New Thread, Same Old Redirect Problem

Status
Not open for further replies.
Ok, I ran Sophos. It found 122 hidden files (4 registry), all with 4DW4R3 in it somewhere, but did not recommend cleaning ANY of them, but to send the scan log etc to them for analyis, so I did. Here's the log though.

BTW Happy VD (Valentine's Day).
 

Attachments

  • sarscan.log
    8.3 KB · Views: 2
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
 
Omygawd, omygawd, I think it worked! I got to a google result without being re-directed. Hopefully it won't re-infect....what is the name of the virus/trojan/malware, so I can tell others?

I think these are the logs but not sure. What do I need to do now to make sure I don't get it again? I think I've updated everything, but is there anything else?

And what's your address, so I can send flowers? really, you've saved me, it's the least I can do....

Thank you SO SO much for helping me through this!
 

Attachments

  • TDSSKiller.2.2.3_14.02.2010_13.46.56_log.txt
    68 KB · Views: 4
  • TDSSKiller.2.2.3_14.02.2010_13.48.38_log.txt
    68 KB · Views: 0
You're infected with TDSS rootkit.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

========================================================================.

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\4DW4R3vhAMLcNOAd.dll
c:\windows\system32\drivers\4DW4R3BgegiUdrms.sys
c:\windows\system32\drivers\4DW4R3LiJKnslVtt.sys
c:\windows\system32\drivers\4DW4R3OMDeBesYCq.sys
c:\windows\system32\drivers\4DW4R3NSuclTeFTj.sys
c:\windows\system32\drivers\4DW4R3iCreWUHWGb.sys
c:\windows\system32\drivers\4DW4R3XtEbOkMVIx.sys
c:\windows\system32\drivers\4DW4R3OVqtJAMuGX.sys
c:\windows\system32\drivers\4DW4R3QkLPMLpQxD.sys
c:\windows\system32\drivers\4DW4R3qMkqQxLkLb.sys
c:\windows\system32\drivers\4DW4R3mnBXqRvuTh.sys
c:\windows\system32\drivers\4DW4R3DWcWNiEXPP.sys
c:\windows\system32\drivers\4DW4R3LvDTrcfXVv.sys
c:\windows\system32\drivers\4DW4R3rQHdBcRQbt.sys
c:\windows\system32\drivers\4DW4R3MPJqxbuXKI.sys
c:\windows\system32\drivers\4DW4R3cnTwpTIvyT.sys
c:\windows\system32\drivers\4DW4R3exdafWSxxb.sys
c:\windows\system32\drivers\4DW4R3nWvtbWUjgd.sys
c:\windows\system32\drivers\4DW4R3kdUBvQMlKC.sys
c:\windows\system32\drivers\4DW4R3RbttPpvrOF.sys
c:\windows\system32\drivers\4DW4R3hToCfXbyvU.sys
c:\windows\system32\drivers\4DW4R3XINXnsbqiu.sys
c:\windows\system32\drivers\4DW4R3voJoKOFqeu.sys
c:\windows\system32\drivers\4DW4R3tbLPcoQgqK.sys
c:\windows\system32\drivers\4DW4R3IcxRSwpQXv.sys
c:\windows\system32\drivers\4DW4R3xnfCqeBWIH.sys
c:\windows\system32\drivers\4DW4R3UNMDtyipPK.sys
c:\windows\system32\drivers\4DW4R3BcpXdqgBWd.sys
c:\windows\system32\drivers\4DW4R3JJeURUbXYq.sys
c:\windows\system32\drivers\4DW4R3ssLNDTWmXp.sys
c:\windows\system32\drivers\4DW4R3OxXPdbfecg.sys
c:\windows\system32\drivers\4DW4R3RtCYMbuckM.sys
c:\windows\system32\drivers\4DW4R3qnxctPyjNp.sys
c:\windows\system32\drivers\4DW4R3OpreBqWqxa.sys
c:\windows\system32\drivers\4DW4R3oChWPxOvvj.sys
c:\windows\system32\drivers\4DW4R3ChbeXydvSK.sys
c:\windows\system32\drivers\4DW4R3XOHbsCMQnj.sys
c:\windows\system32\drivers\4DW4R3OxMISWWFxR.sys
c:\windows\system32\drivers\4DW4R3iXYPiRivwF.sys
c:\windows\system32\drivers\4DW4R3tdDJEXARSw.sys
c:\windows\system32\drivers\4DW4R3eFXYDWKItq.sys
c:\windows\system32\drivers\4DW4R3TlJqVHsift.sys
c:\windows\system32\drivers\4DW4R3ewrsqciaRt.sys
c:\windows\system32\drivers\4DW4R3FrdeNtPXFp.sys
c:\windows\system32\drivers\4DW4R3WncSytfuXB.sys
c:\windows\system32\drivers\4DW4R3FcwRPruOIX.sys
c:\windows\system32\drivers\4DW4R3tHeTPbmiBJ.sys
c:\windows\system32\drivers\4DW4R3WVtWMbeyTc.sys
c:\windows\system32\drivers\4DW4R3DqemxhmGiP.sys
c:\windows\system32\drivers\4DW4R3raTthvspqx.sys
c:\windows\system32\drivers\4DW4R3SupfAqulXb.sys
c:\windows\system32\drivers\4DW4R3TXqWoSLYfB.sys
c:\windows\system32\drivers\4DW4R3sYeAvvyaqR.sys
c:\windows\system32\drivers\4DW4R3UrRmvptiss.sys
c:\windows\system32\drivers\4DW4R3HoBtyBXHeT.sys
c:\windows\system32\drivers\4DW4R3tLKYXNQRRR.sys
c:\windows\system32\drivers\4DW4R3qxniiRGSve.sys
c:\windows\system32\drivers\4DW4R3pYrvYnBuTe.sys
c:\windows\system32\drivers\4DW4R3IcOLeaSAmp.sys
c:\windows\system32\drivers\4DW4R3bIMvPUWSQM.sys
c:\windows\system32\drivers\4DW4R3qevnvePCpb.sys
c:\windows\system32\drivers\4DW4R3ILtwiRvPyW.sys
c:\windows\system32\drivers\4DW4R3tpuOkFaYyI.sys
c:\windows\system32\drivers\4DW4R3IiEBgxNbep.sys
c:\windows\system32\104.tmp

Folder::

Driver::
MEMSWEEP2

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Google redirects

I've just helped a friend who's had the same problem with Google re-directing links to wrong web addresses. See post here. It only happened on Google, while MSN search engine worked fine.

Maybe it was just beginners luck, but for what it's worth, after running Avast Anti-Virus, Super Antispyware & Malwarebytes; and removing two programs found by SAS which had hijacked the browser... after doing all this and the problem still remaining, I ran HiJackThis.

In the HJT scan there were 15 Google entries listed with re-direct web addresses. I selected all 15 and then clicked: "Fix Checked". It came up with a warning that these entries would be repaired or deleted. So I clicked OK and it deleted all of them.

The problem was fixed immediately and has not come back. I attribute the cause of this problem to my friend going on suspect web sites and downloading suspect files.

Hope this might help somebody?

Cheers PB
 
Ok, here are the two new logs. So far it hasn't re-infected.
 

Attachments

  • hijackthis feb 14 log 2.txt
    9.3 KB · Views: 0
  • combofix feb 14 log 2.txt
    22.6 KB · Views: 2
Looking good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Ok it took almost 6 hours to run but here it is...it doesn't actually fix anything, right?
 

Attachments

  • kasperksy feb 14 15 txt file.txt
    2.7 KB · Views: 3
It's not suppose to fix anything. It just shows bad files. We'll remove them right now.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\!KillBox\4DW4R3jNFoCjjUtI.sys	
C:\!KillBox\4DW4R3jNFoCjjUtI.sys( 1)	
C:\!KillBox\4DW4R3jNFoCjjUtI.sys( 2)
C:\__OLD COMPUTER FILES\Outlook Express Backup from E\Backup from C\Deleted Items.dbx	
C:\__OLD COMPUTER FILES\Outlook Express Backup from E\Deleted Items1.dbx	
C:\__OLD COMPUTER FILES\Outlook Express Backup from E\Deleted Items1.dbx	
C:\__OLD COMPUTER FILES\Outlook Express Backup from E\For Export\Deleted Items1.dbx	
C:\__OLD COMPUTER FILES\Outlook Express Backup from E\For Export\Deleted Items1.dbx
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Alright, here they are.

BTW I noticed some of those infected files found were part of problems fixed years ago--does that mean they were just lingering or quaranteed files?

Computer seems to be working ok. Can't thank you enough for helping us get through this, especially since I need this to look for work.

All this has made me realize I need to do more to back up files. I'm thinking I should get a flash, at least for the photos, which is almost a third of the space (9.3GB of the 30GB total). Any recommendations for one?
 

Attachments

  • hijackthis log feb 15.txt
    9.5 KB · Views: 7
  • 02152010_103306.log
    4.5 KB · Views: 3
Actually, there's one more problem-- a new problem. I'm getting pop-ups. Haven't gotten them in years, but don't know what I was using that was stopping them. What do you suggest to use?
 
Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I thought I sent this earlier, sorry
 

Attachments

  • combofix log feb 15.txt
    19.9 KB · Views: 2
  • hijackthis log feb 15.txt
    9.3 KB · Views: 1
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=========================================================================

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow
    drweb.jpg
    at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • [color=5]Important![/color] Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


Post fresh HijackThis log as well.
 
it took 18 hrs for that program to run that program. It found 81 things, deleted 69. Of the ones remaining, some look like legit files, some look like things that are in vaults and one or two look suspicious.

I was going to close and reboot but when I clicked close I got a box asking if I want to neutralize the rest. I really want to be sure I won't mess up the computer, so I haven't closed or rebooted.

Also I've tried to attach but the file type isn't recognized and it won't let me change it. So I don't know what to do. Thanks
 
I think I can attach it now--but Dr Web froze up, wouldn't let me delet, move or anything so I had to close it.
 

Attachments

  • DrWeb list text.txt
    10.5 KB · Views: 2
I think they are better but the computer is running REALLY slow, pages take forever to load--if they load at all, and the machine fan starts running, which usually only happens if there's a bunch of stuff running at once.So I think something must be running in the background that I don't know about or don't need? I got an external drive and transferred about 19 GB off, which I thought would speed it up, but it's made no difference.
 
Status
Not open for further replies.
Back