Logs attached, Google redirect, evidence of rootkit

Status
Not open for further replies.

phanson

Hello,

I am trying to clean up a Vista machine (newer Toshiba, 32-bit Vista, Service Pack 1, Core 2 Duo).

Symptoms:
It has had a problem with Google result links redirecting to ad pages. I saw "rootkit" elements in some of the results from the preliminary work.

Please take a look at the logs and let me know if there are any further steps that need to be taken.

I also ran Avast and it found 3 files that were removed:
File C:\Windows\System32\drivers\gxvxcqmvypeuinstwuvtpdtgdpsberwiqvtfc.sys is infected by Win32:Alureon-AW [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Windows\System32\gxvxcvgofsexwxwafbfrrcprdqtrpicuolsxg.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Windows\System32\gxvxcweeyyxbtmmcanxqvwxxuxlfyytadsvnc.dll is infected by Win32:Trojan-gen {Other}, Moved to chest

The machine has "Windows Live OneCare" installed, and I believe I had the virus Real Time Monitoring turned off for this during the steps.

Thank you for taking a look.

Peter
 

Attachments

  • hijackthis.log
    10 KB · Views: 5
  • mbam-log-2009-06-24 (16-53-06).txt
    1.5 KB · Views: 5
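An added example, not code from the thread: it parses Avast detection lines of the form shown in the post (path, signature, the [Rtk] rootkit class, repair result, quarantine action) and flags the long, generated file-name stems typical of the Alureon driver and DLLs found here, so a helper can see at a glance that a rootkit scan is warranted. The third sample line and the randomness thresholds are assumptions of this example, not Avast behaviour.

```python
import re
from collections import Counter
from math import log2
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: lines 1-2 are the Avast detections quoted in the post above,
# line 3 is an invented, ordinary-looking detection to show the heuristic not firing.
SAMPLE_LOG = r"""File C:\Windows\System32\drivers\gxvxcqmvypeuinstwuvtpdtgdpsberwiqvtfc.sys is infected by Win32:Alureon-AW [Rtk], Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Windows\System32\gxvxcvgofsexwxwafbfrrcprdqtrpicuolsxg.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Windows\System32\drivers\example.sys is infected by Win32:Sample-gen {Other}, Moved to chest"""

# "File <path> is infected by <signature> [class] {kind}, <rest>"
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>[^\s,]+)"
    r"(?: \[(?P<cls>[^\]]+)\])?(?: \{(?P<kind>[^}]*)\})?"
    r"(?:, (?P<rest>.*))?$"
)

def name_entropy(stem: str) -> float:
    """Shannon entropy in bits per character of a file-name stem."""
    counts = Counter(stem)
    return -sum(c / len(stem) * log2(c / len(stem)) for c in counts.values())

def looks_randomised(path: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic chosen for this example (not an Avast feature): long, all-lowercase,
    high-entropy stems under System32 match the generated names seen in the post."""
    stem = PureWindowsPath(path).stem
    return (len(stem) >= min_len and stem.isalpha() and stem.islower()
            and name_entropy(stem) >= min_entropy)

def parse_avast_line(line: str) -> Optional[dict]:
    """Return a triage record for one detection line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rest = d["rest"] or ""
    return {
        "path": d["path"],
        "signature": d["sig"],
        "rootkit": d["cls"] == "Rtk",                  # Avast's [Rtk] class tag
        "repair_failed": "not repaired" in rest,        # e.g. "Error 42060"
        "quarantined": rest.endswith("Moved to chest"),
        "random_name": looks_randomised(d["path"]),
    }

def triage(log_text: str) -> list:
    """Parse all detection lines; a row with rootkit or random_name set warrants a rootkit scan."""
    return [r for r in (parse_avast_line(l) for l in log_text.splitlines()) if r]
```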
Hello phanson

Please download ComboFix here ->
ComboFix
Before saving it to the Desktop, please rename it to 321.com to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.
It is usually located in c:\combofix.txt; please attach it to your next post.
 
oops

I see that I did not have everything turned off. I turned off the firewall and SUPERAntiSpyware and ran again.

This log says Windows Defender is enabled, but it isn't.

Peter
 

Attachments

  • ComboFix.txt
    17.8 KB · Views: 5
Open Notepad and copy/paste the text in the quotebox below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
File::
c:\programdata\Google\Google Toolbar\Update\gtbEA7D.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtbAAC8.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtb6286.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtb39E.tmp.exe
c:\programdata\Google\Google Toolbar\Update\gtbE6A4.tmp.exe

[image: CFScriptB-4.gif]


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted.
It is usually located in c:\combofix.txt; please post it in your next reply, and tell me how things are running.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Touch, I don't see what is wrong with those files, unless I'm missing something. Either way, it should be fine to delete them, but I don't see the point.

If you think you have a rootkit, I'd suggest running GMER and uploading a log.
 
latest log

I ran the CFScript. It said it had to send some files to the server for further analysis.

Here is the latest log.

The computer seems faster. I tried Google searches and have not been redirected, but it was intermittent before. Searches do seem particularly fast, though. Maybe it's the time of night.

What do you think of the GMER idea, Touch? I read at the GMER site that its technology has been incorporated into Avast, which I have run.

Thanks again for the help. What's the next step?

Peter
 
Well, there's no harm in running GMER. I would have doubts over what 'incorporated' actually implies.
 
phanson -> If your computer is running fine, then I can't see why we should run GMER.

I have approximately ten other scan tools we can run, but I can't see the point ;)
 
Better safe than sorry. Whether a computer is 'running fine' is a rather risky way to go about keeping a computer secure.
 
As someone who has been trained in malware removal and has been doing it for years, I find the implication that I am spamming simply because I disagree with you offensive to say the least. This thread isn't the place to pursue whatever feelings you might have against someone who believes differently to yourself, and nor is it the place for me to respond to them.

Let's keep this thread on topic, please.
 
next steps?

touch,

What are the next steps? I know we aren't finished yet.

It seems to boot a little slow, but other than that I am not using the thing during this process, so I haven't seen other symptoms.

Here is the latest HJT log.

Peter
 
Thanks tystanwick.

I ran MBAM and it said it found nothing.

Now Windows Update is having trouble installing some updates: Office 2003 SP3, KB970011, and KB907417. It seems CCleaner or something may have whacked the install cab files, which these updates think they need. I found a solution at sku011cab.com (a simple regedit) and now they install.

Thanks everyone for your help.

Peter
 