. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys C:\Windows\System32\drivers\tdx.sys
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\

    Post a new SystemLook log as well.
     
  9. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    I ran the program and the computer has been restarting for about ten minutes. Should I wait a little while longer or manually boot the computer? I really appreciate your help on this.
     
  10. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Wait a bit.
     
  11. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Still restarting.....
     
     
  12. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Restart manually.
     
  13. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    I got an error saying Windows was unable to start. Windows startup repair is currently running now. Should I let this run?
     
  14. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Go ahead...
     
  15. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    It's asking if I want to restore using System Restore. Restore or Cancel?
     
  16. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    We have no choice. Restore.
     
  17. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Ok it's restoring. Will I lose anything?
     
  18. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    No................
     
  19. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    OK Windows has restarted
     
  20. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Are you back at your desktop?
     
  21. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    Yes, I am back at my desktop...
     
  22. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Delete your Combofix file, download a fresh one and see if it'll run.
     
  23. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    I have a different message on combofix this time stating the System cannot find the file NIRKMD.
     
  24. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    ...and it refuses to run?
    Did you get fresh copy?
     
  25. dshoff115

    dshoff115 TS Rookie Topic Starter Posts: 62

    I deleted the old one and downloaded a fresh one. I got three error messages saying it can't find the file, and now it's scanning for files - same screen as the previous times I ran it. You mentioned it would say stage 1, stage 2, etc., but that hasn't happened any time I have run Combofix.
     