Logs attached, Google redirect, evidence of rootkit

By phanson
Jun 24, 2009
Topic Status:
Not open for further replies.
  1. Hello,

    I am trying to clean up a Vista machine (newer Toshiba, 32-bit Vista, Service Pack 1, Core 2 Duo).

    Symptoms:
    It has had a problem with Google result links redirecting to ad pages. I saw "rootkit" elements in some of the results from the preliminary work.

    Please take a look at the logs and let me know if there are any further steps that need to be taken.

    I also ran Avast and it found 3 files that were removed -
    File C:\Windows\System32\drivers\gxvxcqmvypeuinstwuvtpdtgdpsberwiqvtfc.sys is infected by Win32:Alureon-AW [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
    File C:\Windows\System32\gxvxcvgofsexwxwafbfrrcprdqtrpicuolsxg.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
    File C:\Windows\System32\gxvxcweeyyxbtmmcanxqvwxxuxlfyytadsvnc.dll is infected by Win32:Trojan-gen {Other}, Moved to chest

    The machine has "Windows Live OneCare" installed, and I believe I had the virus Real Time Monitoring turned off for this during the steps.

    Thank you for taking a look.

    Peter


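    The three Avast lines above are the only hard evidence in this post, so it is worth pulling them apart mechanically. Below is an added example (not from the thread or from Avast) that parses lines in that format, records the detection name, the repair result and the action taken, and then summarises what the quarantined files have in common: which ones are kernel drivers (.sys), which one Avast could not repair, and the longest filename prefix they share. The regular expression, the "random-looking name" heuristic (a stem of 20 or more lowercase letters) and the fourth, non-matching sample line are assumptions made for illustration.

```python
"""Parse Avast detection lines and summarise the quarantined files.

Added example, not part of the original thread. The line format regex and
the random-name heuristic are assumptions for illustration only.
"""
import ntpath
import re
from collections import Counter

# Constructed sample input: the three Avast lines quoted in the opening post,
# plus one made-up non-detection line to show that it is simply skipped.
AVAST_LINES = """\
File C:\\Windows\\System32\\drivers\\gxvxcqmvypeuinstwuvtpdtgdpsberwiqvtfc.sys is infected by Win32:Alureon-AW [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\\Windows\\System32\\gxvxcvgofsexwxwafbfrrcprdqtrpicuolsxg.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\\Windows\\System32\\gxvxcweeyyxbtmmcanxqvwxxuxlfyytadsvnc.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\\Windows\\System32\\drivers\\ndis.sys is clean
"""

# Assumed line shape: "File <path> is infected by <detection>[, Repair: <text>], <action>"
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<detection>[^,]+)"
    r"(?:, Repair: (?P<repair>[^,]+))?"
    r", (?P<action>[^,]+)$"
)

# Heuristic (assumption): a long all-lowercase stem with no recognisable words
# is typical of machine-generated file names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{20,}$")


def parse_avast_log(text):
    """Return one dict per detection line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = ntpath.basename(path)          # ntpath handles backslash paths on any OS
        stem, ext = ntpath.splitext(name)
        entries.append({
            "path": path,
            "dir": ntpath.dirname(path).lower(),
            "name": name,
            "detection": m.group("detection"),
            "repair": m.group("repair"),      # None when Avast reported no repair attempt
            "action": m.group("action"),
            "is_driver": ext.lower() == ".sys",
            "rootkit_tag": "[Rtk]" in m.group("detection"),
            "random_name": bool(RANDOM_NAME_RE.match(stem)),
        })
    return entries


def shared_prefix(names):
    """Longest common prefix of a list of file names ('' if nothing is shared)."""
    if not names:
        return ""
    prefix = names[0]
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def summarize(entries):
    """Aggregate the parsed entries into the facts a responder would want to see."""
    return {
        "count": len(entries),
        "shared_prefix": shared_prefix([e["name"] for e in entries]),
        "drivers": [e["name"] for e in entries if e["is_driver"]],
        "unrepaired": [e["name"] for e in entries
                       if e["repair"] and "not repaired" in e["repair"]],
        "random_named": sum(e["random_name"] for e in entries),
        "actions": dict(Counter(e["action"] for e in entries)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_avast_log(AVAST_LINES)).items():
        print(f"{key}: {value}")
```

    Run on the three quoted lines, the summary shows a single kernel driver that Avast could only quarantine, not repair, and a five-letter prefix shared by all three names; the shared prefix is a useful search key when checking the rest of System32 and the registry for files or services the scanner did not touch.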
  2. touch

    touch Newcomer, in training Posts: 978

    Hello phanson

    Please download combofix here ->
    ComboFix
    Before saving it to the Desktop, please rename it to 321.com to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
    scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted.
    Usually located in c:\combofix.txt, please attach it to your next post
  3. phanson

    phanson Newcomer, in training Topic Starter

    combofix log

    Touch,

    Thank you for helping me with my problem.

    Here is the ComboFix log file.

    Peter
  4. phanson

    phanson Newcomer, in training Topic Starter

    oops

    I see that I did not have everything turned off. I turned off the firewall and superantispyware and ran again.

    This log says windows defender is enabled, but it isn't.

    Peter


  5. touch

    touch Newcomer, in training Posts: 978

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop


    Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted.
    Usually located in c:\combofix.txt, please post it in your next reply, and tell me how things are running.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  6. ChrisDown

    ChrisDown Newcomer, in training Posts: 125

    Touch, I don't see what is wrong with those files, unless I'm missing something. Either way, it should be fine to delete them, but I don't see the point.

    If you think you have a rootkit, I'd suggest running GMER and uploading a log.
  7. phanson

    phanson Newcomer, in training Topic Starter

    latest log

    I ran the CFScript. It said it had to send some files to the server for further analysis.

    Here is the latest log.

    The computer seems faster. I tried google searches, and have not been redirected, but it was intermittent before. But searches seem particularly fast. Maybe the time of the night.

    What do you think of the GMER idea, Touch? I read at the GMER site that its technology has been incorporated into Avast, which I have run.

    Thanks again for the help. What's the next step?

    Peter
  8. ChrisDown

    ChrisDown Newcomer, in training Posts: 125

    Well, there's no harm in running GMER. I would have doubts over what 'incorporated' actually implies.
  9. touch

    touch Newcomer, in training Posts: 978

    phanson -> If your computer is running fine, then I can't see why we should run GMER.

    I have approximately ten other scan tools we can run, but I can't see the point ;)
  10. ChrisDown

    ChrisDown Newcomer, in training Posts: 125

    Better safe than sorry. Whether a computer is 'running fine' is a rather risky way to go about keeping a computer secure.
  11. touch

    touch Newcomer, in training Posts: 978

    ChrisDown -> You are spamming now
  12. ChrisDown

    ChrisDown Newcomer, in training Posts: 125

    As someone who has been trained in malware removal and has been doing it for years, I find the implication that I am spamming simply because I disagree with you offensive, to say the least. This thread isn't the place to pursue whatever feelings you might have against someone who believes differently from you, and nor is it the place for me to respond to them.

    Let's keep this thread on topic, please.
  13. phanson

    phanson Newcomer, in training Topic Starter

    next steps?

    touch,

    What are the next steps? I know we aren't finished yet.

    It seems to boot a little slow, but other than that I am not using the thing during this process, so I haven't seen other symptoms.

    Here is the latest HJT log.

    Peter
  14. tystanwick

    tystanwick Newcomer, in training Posts: 29

    That HJT log looks clean. I'd run MBAM again just to be certain.
  15. phanson

    phanson Newcomer, in training Topic Starter

    thanks tystanwick.

    I ran MBAM and it said it found nothing.

    Now Windows Update is having trouble installing some updates: Office 2003 SP3, KB970011, and KB907417. It seems CCleaner or something may have whacked the install cab files, which these updates think they need. I found a solution at sku011cab.com (a simple regedit), and now they install.

    Thanks everyone for your help.

    Peter