Google redirection virus and other stuff

[VTL]

Hi, lately my google searches have been redirected to random ad/search sites.

I ran kaspersky and it found 2 infected files in my windows system folders. I can't seem to disinfect them. And when I have kaspersky open, I can't open anything. For example: when i click on the firefox icon, it says it cannot find the .exe file. When i do go to the firefox directory in the program files folder to try to open it, it gives me the same error.

I'm not sure if this is caused by the google redirection virus or not, so I mentioned it as well.

Please help me with my computer. Thank you very much.

 

[Bobbye]

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[VTL]

Sorry about that.

One thing that happened after running GMER is that I cannot open anything after saving the gmer logs. I had to restart my computer, but the screen turned black afterwards and won't restart at all. So I had to manually restart it via pressing the button.

Anyways, here are the logs for my computer. Sorry again for the inconvenience.

 

[Bobbye]

Looks like you have a Rootkit going here!

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
Re-enable your Antivirus software.
==================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

 

[VTL]

Combofix is not working for me.

The first time I run it, it restarts my computer before showing a blue window named administrator. Then after my computer restarts, the window is still there while my screen is pitch black. So I had to restart my computer again.

Now when I run combofix, the bar loads up and my desktop icons flashes for a while. But nothing else as your steps suggested happens.

 

[Bobbye]

Please go ahead with the Eset scan.

Although ComboFix will work on Windows 7, it is not officially supported yet so if it is run you will receive a warning message that it is a beta version meant for compatibility testing.

From bleepingcomputer.

Try uninstalling Combofix, then reinstalling as follows:

Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

====================================
Please download ComboFix HERE and save to your desktop:

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  
• Query- Recovery Console image
  
  
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

I left more images in this download in case you see any of them. See if you can get a scan.

 

[VTL]

I finally managed to run combofix. It had to restart my computer twice since it found rookits still running. The second time was caused by rookit again and it told me to write down the notice.

Service: RDPREFMP

File: C:\Windows\system32\drivers\rdprefmp.sys.

Anyways, here are the logs from Combofix and Eset.

Also, my computer has been giving me a notice where it says my windows is not a genuine copy, and has changed my background to pitch black. I looked it up and it might be malware blocking my validation files and whatnot. Is this true?

Thank you.

 

[Bobbye]

Related to rdprefmp.sys RDP Reflector Driver Miniport from Microsoft Corporation.
But it was infected and Combofix handled it:
Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
=================================
Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files 
  C:\$Recycle.Bin\S-1-5-21-3180167293-174922687-3939198346-1000\$RZZ21S0\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe	
  C:\Users\Tommy\Documents\Downloads\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Please empty the Recycle Bin

I'd like you to open your Combofix logs and look in the following section:
---- LOCKED REGISTRY KEYS -----
It looks like you are specifying File Handlers for File Extensions:
OpenWithList
OpenWithProgids
Some I can read such as:
"a"="firefox.exe"
"MRUList"="ba"
"b"="uTorrent.exe"
others I cannot identify.

What is *1* 0tmcE04l@w
It is an identity? Another language?

And there is a different entry here:
c:\users\Tommy\AppData\Roaming\—ßìƒTƒfƒBƒXƒeƒBƒbƒN SaveData

Can you identify the following?
c:\program files\millefeuille (7/15/2010) (a cream puff??)
C:\ZERO (7/2/2010)
\ouaoqdbwb (possibly Quick Books?)
c:\program files\Project64 1.6 (7/5/2010)


Do we have a language problem here?

 

[VTL]

Sorry for the late reply.

Here is the log from OT Move.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\$Recycle.Bin\S-1-5-21-3180167293-174922687-3939198346-1000\$RZZ21S0\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe not found.
File/Folder C:\Users\Tommy\Documents\Downloads\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Tommy
->Temp folder emptied: 52714372 bytes
->Temporary Internet Files folder emptied: 3934964 bytes
->Java cache emptied: 10693959 bytes
->FireFox cache emptied: 78099984 bytes
->Flash cache emptied: 2317 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7378 bytes
RecycleBin emptied: 117039678 bytes

Total Files Cleaned = 250.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 07262010_174928

c:\users\Tommy\AppData\Roaming\—ßìƒTƒfƒBƒXƒeƒBƒbƒN SaveData
c:\program files\millefeuille (7/15/2010) (a cream puff??)
C:\ZERO (7/2/2010)
\ouaoqdbwb (possibly Quick Books?)
c:\program files\Project64 1.6 (7/5/2010)

These are game directories that I have, I've deleted most of them since I have already finished the game. If it comes out as gibberish, then it must be the unicode settings.

But as for 1* 0tmcE04l@w, I have no idea what that is.

Thanks again.

 

[Bobbye]

Please remove the directories you no longer use. Then run the script below and paste the new log it creates in the next reply.

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
Driver::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

 

[VTL]

When I was running ComboFix, I got an error that says failed to delete C:\Windows\erdt\Hiv-Backup. But it seems I can manually delete that folder right now.

Anyways, here is the log from this time.

Thanks again.

 

[Bobbye]

Did you run Combofix in Safe Mode? Why?

 

[VTL]

No, I did not run combofix in safe mode.

 

[Bobbye]

Okay, Combofix is indicating that it was run in - REDUCED FUNCTIONALITY MODE -

Please review the information here and tell me which applies to your system:
http://support.microsoft.com/kb/925582

 

[VTL]

It is probably the non-genuine copy notice that I've mentioned before. I got it a couple days after running combofix the first time. And I haven't encountered the google redirection virus recently, but my computer is stuck in non-genuine reduced mode though.

 

[Bobbye]

If I had known the OS was pirated, the support would have stopped then.

 

[VTL]

The os is not pirated. I got it from my university.

 

[Bobbye]

Then it should have been a genuine copy. I seriously doubt that your university is handing out pirated copies of a Windows operating system.