TechSpot

Need help with the Google Redirect virus

Solved
By Ariakis
Feb 21, 2010
  1. DELL Precision 380 with XP Pro. Just got the PC and was updating and installing software. I don't think it had it when I first started. I'd hate to start over but may need to. I had AVG and SpyBot running.

    I ran through your 8 recommended steps (attached the 3 logs). As I saw in a few other threads it went away after finishing however it came back after a reboot.

    The HJT log is the most recent after the reboot.

    Update: I saw another thread where Hitman Pro 3.5 cured the problem. I think it found it ... but when I try to remove it's actually removing a key driver and crashing me to a blue screen where I restore my last version (still infected). It says I have a Trojan named iaStor.sys in \system32\DRIVERS
     


  2. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    That's why tools like Hitman are very dangerous.
    iaStor.sys is your hard drive controller driver. If removed, you won't be able to boot.


    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  3. Ariakis

    Ariakis TS Rookie Topic Starter

    TDSSKiller results

    19:06:10:187 2928 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
    19:06:10:187 2928 ================================================================================
    19:06:10:187 2928 SystemInfo:

    19:06:10:187 2928 OS Version: 5.1.2600 ServicePack: 3.0
    19:06:10:187 2928 Product type: Workstation
    19:06:10:187 2928 ComputerName: USER-89FCA39E0D
    19:06:10:187 2928 UserName: User
    19:06:10:187 2928 Windows directory: C:\WINDOWS
    19:06:10:187 2928 Processor architecture: Intel x86
    19:06:10:187 2928 Number of processors: 2
    19:06:10:187 2928 Page size: 0x1000
    19:06:10:187 2928 Boot type: Normal boot
    19:06:10:187 2928 ================================================================================
    19:06:10:187 2928 UnloadDriverW: NtUnloadDriver error 2
    19:06:10:187 2928 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    19:06:10:187 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    19:06:10:203 2928 UtilityInit: KLMD drop and load success
    19:06:10:203 2928 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
    19:06:10:203 2928 UtilityInit: KLMD open success
    19:06:10:203 2928 UtilityInit: Initialize success
    19:06:10:203 2928
    19:06:10:203 2928 Scanning Services ...
    19:06:10:203 2928 CreateRegParser: Registry parser init started
    19:06:10:203 2928 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    19:06:10:203 2928 CreateRegParser: DisableWow64Redirection error
    19:06:10:203 2928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    19:06:10:203 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    19:06:10:203 2928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:06:10:203 2928 wfopen_ex: Trying to KLMD file open
    19:06:10:203 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    19:06:10:203 2928 wfopen_ex: File opened ok (Flags 2)
    19:06:10:203 2928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264B18
    19:06:10:203 2928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    19:06:10:203 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    19:06:10:203 2928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:06:10:203 2928 wfopen_ex: Trying to KLMD file open
    19:06:10:203 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    19:06:10:203 2928 wfopen_ex: File opened ok (Flags 2)
    19:06:10:203 2928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264A08
    19:06:10:203 2928 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    19:06:10:203 2928 CreateRegParser: EnableWow64Redirection error
    19:06:10:203 2928 CreateRegParser: RegParser init completed
    19:06:10:500 2928 GetAdvancedServicesInfo: Raw services enum returned 340 services
    19:06:10:500 2928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    19:06:10:500 2928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    19:06:10:500 2928
    19:06:10:500 2928 Scanning Kernel memory ...
    19:06:10:500 2928 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    19:06:10:500 2928 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B203938
    19:06:10:500 2928 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
    19:06:10:500 2928
    19:06:10:500 2928 DetectCureTDL3: DEVICE_OBJECT: 8A808C68
    19:06:10:500 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A808C68
    19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0x8A808C68[0x38]
    19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT: 8B203938
    19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B203938[0xA8]
    19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0xE1009888[0x18]
    19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE : BA10EBB0
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CLOSE : BA10EBB0
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_READ : BA108D1F
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_WRITE : BA108D1F
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA1092E2
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA1093BB
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA1092E2
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_POWER : BA10AC82
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA10F99E
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
    19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
    19:06:10:500 2928 TDL3_FileDetect: Processing driver: Disk
    19:06:10:500 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    19:06:10:500 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    19:06:10:531 2928 TDL3_FileDetect: Processing driver: Disk
    19:06:10:531 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    19:06:10:531 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    19:06:10:531 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    19:06:10:531 2928
    19:06:10:531 2928 DetectCureTDL3: DEVICE_OBJECT: 8B202AB8
    19:06:10:531 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B202AB8
    19:06:10:531 2928 DetectCureTDL3: DEVICE_OBJECT: 8AC0C030
    19:06:10:531 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC0C030
    19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8AC0C030[0x38]
    19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT: 8A7C25A8
    19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8A7C25A8[0xA8]
    19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B18E030[0x38]
    19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B18F9C8[0xA8]
    19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0xE1B43AD8[0x1C]
    19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CLOSE : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_READ : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_WRITE : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 8B115A9A
     
  4. Ariakis

    Ariakis TS Rookie Topic Starter

    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_EA : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_EA : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SHUTDOWN : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CLEANUP : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_SECURITY : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_POWER : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 8B115A9A
    19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_QUOTA : 8B115A9A
    19:06:10:531 2928 TDL3_FileDetect: Processing driver: iastor
    19:06:10:531 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
    19:06:10:531 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
    19:06:10:546 2928 DetectCureTDL3: All IRP handlers pointed to one addr: 8B115A9A
    19:06:10:546 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B115A9A[0x400]
    19:06:10:546 2928 TDL3_IrpHookDetect: CheckParameters: 0, 0, 607, 138, 3, 120
    19:06:10:546 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B115909[0x400]
    19:06:10:546 2928 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 1
    19:06:10:546 2928 TDL3_FileDetect: Processing driver: iastor
    19:06:10:546 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
    19:06:10:546 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
    19:06:10:546 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Clean
    19:06:10:546 2928
    19:06:10:546 2928 Completed
    19:06:10:546 2928
    19:06:10:546 2928 Results:
    19:06:10:546 2928 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    19:06:10:546 2928 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    19:06:10:546 2928 File objects infected / cured / cured on reboot: 0 / 0 / 0
    19:06:10:546 2928
    19:06:10:546 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    19:06:10:546 2928 UtilityDeinit: KLMD(ARK) unloaded successfully
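    The log in posts 3 and 4 carries the finding the thread turns on: every IRP_MJ dispatch entry of the iastor driver object resolves to one address (8B115A9A) while disk.sys's entries are spread across several addresses, and the on-disk iaStor.sys is nonetheless reported Clean. The Python script below is an added example, not code from this thread or from TDSSKiller; it extracts that pattern from log lines of this shape so that a responder reviewing such a log can see at a glance which driver object is affected and whether the file scan agreed. The sample lines are constructed from the thread's log, the regular expressions assume the message formats shown there, and a single dispatch address is a lead for manual review rather than a verdict, since some legitimate drivers route every request through one dispatch routine.

```python
"""Flag driver objects whose whole IRP_MJ dispatch table points at one address.

Added example for the TechSpot thread; not TDSSKiller code. The message formats
matched below are taken from the log posted in the thread.
"""
import re

# Message shapes as printed in the thread's TDSSKiller log (assumed stable).
NAME_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-F]{8})")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")
ALL_SAME_RE = re.compile(r"All IRP handlers pointed to one addr: ([0-9A-F]{8})")

# Constructed sample: a subset of the lines from the thread's log, addresses as printed there.
SAMPLE_LOG = r"""
19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE : BA10EBB0
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_READ : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_WRITE : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA1093BB
19:06:10:531 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_READ : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_WRITE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8B115A9A
19:06:10:546 2928 DetectCureTDL3: All IRP handlers pointed to one addr: 8B115A9A
19:06:10:546 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Clean
""".strip().splitlines()


def parse_log(lines):
    """Group dispatch addresses, file verdict and the tool's own flag per driver name.

    Returns an insertion-ordered dict:
      driver name -> {"irp": {major: addr}, "file": path, "verdict": str, "tool_flag": addr}
    Lines seen before the first DRIVER_OBJECT name line are ignored.
    """
    drivers = {}
    current = None
    for line in lines:
        m = NAME_RE.search(line)
        if m:
            current = m.group(2)
            drivers.setdefault(current, {"irp": {}, "file": None, "verdict": None, "tool_flag": None})
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            drivers[current]["irp"][m.group(1)] = m.group(2)
            continue
        m = VERDICT_RE.search(line)
        if m:
            drivers[current]["file"], drivers[current]["verdict"] = m.group(1), m.group(2)
            continue
        m = ALL_SAME_RE.search(line)
        if m:
            drivers[current]["tool_flag"] = m.group(1)
    return drivers


def assess(drivers):
    """Return (driver, note) for each driver whose recorded dispatch table collapses to one address."""
    findings = []
    for name, info in drivers.items():
        table = info["irp"]
        addrs = set(table.values())
        if len(table) < 2 or len(addrs) != 1:
            continue  # handlers differ, as they do for disk.sys in the thread
        addr = addrs.pop()
        note = f"all {len(table)} recorded IRP_MJ handlers point to {addr}"
        if info["verdict"] == "Clean":
            note += ("; the on-disk file was reported Clean, so the change is in memory "
                     "or the scanner's view of the file is being hidden: review manually")
        if info["tool_flag"] and info["tool_flag"] != addr:
            note += f" (tool itself reported {info['tool_flag']})"
        findings.append((name, note))
    return findings


if __name__ == "__main__":
    for driver, note in assess(parse_log(SAMPLE_LOG)):
        print(f"{driver}: {note}")
```

    Run as-is it reports only the iastor driver object; pointing `parse_log` at the lines of a real `C:\TDSSKiller.txt` works the same way. The verdict-versus-hook contrast is the part worth keeping: a file scan that comes back Clean does not clear a driver whose in-memory dispatch table has been rewritten.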
     
  5. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. Ariakis

    Ariakis TS Rookie Topic Starter

    Post ComboFix

    Files attached. The log says removed. Quick test shows no redirects although we'll see next time I reboot. Let me know what you think. Any next steps? Thanks!!!!!!

    Question: Beyond AVG, Comodo, and SpyBot S&D which I had before unless you think I should change them out ... which should I uninstall and/or delete of ComboFix, TDSSKiller, CCleaner, HijackThis, SuperAntispyware, and Malwarebytes?
     


  7. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Very good :)
    Are you running Comodo AV and firewall, or AV only?
    Spybot can be uninstalled, because it's a rather obsolete tool.
    We'll take care of Combofix in a moment.
    TDSSKiller can go.
    CCleaner is a fine tool, as long as you leave the registry part alone.
    HJT can be uninstalled at the end.
    Malwarebytes and Superantispyware are your tools to keep.

    ====================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\ezsidmv.dat
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  8. Ariakis

    Ariakis TS Rookie Topic Starter

    Thanks!

    I'll have an update with logs next time I get to that PC later tonight. Thank you so much!

    Only running Comodo as a firewall. I have a router too. Think this is unnecessary?

    I assume you don't want me to uninstall anything until we've completely solved this.

    Will ditch TDSSKiller. You don't advise using the registry cleaner function on CCLeaner at all once this is solved or just carefully?

    Are you saying to ditch AVG and use Malwarebytes and Superantispyware as my active pair once this is resolved?

     
  9. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    That's fine.
    Yes.
    Registry cleaners are absolutely unnecessary and they simply may be dangerous. There is no single reason to use them.
    You'll be in perfect shape with them.
     
  10. Ariakis

    Ariakis TS Rookie Topic Starter

    As requested

    My laptop which didn't come down with this has Avast and Threatfire paired. How do you think they compare for protection to MWB/SASW paired as you have suggested? That is the PC we usually use for banking, etc while this desktop is for general use.

    In any case, logs attached. Am I clean and protected from this forward?
     


  11. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    You have to have an AV program.
    As for antispyware tools, you won't find anything better than MBAM and Super.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
     
  12. Ariakis

    Ariakis TS Rookie Topic Starter

    Not sure what happened ... I'll try again tomorrow with IE8 again or maybe Firefox pending your feedback. Won't be able to try again until after work tomorrow. It was downloading for about 20 minutes to almost 50% then got a bunch of this:

    Invalid file signature: bases/five/avc/avp.klb
    File download: index/master.xml.klz
    Updates source is selected: http://downloads1.kaspersky-labs.com/
    File download: index/master.xml.klz
    File download: bases/five/avc/avp.klb
    Invalid file signature: bases/five/avc/avp.klb
    File download: index/master.xml.klz
    Updates source is selected: ftp://downloads2.kaspersky-labs.com/
    File download: index/master.xml.klz
    File download: bases/five/avc/avp.klb
    Invalid file signature: bases/five/avc/avp.klb
    File download: index/master.xml.klz

    0 [ERROR: Invalid file signature]
     
  13. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Alternatively, you can try this one:

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  14. Ariakis

    Ariakis TS Rookie Topic Starter

    Update

    I didn't see where ESET would print a log file but it said it finished with no error. I didn't uninstall in case you want me to run it later. I'll try Kaspersky again while I wait on your next response. Attached is the HJT log too.
     


  15. Ariakis

    Ariakis TS Rookie Topic Starter

    Ugh. FYI - Clicking the link for Kaspersky on this site took me to one of the virus redirect sites.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. Ariakis

    Ariakis TS Rookie Topic Starter

    Will do ComboFix now ... here is what I got from Kaspersky:

    Monday, February 22, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, February 23, 2010 00:11:56
    Records in database: 3632205
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    A:\
    C:\
    D:\
    Scan statistics
    Objects scanned 59700
    Threats found 0
    Infected objects found 0
    Suspicious objects found 0
    Scan duration 01:19:22

    No threats found. Scanned area is clean.
    Selected area has been scanned.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    OK...............
     
  19. Ariakis

    Ariakis TS Rookie Topic Starter

    Update

    What's the verdict?
     


  20. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Yeah, we have a rootkit here...

    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will re-boot now.

    Upon re-boot, Notepad window will open.
    Select all text, copy it, and paste it into next reply.

    NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
     
  21. Ariakis

    Ariakis TS Rookie Topic Starter

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Please download Sophos Anti-rootkit & save it to your desktop.

    IMPORTANT!
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Clean out your temporary files.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

    • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
    • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
    • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
    • Make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives

    • Click Start scan.
    • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
    • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
    • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

    • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
    • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
    • After reboot, a dialog box displays the files you selected for removal and the action taken.
    • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
    • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
    • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
     
  23. Ariakis

    Ariakis TS Rookie Topic Starter

    Update

    I only ran it once as it didn't find anything. So far I haven't been getting redirected though.


    Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
    Started logging on 2/23/2010 at 0:03:30 AM
    User "User" on computer "USER-89FCA39E0D"
    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
    Info: Starting process scan.
    Info: Starting registry scan.
    Info: Starting disk scan of C: (NTFS).
    Stopped logging on 2/23/2010 at 0:14:44 AM
     


  24. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  25. Ariakis

    Ariakis TS Rookie Topic Starter

    Awesome thank you so much! I'll send one last update once I use it a bit more later today.
     
Topic Status:
Not open for further replies.

