Search engine redirecting, amongst other problems

Status
Not open for further replies.

Advaya

My browsers seem to be hijacked. When I search I am redirected to a variety of websites such as search engines and auction websites. Also, I can copy an address and go directly to the web page through copy and paste, but if I actually click on the address it just opens in a new tab and every link on the first page indicates I have clicked on them. I tried to scan with spybot but it won't let me connect to a server, and avg will not update. Websites that seem like they could possibly help me (symantic, spybot) will not load at all, it just says the page can not be displayed.

I ran hijack this, so it's attached below.

Thanks!
 
Welcome to TS. I am trying to anticipate your needs. HJT indicates protection from AVG is present on the computer. HJT listing of services is remarkably short. Advanced settings use 'ignore' to shorten results displayed in HJT.

In case of difficulty, attempt this method
Note, one user reported the need to restart in safe mode with networking, as the relief was temporary. This refers to message #1.
Additional note: Message #3 link to 'fixit download' has demonstrated its effectiveness in many cases. Explicit link to 'fixit download'


General Remark: - React to unanswered items appearing in scan logs
  • 'No Action' - Remove Selected when offered by MBAM
  • 'Delete on Reboot' - Restart the computer after concluding the scan
Proceeding along a typical path.
  • Update both MBAM & SAS. Rerun them both.
  • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.
  • Restart the computer. Scan with HJT.
  • Post logs. Report progress & what changes are observed.
 
Thanks for your help. I had uninstalled AVG because whatever was/is on my computer prevented it from updating so it wasn't working. I installed AVIRA, and Comodo firewall. Both seem to be working well. I am no longer being redirected to random webpages either. I do get a weird pop up when I restart which is a script error from msn or internet explorer. It doesn't seem to affect anything though. I followed the first step above and immediately AVIRA started having about a billion trojan warnings. I initially quarantined them because I was unsure of what action to take since I hadn't started the 8 steps yet.

I don't have time to run anything twice tonight, but I will go ahead and attach the initial scans.

Your help is appreciated.
 

Attachments

  • AVSCAN-20081128-214503-9028C868.LOG (13.8 KB)
  • mbam-log-2008-11-29 (00-05-11).txt (2.5 KB)
 
Mbam has removed some malware. Did you reboot after running the program to complete the deletions?

NOTE: malware is in the System Restore points. DO NOT use system Restore. When the system is clean we will remove the old restore points and set a new one.

SAS found the Rootkit.TDSServ.
Have Avira remove the entries that are quarantined.

rf6647 may want you to turn off the Comodo firewall while running the programs. I'll leave that up to him.
 
Advaya, I will try to summarize so you can understand the direction we are taking. I am a newbie here. Bobbye’s reply called attention to significant findings in the logs that affect our next steps.

  1. First scans
    • MBAM log contained the phrase > ‘delete on reboot’. In this case, a restart of the computer is needed.
    • SAS log reporting Rootkit.TDSS items is unusual, given that the current version of MBAM ordinarily cleans these. If a restart was performed, then this oddity is significant.
    • TrekBlue, LLC is publisher of this software; possible false positive
      • Malware.SpywareNuker > C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS
      • Was this software installed ever?

  2. After cleaning the infection, removing old System Restore points is recommended.

  3. Purging the virus vault reduces the effort to review logs. (User reports Avira quarantined files.)

  4. Turn off Comodo FW – Bobbye recognizes something I have not picked up on where it is a resource hog or causes difficulty.
    • I am OK with running it.

  5. New scan logs will inform us if earlier scans uncovered other infections.

  6. User report:
    • weird pop up when I restart
    • followed the first step above and immediately AVIRA started having about a billion trojan warnings >> good sign

  7. Open Issues:
    • Run the next round of scans & post new logs
    • Is the Plug and Play ‘tdssserv.sys’ driver uninstalled by these scans?
    • Investigate if this is a case where a ‘disabled TDSSserv Trojan’ escapes full treatment from MBAM & SAS
    • tdssserv.sys is NOT among the deleted files in any log
 
I am so confused about this! I thought everything was better but evidently not.

I ran Avira and it came up clean, I'll post the log in case I missed something, which is totally possible!!

Malwarebytes' Anti-Malware came up clean as well.

SuperAntiSpyware did not come up clean. In fact, I ran it and it came up with 11 detections. It instructed me to restart. I restarted and reran it, and it came up with 13 detections! I will attach logs.

I do not remember if spywarenuker or whatever was ever installed, it sounds familiar but I honestly can't say. It certainly isn't installed now.

To be honest, I already deleted all restore points. Is this going to be a problem? I researched a result I got during one of my scans and someone explained how to do that step. My boyfriend tells me to turn off the restore option, but I don't know if I should or how to do that.

Also, hijack this shows a lot from AVAST antivirus, which I had tried to install but couldn't get to work when the virus or whatever was blocking updates. I don't know why it's there, either.

Thanks for all your help.
 
Help!!!

I am in virus hell. I don't know if I should just start a new post about this, since I'm not having the same problems as before.

I can barely use the computer now. I am continuously bombarded with AVIRA warnings about the TR/Vundo.gen Trojan, as well as TR/Spyagent.euy. Oh, hey, here is a new one right now. TR/Dldr.Agent.aiyu.2

I don't know what to do; I don't know where they keep coming from. I don't understand how I can send a virus to quarantine and have the exact same warning keep popping up forever.

My boyfriend sent me a tool to remove VUNDO, but it couldn't find it when I scanned it in safe mode, so it didn't do anything at all.

I am getting pop up ads. At least it's not porn though, looking on the bright side of things. It's some skiing ad.

Do I need to repost logs? I feel like every time I do, things are completely different than they were before and it's going to be a never ending cycle :(
 
The quickest route to cleaning this infection is to run ComboFix. The first run of this tool should delete the rootkit.trojan - tdssserv.sys. The second run of ComboFix is a view if any other infection has been uncovered. Post both logs and another HJT log.

If you are interested in helping my study of what role 'disabling the TDSSserv.sys trojan' plays, then I offer a mini-procedure.

  • Confirm 'TDSSserv.sys' is disabled. As was done here. Cancel to exit.
  • Run ComboFix. Near the end of the log, confirm message 'Completion time: ....... - machine was rebooted'
  • Scan with SAS
  • Confirm 'TDSSserv.sys' does not appear in the device manager.
  • Run ComboFix
  • Scan with MBAM & SAS
  • Scan with HJT
Post all logs. Please share your observations.

Disable realtime protection before running combofix by right clicking it in the system tray and unchecking the real time monitoring

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
  • How-to-use guide
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
Also attach a fresh hijackthis scan ran afterwards
 
Thanks for your help! I have completed the first part of your suggestion, I will start on the second part now and post those later.

Here are the initial two combofix logs and a new hijackthis log.
 
As per my usual, my communication style is very confusing. It was an either-or proposition. I was trying to demonstrate that the first combofix cleaned the infection. Therefore, nothing remained for SAS to report & the device was gone.

MBAM, SAS, & HJT scans are still needed to confirm progress. The second combofix is used to validate these scans.

Thanks for your support.

[add]
Log 1 caught more than expected.
Log 2 gives a clear indication.

Our 2 replies crossed. Yours is similar to another case. A disabled TDSS trojan still has some capabilities. It appears it reached out to attract a few old infections caught in log 1.
 
rf6647, I worked with someone the past couple of days with the TDServer malware. We used the following combination and all entries were found and removed. Please check the directions out and if you think it's appropriate, suggest it here:
For TDSServ malware:
The Rootkit TDSServ is still showing in SAS, but Mbam and HijackThis are clean.
Lets follow this to remove:
1. Open up Device Manager(Start> Control Panel> Hardware tab> Device Manager button)
2. Click 'View' and select 'Show Hidden Devices'
3. Expand the 'Non-Plug and Play' Drivers category
4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys (any that are present)
5. Restart computer to Safe Mode
6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
7. Navigate to 'C:\Windows\System32\Drivers' folder and delete these files if they exist (They will be hidden so show hidden files)***
8. Navigate to 'C:\Windows\System32\ directory, Sort By Date, and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours ***
9. Run SDFIX (see below) and Combofix in Safe Mode (see below)
10. Reboot to Normal mode, install SAS, update, and run a quick scan
11. Run an ESET (NOD32) online scan: http://www.eset.com/onlinescan/
OR F-Secure online malware scan: http://support.f-secure.com/enu/home/ols.shtml
***NOTE: Path for #7 & #8:
Right click on Start> Explore> Windows > System 32

#9: SD FIX- what it does: http://www.bleepingcomputer.com/forums/topic131299.html
1. Download SDFix.exe from the link and save it to your desktop:
2. Confirm that the file SDFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.
3. Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
4. A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions as shown. Follow the instructions and screen shots on the site.

When you have finished, the log will open in Notepad which can be attached here.
#9: ComboFix:
Please download ComboFix.: http://www.bleepingcomputer.com/comb...o-use-combofix
Follow previous directions for this.
 
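Steps 7 and 8 of the procedure above (look in System32\Drivers for the named rootkit drivers, then look in System32 for recently modified files named clb*, td* or seneka* or for fresh executables) are the part of the clean-up most often done by hand and most easily botched. The script below is an added example, not code from this thread or from any of the tools it mentions; it performs those two checks on a directory tree. The file names, timestamps and the temporary directory it builds are constructed demo data; on a real machine you would point `find_rootkit_drivers` and `find_recent_suspects` at C:\Windows\System32 and its Drivers subfolder instead.

```python
"""Added example: file-system triage for the TDSS-family driver names."""
import fnmatch
import os
import tempfile
import time
from pathlib import Path

# Driver names from the procedure, plus the randomised tdss???.sys variant.
ROOTKIT_DRIVER_PATTERNS = ("clbdriver.sys", "tdsserv.sys", "tdss*.sys", "seneka.sys")
# Step 8: name patterns for fresh droppings in System32 itself.
RECENT_NAME_PATTERNS = ("clb*", "td*", "seneka*")
EXECUTABLE_EXTS = (".exe", ".dll")


def matches_any(name, patterns):
    """Case-insensitive glob match; Windows file names are case-insensitive."""
    lname = name.lower()
    return any(fnmatch.fnmatchcase(lname, pat.lower()) for pat in patterns)


def find_rootkit_drivers(drivers_dir):
    """Step 7: rootkit driver files present in the Drivers folder.
    Directory listings from os/pathlib ignore the Hidden attribute, so a
    hidden driver is still returned; only Explorer needs 'show hidden files'."""
    drivers_dir = Path(drivers_dir)
    if not drivers_dir.is_dir():
        return []
    return sorted(p.name for p in drivers_dir.iterdir()
                  if p.is_file() and matches_any(p.name, ROOTKIT_DRIVER_PATTERNS))


def find_recent_suspects(system32_dir, now=None, window_hours=24):
    """Step 8: files modified inside the window that match a rootkit name
    pattern, or any executable modified inside the window. Returns sorted
    (name, reason) pairs. Old files are skipped first, which is what keeps
    legitimate clb* files such as clbcatq.dll out of the list."""
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    hits = []
    for p in Path(system32_dir).iterdir():
        if not p.is_file():
            continue                      # Drivers and other subfolders: separate check
        if p.stat().st_mtime < cutoff:
            continue                      # untouched in the window: not a new dropping
        if matches_any(p.name, RECENT_NAME_PATTERNS):
            hits.append((p.name, "name pattern"))
        elif p.suffix.lower() in EXECUTABLE_EXTS:
            hits.append((p.name, "recent executable"))
    return sorted(hits)


def build_demo_tree(now):
    """Constructed stand-in for C:\\Windows\\System32 (demo data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    drivers = root / "Drivers"
    drivers.mkdir()
    day = 24 * 3600
    files = {
        drivers / "tdsserv.sys": now - 2 * day,      # rootkit driver
        drivers / "tdssabc.sys": now - 2 * day,      # randomised variant
        drivers / "seneka.sys": now - 2 * day,
        drivers / "ntfs.sys": now - 400 * day,       # legitimate, left alone
        root / "tdssmain.dll": now - 3600,           # fresh, matches td*
        root / "evil_unknown.exe": now - 2 * 3600,   # fresh executable
        root / "clbcatq.dll": now - 400 * day,       # legitimate, matches clb* but old
        root / "kernel32.dll": now - 400 * day,
    }
    for path, mtime in files.items():
        path.write_bytes(b"MZ demo")
        os.utime(path, (mtime, mtime))
    return root


def triage_demo():
    """Build the demo tree and run both checks against it."""
    now = time.time()
    root = build_demo_tree(now)
    return {
        "drivers": find_rootkit_drivers(root / "Drivers"),
        "recent": find_recent_suspects(root, now=now),
    }


if __name__ == "__main__":
    for section, items in triage_demo().items():
        print(section, items)
```

The recency cut-off is what makes the broad clb*/td* patterns usable: clbcatq.dll is a stock Windows component that matches clb*, and only its modification time separates it from a dropper. Treat the output as a worklist to confirm against the driver's publisher and a second opinion scan, not as a delete list; the script deliberately removes nothing.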
Again, thanks for all your help. I'm sorry I misunderstood your instructions for the procedure; I would have followed them!

I am attaching new scans. I ran SAS overnight and it found 8 detections, I ran MBAM this morning and it found 14. After that I re-ran SAS and it came up clean.

I am still having an error when I restart my computer, could it be related to these entries in my hijack this log? I don't understand these, so I thought I would just ask.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (I deleted the URLS here, I wasn't sure if it was a good idea to have them)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

The error is just a script error for a msn website, even though when I first use my computer an internet browser is not open. It asks if I want to keep running the script.
 
Advaya, this is a partial reply & not well thought out.

I believe you are clean. The flash from SAS is noted. This is where I grasp at straws.
  • Disconnect all computers from the router (local network).
  • Power cycle the router (remove power, restore power).
  • Power cycle the infected computer.
  • move step
  • Scan with MBAM, SAS, ComboFix,
  • Restart the computer, scan with SDFix
  • Restart the computer, scan with HJT.
  • intentionally blank
  • Connect only the infected computer to the router.


R1 - ok to ignore

The error is just a script error for a msn website, even though when I first use my computer an internet browser is not open. It asks if I want to keep running the script.
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

Mini-procedure
  • Go to the MSN Messenger application.
  • Find the tick box that admits this as a startup item. Untick.
  • Close application
  • Restart Computer.
  • Run the MSN Messenger application. Minimize (puts it into the notification section of the task bar).
  • Did the error occur as before? Did the error occur after starting Messenger?

Bobbye, in the review of that thread, I saw only logs for steps 9 + 10. It was less clear what results were presented for the other steps. I am definitely the lazy type. I was looking for something not covered by ComboFix. Any of those non-PnP devices are using the same exploit, and disabling the non-PnP drivers gives relief of symptoms. Based on a single reply, ComboFix put down TDSSserv. So the question I have is how much work can be avoided?
 
Sorry, I should have stayed out. I didn't go over all the logs, just saw mention of the TDSServ and thought it was still an issue.

Some focus by the poster is needed here.

rf6647, you gave 2 or 3 well thought out step by step guides. They should be followed.

As for the script error, not panic time there. Just turn off 'display script errors' in the browser. In the grand scheme of things, nothing to worry about. Sometimes I think a poster expects us to solve each and every problem- small or what they think is large, instead of just cleaning out the malware!
 
Thanks guys for your help. I think everything is fine now. I just wasn't sure if the browser error was related to the virus or not, that was my only question. If it wasn't then I wasn't going to panic, just wanted to verify.
-Advaya
 
Also, I tried following all the guides posted. Did I do them incorrectly? I admit I am not a computer expert by any means, but I thought I did an alright job following them, except for the mistake of not completing the procedure which I thought was separate, which I have apologized for. I'm confused about the comment about the need for focus by the poster. Regardless, thanks everyone for helping me, sorry for the lack of clarity. Communication is difficult in this medium.
 
Bobbye, apology is not expected. I invite you and all members of the team to make contributions. I am not an 'originalist'. I am the copycat, and mimic what is working for others. It is better to give corrective suggestions earlier rather than later. Part of the rationale comes from the saw about training, old dogs, and new tricks.

Advaya, Messages 11 & 14 are observations from status updates. To me these indicate that some 'folk remedies' are needed. This appears to be "contamination from unknown origin". The 'power cycle' technique cleans the router. The scans are needed to reclean the computer (all scan tools pre-installed). Then reconnect to the router. SDFix is optional. It gives me information about the coverage from ComboFix.

I offer some consideration of the folklore. Some feedback about the power cycle (POC) of the router would be helpful. This is different than the 'hard reset' using the microswitch somewhere on the router. The latter technique forces factory defaults & it is a guaranteed cleaning. POC cleans volatile memory on the router. Once the exploits alter saved router settings, the hard reset is indicated. Passwords assigned by the user are better than leaving it defaulted.

Here is what I found about uninstalling AVG

You are advised strongly to un-install AVG
If it does not un-install normally, use the removal tool:
AVG Remover Tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe
 