Solved Getting search redirects after 'XP pro protector' (or some similar name) infection

[mikeetg]

I got an infection from the above fake virus protector. It locked down almost everything, task manager, applications etc.
I had spybot installed which I ran. It came back so I installed malware bytes, which found more stuff. I updated Avast and scanned -which found more stuff.
I also ran uniblue registry booster.
I followed though the 'eight steps'.
It is still rerouting searches though.

For some reason I get a blue screen when try booting up in safemode, dont know if it is connected.

Chrome stopped working. I uninstalled it.

I posted the original scan with malware that I did initially, and the latest one, under ' latest'

I would greatly appreciate any help!

 

[Broni]

I also ran uniblue registry booster.

Please, uninstall the program. Registry tools are absolutely not recommended. See here why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

=======================================================================

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[mikeetg]

Next step

Thanks for your help!

I did the instructions, although the first time I ran Gmer my screensaver settings made it go in to standby and It froze up, I had to reboot and change the settings so it would stay on. It took a few hours. After it finished and made the log it froze again, so I again rebooted.

I am still getting search redirects though.

Thanks again!

 

[Broni]

What browser is getting redirected?
Did you try another browser?

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

 

[mikeetg]

cont.

Both Firefox and IE are rerouting searches.

I did it and it came up with 'driver iastor' infected with rootkit, said I need to reboot. I pressed enter. When it rebooted it didnt seem to do anything. I ran it again to see if it had cleared it. It came up with the same infection.

 

[Broni]

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  iaStor.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[mikeetg]

cont

pasted below

 

[Broni]

Do you have Windows CD?


Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
C:\WINDOWS\system32\drivers\iaStor.sys|C:\SWSetup\HDD\iastor.sys /replace
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[mikeetg]

cont

Did it, although after reboot got blue screen and couldnt load windows. Tried safe mode also.
Had to reboot to last configuration that worked.

got the log here: (although I suppose the last configuration may have changed it)

I dont have the cd on me, I am not at home.

 

[Broni]

Please, re-run SystemLook from my reply #6

 

[mikeetg]

cont.

attached below

 

[Broni]

Let's see, if we can look at your computer booting from an external source.

You will need USB flash drive to move information from bad computer to a working computer.

You need to download two programs.

First

ISO Burner this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable. Just install the programm, from there on it's fairly automatic (Instructions)

Second

• Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
• When downloaded double click and this will then open ISOBurner to burn the file to CD
• Reboot your system (Non working computer) using the boot CD you just created.
  
  • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• When asked Do you wish to load the remote registry, select Yes
• When asked Do you wish to load remote user profile(s) for scanning, select Yes
• Ensure the box Automatically Load All Remaining Users is checked and press OK
• OTL should now start. Change the following settings
  • Change Drivers to All
  • Change Registry to All
  • Under Custom Scan box paste this in:
    
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    redbook.sys
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your reply.

 

[mikeetg]

Working on it today. just started the download and the whole scanner malware thing popped up again! How is it getting in? i managed to close the process (ave.exe) striagght away but still...

 

[mikeetg]

locked up the system. couldnt run malwarebytes, ran spybot sd. now running malwarebytes.
it could be it came back because of the system restore i did yesterday?

Should i still run the boot cd and follow the above instructions, do you want me to post the logs when malaware bytes is done?

 

[mikeetg]

cont

I made that cd and ran the program. I didnt run the fix option, as you didnt mention it. I have posted the log and also the logs of spybot and the malwarebytes log.

The log was so big I had to post it in 2 halves.

 

[Broni]

Delete your GMER and Combofix files, download fresh ones and post fresh logs.

 

[mikeetg]

cont

combofix said it found rootkits

I am not getting search redirects today, so it may have cleared.

 

[mikeetg]

P.S, My friend mentioned that i made the boot cd from this computer, which is infected. Was i supposed to do that or do i have to do it from a different computer as the infection may copy in to the system.

 

[Broni]

P.S, My friend mentioned that i made the boot cd from this computer, which is infected. Was i supposed to do that or do i have to do it from a different computer as the infection may copy in to the system.

You did fine.

I'm glad to hear, the redirection is no more there.
GMER log looks fine

You still have Vundo infection present.


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\rzgce.sys
c:\documents and settings\Geoff\Application Data\889592D3A1D8B5C706A83B5F0E01A220\appreg70700.exe
c:\documents and settings\geoff\application data\889592d3a1d8b5c706a83b5f0e01a220\appreg70700 .exe
c:\documents and settings\geoff\application data\889592d3a1d8b5c706a83b5f0e01a220\appreg70700  .exe


Folder::

RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas                      .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\HP\QuickPlay\QPService .exe
c:\program files\HPQ\Default Settings\cpqset .exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre1.6.0_02\bin\jusched .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Macrogaming\SweetIM\SweetIM .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Windows Media Player\WMPNSCFG .exe
c:\program files\xerox\WorkCentre C2424\xc24bgts .exe
c:\windows\SMINST\RecGuard .exe


Driver::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appreg70700.exe"=-
"appreg70700 .exe"=-
"appreg70700  .exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[mikeetg]

cont

uploaded the logs. This time combofix updated the system.

 

[mikeetg]

During the combo reboot of the system windows file wall restarted. it blocked a proccess called xnetsrvc module, which i allowed thinking it was the combo program. After googling it it looks like it may be malicious?

 

[Broni]

Much better

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

Folder::

Driver::

RenV::
c:\program files\Skype\Phone\Skype .exe

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[mikeetg]

Did u get my previous message, looks like we wrote at the same time?

 

[mikeetg]

Posted below

 

[Broni]

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\program files\Skype\Phone\Skype .exe

Folder::

Driver::

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.