TechSpot

Redirect virus - need some help please

By lownotesb
Jun 21, 2009
  1. Looks like I finally caught a virus. Been trying to clean this up but striking out. The crew here at TechSpot seems pretty good, so I'm going to ask for some help.

    Here's my status.

    Clicked on a link on a weird website about 10 days ago and noticed something strange pop up. Things started getting weird from that point on.

    First symptom was that Firefox would start with an error message about jqsnotify.exe, a popup with an error. Then I noticed my Google searches were getting redirected.

    I started searching around and taking some measures: scanning, Spybot, AVG. Nothing turning up. Tried CCleaner (I think I was following a thread here). I ran CCleaner and didn't see instructions here, and I DID check "clear prefetch data". Since then I can't run browsers at all.

    After this first round of battle and running CCleaner, I was then unable to run Firefox or IE. IE just hourglasses for 10 seconds and then nothing, no processes running. Firefox now launches with an application error: "The instruction at "0x7c5b73a3" referenced memory at "0x7c5b73a3". The memory could not be "read". Click OK to terminate the program." Tried uninstalling and reinstalling FF3 & FF2 but can't get it to run at all. Same error.

    Downloaded Chrome so at least I can browse on the PC. Chrome runs well, but Google search redirects, and even Yahoo search redirects.

    Looking for help at this point. I'm following the 8 steps and am now ready to post logs.

    Thanks for helping here, really appreciate it. Attaching logs.

    What next?
     
  2. touch

    touch TS Rookie Posts: 978

    Hello lownotesb

    Remove/uninstall one of your antivirus programs from "Programs and Features" in Control Panel:

    AVG8 or Comodo

    Please download ComboFix here ->
    ComboFix
    Before saving it to the Desktop, please rename it to 123.com to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double-click the file you downloaded. Follow the on-screen prompts to start the scan.
    Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall.
    It may take a while to complete scanning, and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and they will be restored after scanning has completed.

    ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
     
  3. lownotesb

    lownotesb TS Rookie Topic Starter

    Thanks for your help.

    I've followed the instructions and run ComboFix.

    Attached is the log file. Looks like I've got the Skynet rootkit.

    Comodo Firewall keeps popping up about catchme.sys and similar files. I blocked them and then the log file finally came up.
     

    Attached Files:

  4. touch

    touch TS Rookie Posts: 978

    Open Notepad and copy/paste the text in the quotebox below into it.
    Name the file CFScript
    and save it on the desktop.

    [image]

    Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    ComboFix will create a logfile and display it after your computer has rebooted.
    It is usually located at c:\combofix.txt; please attach it to your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  5. lownotesb

    lownotesb TS Rookie Topic Starter

    Thanks.

    Here is the log file.

    I really appreciate your help.
     
  6. touch

    touch TS Rookie Posts: 978

    It looks clean. Please tell me how things are running.
     
  7. lownotesb

    lownotesb TS Rookie Topic Starter

    Smooth sailing.

    Yes, things seem to be running better. No redirects, and all browsers working.

    Much appreciate your assistance and expertise. Thank you!!!!!
     
  8. lownotesb

    lownotesb TS Rookie Topic Starter

    Question about installed apps

    What can I do at this point to reduce my overhead on the machine? Should I keep all the new apps running and installed?

    Also, do I need Spybot & SUPERAntiSpyware?

    Thanks.
     
  9. touch

    touch TS Rookie Posts: 978

    You don't need Spybot & SUPERAntiSpyware if you keep Malwarebytes.

    You should create a new Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore.
    Select "Create a restore point", and OK it.
    Next, go to Start > Run and type in cleanmgr.
    Select the More Options tab.
    Choose the option to clean up System Restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt.exe.
    Save it to the desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note: it will NOT remove MBAM, CCleaner and SUPERAntiSpyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place?
     
  10. m106

    m106 TS Rookie

    This happened to me and is still happening. It happens 50% of the time I'm browsing in Firefox. I already tried scanning with Malwarebytes and it's still here.
    Here is my HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:07:36 PM, on 7/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
    D:\Program Files\FormatFactory\FormatFactory.exe
    D:\Program Files\FormatFactory\FFModules\mencoder.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 2136 bytes
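A quick way to triage a HijackThis log like the one above is to apply the checks a helper applies by hand: every running-process image and every O4 autorun should live under the Windows or Program Files trees, nothing should run out of a user-writable location such as Temp or Application Data, and an O23 service with no publisher or a missing binary deserves a look. The script below is an added example written for this thread; it is not part of HijackThis, TechSpot or either poster's tooling. The trusted-root and user-writable lists, the finding categories, the hypothetical `triage`/`path_reasons` helpers and the three sample lines marked `constructed` are assumptions made for the example; the other sample lines are copied from m106's log.

```python
"""Triage heuristics for a HijackThis (HJT) v2 log (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Where a legitimate image normally lives.  D:\Program Files is included because
# the poster installs software on D: (assumption taken from the log).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "d:\\program files\\")
# User-writable locations that malware commonly drops into (assumption).
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\",
                 "\\application data\\", "c:\\windows\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HJT prints O23 as "Display (ServiceName) - Company - Path"; the path must start
# with a drive letter, which keeps " - " inside display names from confusing the split.
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+) - (?P<company>.+?) - (?P<path>[A-Za-z]:\\.+)$")
SVC_NAME_RE = re.compile(r"^(?P<display>.+?) \((?P<name>.+)\)$")   # lazy: handles nested parens

@dataclass
class Finding:
    kind: str      # "header", "process", "O4" or "O23"
    subject: str   # the path or the service name
    reason: str

def _first_exe(cmd):
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def path_reasons(path):
    """Heuristic reasons why an image path deserves a look (empty list = nothing odd)."""
    p = path.strip().strip('"').lower()
    reasons = []
    if p.endswith("(file missing)"):
        reasons.append("referenced file is missing on disk")
        p = p[: -len("(file missing)")].strip()
    if any(w in p for w in USER_WRITABLE):
        reasons.append("image is in a user-writable directory")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("image is outside Windows/Program Files")
    return reasons

def triage(log_text):
    """Scan an HJT log and return Finding objects for the lines worth checking by hand."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("MSIE:") and "unable" in line.lower():
            findings.append(Finding("header", line,
                                    "HJT could not read the IE version; inspect IE's installation by hand"))
        elif re.match(r"^[A-Za-z]:\\", line):              # "Running processes:" block
            for r in path_reasons(line):
                findings.append(Finding("process", line, r))
        elif (m := O4_RE.match(line)):
            exe = _first_exe(m["cmd"])
            for r in path_reasons(exe):
                findings.append(Finding("O4", f"{m['hive']}\\..\\{m['key']}: [{m['name']}] {exe}", r))
        elif (m := O23_RE.match(line)):
            svc = SVC_NAME_RE.match(m["rest"])
            name = svc["name"] if svc else m["rest"]
            if m["company"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", name, "service has no publisher (Unknown owner)"))
            for r in path_reasons(m["path"]):
                findings.append(Finding("O23", name, r))
    return findings

# Sample input: lines from m106's log plus three constructed lines so the
# heuristics have something to flag.
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Platform: Windows XP SP3 (WinNT 5.01.2600)",
    "MSIE: Unable to get Internet Explorer version!",
    "Boot mode: Normal",
    "",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\Java\jre6\bin\jqs.exe",
    r"D:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\winupd.exe",                     # constructed
    "",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r'O4 - HKCU\..\Run: [Update] "C:\Documents and Settings\user\Application Data\update.exe" /silent',  # constructed
    r"O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe",
    r"O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe",
    r"O23 - Service: Example Updater (exupd) - Unknown owner - C:\WINDOWS\Temp\exupd.exe (file missing)",  # constructed
    "--",
    "End of file - 2136 bytes",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run against m106's real lines alone, the script reports only the "MSIE: Unable to get Internet Explorer version!" header, which matches touch's finding on the other poster's machine that the visible autoruns and services were clean; the three constructed lines show what a suspicious Temp-resident process, a quoted Run entry under Application Data, and an ownerless service with a missing binary look like when flagged. The heuristics are deliberately coarse (a rootkit such as the one lownotesb hit hides from this kind of listing entirely), so treat the output as a reading aid, not a verdict.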
     
Topic Status:
Not open for further replies.
