Solved Need help with the Google Redirect virus

Ariakis
DELL Precision 380 with XP Pro. Just got the PC and was updating and installing software. I don't think it had it when I first started. I'd hate to start over but may need to. I had AVG and SpyBot running.

I ran through your 8 recommended steps (attached the 3 logs). As I saw in a few other threads it went away after finishing however it came back after a reboot.

The HJT log is the most recent after the reboot.

Update: I saw another thread where Hitman Pro 3.5 cured the problem. I think it found it ... but when I try to remove it's actually removing a key driver and crashing me to a blue screen where I restore my last version (still infected). It says I have a Trojan named iaStor.sys in \system32\DRIVERS
 

Attachments

  • mbam-log-2010-02-21 (12-36-59).txt (1,004 bytes)
  • hijackthis.log (7.9 KB)
  • SUPERAntiSpyware Scan Log - 02-21-2010 - 13-57-25.log (1 KB)
  • hijackthis2.txt (8 KB)
  • hijackthis3.txt (8 KB)
I saw another thread where Hitman Pro 3.5 cured the problem. I think it found it ... but when I try to remove it's actually removing a key driver and crashing me to a blue screen where I restore my last version (still infected). It says I have a Trojan named iaStor.sys in \system32\DRIVERS
That's why tools like Hitman are very dangerous.
iaStor.sys is your hard drive controller driver. If removed, you won't be able to boot.


Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
 
TDSSKiller results

19:06:10:187 2928 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
19:06:10:187 2928 ================================================================================
19:06:10:187 2928 SystemInfo:

19:06:10:187 2928 OS Version: 5.1.2600 ServicePack: 3.0
19:06:10:187 2928 Product type: Workstation
19:06:10:187 2928 ComputerName: USER-89FCA39E0D
19:06:10:187 2928 UserName: User
19:06:10:187 2928 Windows directory: C:\WINDOWS
19:06:10:187 2928 Processor architecture: Intel x86
19:06:10:187 2928 Number of processors: 2
19:06:10:187 2928 Page size: 0x1000
19:06:10:187 2928 Boot type: Normal boot
19:06:10:187 2928 ================================================================================
19:06:10:187 2928 UnloadDriverW: NtUnloadDriver error 2
19:06:10:187 2928 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:06:10:187 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:06:10:203 2928 UtilityInit: KLMD drop and load success
19:06:10:203 2928 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
19:06:10:203 2928 UtilityInit: KLMD open success
19:06:10:203 2928 UtilityInit: Initialize success
19:06:10:203 2928
19:06:10:203 2928 Scanning Services ...
19:06:10:203 2928 CreateRegParser: Registry parser init started
19:06:10:203 2928 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
19:06:10:203 2928 CreateRegParser: DisableWow64Redirection error
19:06:10:203 2928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:06:10:203 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
19:06:10:203 2928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:06:10:203 2928 wfopen_ex: Trying to KLMD file open
19:06:10:203 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
19:06:10:203 2928 wfopen_ex: File opened ok (Flags 2)
19:06:10:203 2928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264B18
19:06:10:203 2928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:06:10:203 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
19:06:10:203 2928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:06:10:203 2928 wfopen_ex: Trying to KLMD file open
19:06:10:203 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
19:06:10:203 2928 wfopen_ex: File opened ok (Flags 2)
19:06:10:203 2928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264A08
19:06:10:203 2928 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
19:06:10:203 2928 CreateRegParser: EnableWow64Redirection error
19:06:10:203 2928 CreateRegParser: RegParser init completed
19:06:10:500 2928 GetAdvancedServicesInfo: Raw services enum returned 340 services
19:06:10:500 2928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:06:10:500 2928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:06:10:500 2928
19:06:10:500 2928 Scanning Kernel memory ...
19:06:10:500 2928 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:06:10:500 2928 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B203938
19:06:10:500 2928 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
19:06:10:500 2928
19:06:10:500 2928 DetectCureTDL3: DEVICE_OBJECT: 8A808C68
19:06:10:500 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A808C68
19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0x8A808C68[0x38]
19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT: 8B203938
19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B203938[0xA8]
19:06:10:500 2928 KLMD_ReadMem: Trying to ReadMemory 0xE1009888[0x18]
19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE : BA10EBB0
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CLOSE : BA10EBB0
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_READ : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_WRITE : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA1092E2
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA1093BB
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA1092E2
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_POWER : BA10AC82
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA10F99E
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
19:06:10:500 2928 TDL3_FileDetect: Processing driver: Disk
19:06:10:500 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:06:10:500 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:06:10:531 2928 TDL3_FileDetect: Processing driver: Disk
19:06:10:531 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:06:10:531 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
19:06:10:531 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:06:10:531 2928
19:06:10:531 2928 DetectCureTDL3: DEVICE_OBJECT: 8B202AB8
19:06:10:531 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B202AB8
19:06:10:531 2928 DetectCureTDL3: DEVICE_OBJECT: 8AC0C030
19:06:10:531 2928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC0C030
19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8AC0C030[0x38]
19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT: 8A7C25A8
19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8A7C25A8[0xA8]
19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B18E030[0x38]
19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B18F9C8[0xA8]
19:06:10:531 2928 KLMD_ReadMem: Trying to ReadMemory 0xE1B43AD8[0x1C]
19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CLOSE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_READ : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_WRITE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_EA : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_EA : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SHUTDOWN : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CLEANUP : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_SECURITY : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_POWER : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_SET_QUOTA : 8B115A9A
19:06:10:531 2928 TDL3_FileDetect: Processing driver: iastor
19:06:10:531 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:06:10:531 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:06:10:546 2928 DetectCureTDL3: All IRP handlers pointed to one addr: 8B115A9A
19:06:10:546 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B115A9A[0x400]
19:06:10:546 2928 TDL3_IrpHookDetect: CheckParameters: 0, 0, 607, 138, 3, 120
19:06:10:546 2928 KLMD_ReadMem: Trying to ReadMemory 0x8B115909[0x400]
19:06:10:546 2928 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 1
19:06:10:546 2928 TDL3_FileDetect: Processing driver: iastor
19:06:10:546 2928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:06:10:546 2928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:06:10:546 2928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Clean
19:06:10:546 2928
19:06:10:546 2928 Completed
19:06:10:546 2928
19:06:10:546 2928 Results:
19:06:10:546 2928 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:06:10:546 2928 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:06:10:546 2928 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:06:10:546 2928
19:06:10:546 2928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
19:06:10:546 2928 UtilityDeinit: KLMD(ARK) unloaded successfully
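The detail that matters in this log is the iastor block: every IRP_MJ dispatch entry points to the one address 8B115A9A while the driver file on disk gets "Verdict: Clean". As an added example, not part of the thread or of TDSSKiller itself, this Python script parses those DetectCureTDL3 and TDL3_FileDetect lines from a constructed excerpt of the log and flags that pattern; the regex names, the record layout and the min_majors threshold are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed excerpt in TDSSKiller 2.2.4 log format: a few IRP_MJ rows per driver
# instead of the full table, using the addresses that appear in the thread's log.
SAMPLE_LOG = """\
19:06:10:500 2928 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE : BA10EBB0
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_READ : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_WRITE : BA108D1F
19:06:10:500 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA1093BB
19:06:10:531 2928 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
19:06:10:531 2928 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\iastor, Driver Name: iastor
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_READ : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_WRITE : 8B115A9A
19:06:10:531 2928 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8B115A9A
19:06:10:546 2928 DetectCureTDL3: All IRP handlers pointed to one addr: 8B115A9A
19:06:10:546 2928 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\iaStor.sys - Verdict: Clean
"""

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-Fa-f]+)")
ONE_ADDR_RE = re.compile(r"All IRP handlers pointed to one addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")


def parse_tdsskiller_log(text):
    """Map driver name -> record built from the DetectCureTDL3 / TDL3_FileDetect lines."""
    drivers = OrderedDict()
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = drivers.setdefault(m.group(2), {
                "object": m.group(1), "handlers": {},
                "tool_flag": None, "file": None, "verdict": None})
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            current["handlers"][m.group(1)] = m.group(2).upper()
            continue
        m = ONE_ADDR_RE.search(line)
        if m:
            current["tool_flag"] = m.group(1).upper()
            continue
        m = VERDICT_RE.search(line)
        if m:
            current["file"], current["verdict"] = m.group(1), m.group(2)
    return drivers


def assess(drivers, min_majors=4):
    """Flag drivers whose whole IRP dispatch table resolves to one address.

    A normal driver shows several distinct handlers (majors it does not implement
    stay on the kernel's default routine), so one address for every major is unusual.
    With a 'Clean' verdict on the file, the hook exists only in memory (the TDL3
    pattern). Still a lead, not a verdict: a thin driver may legitimately funnel all
    IRPs through one routine. min_majors is an assumed threshold for truncated tables.
    """
    findings = []
    for name, rec in drivers.items():
        addrs = set(rec["handlers"].values())
        if len(rec["handlers"]) < min_majors or len(addrs) != 1:
            continue
        addr = addrs.pop()
        memory_only = rec["verdict"] == "Clean"
        findings.append({
            "driver": name, "object": rec["object"], "address": addr,
            "majors": len(rec["handlers"]), "file": rec["file"],
            "verdict": rec["verdict"],
            "tool_flagged": rec["tool_flag"] == addr,
            "severity": "high" if memory_only else "medium",
            "note": "single dispatch address, file scans clean: memory-resident hook, escalate"
                    if memory_only else "single dispatch address: check the file verdict",
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['object']}: {f['majors']} majors -> {f['address']}, "
              f"{f['file']} verdict={f['verdict']}, tool agreed={f['tool_flagged']}; {f['note']}")
```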
 
Good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Post ComboFix

Files attached. The log says removed. Quick test shows no redirects although we'll see next time I reboot. Let me know what you think. Any next steps? Thanks!!!!!!

Question: Beyond AVG, Comodo, and SpyBot S&D which I had before unless you think I should change them out ... which should I uninstall and/or delete of ComboFix, TDSSKiller, CCleaner, HijackThis, SuperAntispyware, and Malwarebytes?
 

Attachments

  • hijackthis4.log (8.2 KB)
  • ComboFix.txt (30.8 KB)
Very good :)
Are you running Comodo AV and firewall, or AV only?
Spybot can be uninstalled, because it's a rather obsolete tool.
We'll take care of Combofix in a moment.
TDSSKiller can go.
CCleaner is a fine tool, as long as you leave the registry part alone.
HJT can be uninstalled at the end.
Malwarebytes and Superantispyware are your tools to keep.

====================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\ezsidmv.dat


Folder::

Driver::

Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Thanks!

I'll have an update with logs next time I get to that PC later tonight thank you so much!

Only running Comodo as a firewall. I have a router too. Think this is unnecessary?

I assume you don't want me to uninstall anything until we've completely solved this.

Will ditch TDSSKiller. You don't advise using the registry cleaner function on CCLeaner at all once this is solved or just carefully?

Are you saying to ditch AVG and use Malwarebytes and Superantispyware as my active pair once this is resolved?

===================================================================
 
Only running Comodo as a firewall. I have a router too. Think this is unnecessary?
That's fine.
I assume you don't want me to uninstall anything until we've completely solved this.
Yes.
You don't advise using the registry cleaner function on CCLeaner at all once this is solved or just carefully?
Registry cleaners are absolutely unnecessary and they simply may be dangerous. There is no single reason to use them.
Are you saying to ditch AVG and use Malwarebytes and Superantispyware as my active pair once this is resolved?
You'll be in perfect shape with them.
 
As requested

My laptop which didn't come down with this has Avast and Threatfire paired. How do you think they compare for protection to MWB/SASW paired as you have suggested? That is the PC we usually use for banking, etc while this desktop is for general use.

In any case, logs attached. Am I clean and protected from this forward?
 

Attachments

  • ComboFix.txt (29.1 KB)
  • hijackthis5.txt (7.8 KB)
You have to have an AV program.
As for antispyware tools, you won't find anything better than MBAM and Super.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Not sure what happened ... I'll try again tomorrow with IE8 again or maybe Firefox pending your feedback. Won't be able to try again until after work tomorrow. It was downloading for about 20 minutes to almost 50% then got a bunch of this:

Invalid file signature: bases/five/avc/avp.klb
File download: index/master.xml.klz
Updates source is selected: http://downloads1.kaspersky-labs.com/
File download: index/master.xml.klz
File download: bases/five/avc/avp.klb
Invalid file signature: bases/five/avc/avp.klb
File download: index/master.xml.klz
Updates source is selected: ftp://downloads2.kaspersky-labs.com/
File download: index/master.xml.klz
File download: bases/five/avc/avp.klb
Invalid file signature: bases/five/avc/avp.klb
File download: index/master.xml.klz

0 [ERROR: Invalid file signature]
 
Alternatively, you can try this one:

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Update

I didn't see where ESET would print a log file but it said it finished with no error. I didn't uninstall in case you want me to run it later. I'll try Kaspersky again while I wait on your next response. Attached is the HJT log too.
 

Attachments

  • hijackthis6.txt (7.9 KB)
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Will do ComboFix now ... here is what I got from Kaspersky:

Monday, February 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, February 23, 2010 00:11:56
Records in database: 3632205
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
Scan statistics
Objects scanned 59700
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 01:19:22

No threats found. Scanned area is clean.
Selected area has been scanned.
 
Yeah, we have a rootkit here...

Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select Extract All...
- Follow the prompts and extract the avenger folder to your desktop

Double click on avenger.exe.
Click OK in pop-up window.

Avenger window will open.

Click on Execute button.
Click OK in two consecutive pop-up windows.

Your computer will re-boot now.

Upon re-boot, Notepad window will open.
Select all text, copy it, and paste it into next reply.

NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
 
Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives

  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
 
Update

I only ran it once as it didn't find anything. So far I haven't been getting redirected though.


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 2/23/2010 at 0:03:30 AM
User "User" on computer "USER-89FCA39E0D"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 2/23/2010 at 0:14:44 AM
 

Attachments

  • hijackthis8.txt (8 KB)
Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 