Need help with Google redirect. TDSS killer won't run!


16 replies to this topic

#1 HolyCrapItsMyles

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 26 October 2012 - 05:31 PM

Hello. I have a computer that has some form of Google search redirect on it.
I can normally take care of these kinds of things, but this one is very stubborn. The most frustrating thing is that TDSS Killer will not run. I double-click on it, and it just disappears from the task manager, even if renamed.

Rkill comes up clean. Malwarebytes found 'trojan.0access' and removed it. ESET Online came up clean. Sophos only found items in the Vipre Antivirus quarantine. Spybot came up clean. Dr.Web CureIt only found false positives (Rkill, showmypc, etc.).
What else can I try? I am currently scanning with GMER. Any suggestions will be appreciated.

Edited by HolyCrapItsMyles, 26 October 2012 - 05:33 PM.



#2 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 26 October 2012 - 05:57 PM

Download ListParts from here:

For 32 bit

ListParts 32

For 64 bit

ListParts 64

Launch it, click on SCAN, and post the log.

#3 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 26 October 2012 - 07:22 PM

ListParts by Farbar Version: 16-10-2012
Ran by ****** (administrator) on 26-10-2012 at 17:17:42
Windows 7 (X86)
Running From: C:\Users\****\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 65%
Total physical RAM: 3543.25 MB
Available physical RAM: 1220.63 MB
Total Pagefile: 7084.78 MB
Available Pagefile: 4312.98 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.64 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:138.94 GB) (Free:70.46 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:8.1 GB) (Free:0.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 2047 MB 1024 KB
Partition 2 Primary 138 GB 2048 MB
Partition 3 Primary 8 GB 140 GB
Partition 4 Primary 10 MB 149 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 2047 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 138 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D HP_RECOVERY NTFS Partition 8 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******
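The ListParts log above flags partition 4 as type 17 (hidden NTFS), marked active, with no volume behind it, which is the profile of a rootkit-planted boot partition. As an added example (my own code, not from the thread or from ListParts), the following Python script builds a constructed MBR whose four entries mirror the partition layout reported in this thread's logs, parses the partition table back, and flags entries with those traits. The hidden-type set and the "tiny partition at the end of the disk" threshold are my assumptions.

```python
import struct
SECTOR = 512
# MBR type IDs for "hidden" FAT/NTFS partitions; 0x17 (hidden NTFS) is the type ListParts flagged above
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Constructed partition table modelled on the thread's logs (not a dump from the poster's disk)
DISK_SECTORS = 152627 * 2048                       # "Size: 152627MB" in the aswMBR log
ENTRIES = [                                        # (bootable, type, start LBA, sector count)
    (False, 0x07, 2048, 2047 * 2048),              # SYSTEM
    (False, 0x07, 4194304, 142275 * 2048),         # C: OS
    (False, 0x07, 295573504, 8294 * 2048),         # D: HP_RECOVERY
    (True, 0x17, 312559616, 10 * 2048),            # hidden 10 MB partition, marked active
]
VOLUME_STARTS = {2048, 4194304, 295573504}         # partitions the OS exposes as volumes

def build_mbr(entries):
    # 512-byte MBR with zeroed boot code; only the table at offset 446 and the 0x55AA signature are filled
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, start, size) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,          # CHS fields left zero
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def parse_mbr(mbr):
    # Return the non-empty entries of the partition table as dicts
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, size = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:
            parts.append(dict(index=i + 1, active=flag == 0x80, type=ptype, start=start, sectors=size))
    return parts

def suspicious_partitions(parts, disk_sectors, volume_starts):
    # Flag entries showing the traits of the hidden partition in this thread
    findings = []
    for p in parts:
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % p["type"])
        if p["active"] and p["start"] not in volume_starts:
            reasons.append("active (bootable) but no volume mounted from it")
        if p["sectors"] * SECTOR <= 16 << 20 and p["start"] + p["sectors"] == disk_sectors:
            reasons.append("tiny partition at the very end of the disk")
        if reasons:
            findings.append((p["index"], reasons))
    return findings

def demo():
    return suspicious_partitions(parse_mbr(build_mbr(ENTRIES)), DISK_SECTORS, VOLUME_STARTS)
```

Only the fourth entry is reported; on a real system the same checks would be run over the first sector read from the physical disk and cross-checked against the volumes the OS actually mounts.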

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 26 October 2012 - 07:50 PM

.

Edited by narenxp, 28 October 2012 - 07:45 PM.


#5 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 26 October 2012 - 10:24 PM

Kernel Detective did not show "callback routine exists in an unknown module" under System notify callbacks. Should I skip ahead to the aswMBR?

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 27 October 2012 - 12:53 AM

Post the screenshot of it.

#7 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 28 October 2012 - 07:39 PM

Posted Image

and

Posted Image

Sorry it took so long, kept getting a blue screen from kernaldetective.sys.

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 28 October 2012 - 07:44 PM

Download

TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET Online Scanner

Install it.

Click on START; it should download the virus definitions.
When the scan completes, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

Edited by narenxp, 28 October 2012 - 08:57 PM.


#9 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 28 October 2012 - 08:56 PM

TDSSFix came up with 0 items found. aswMBR and TDSSKiller still will not run.

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 28 October 2012 - 08:57 PM

Did you get any pop-up asking to install the EXTENDED MONITORING DRIVER while running TDSSFix?

Edited by narenxp, 28 October 2012 - 10:03 PM.


#11 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 28 October 2012 - 09:57 PM

I did get a pop-up, but cancelled it. I ran it again and opted to load the monitoring driver, but lost my remote session in the process.

I will continue in the morning.

#12 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 28 October 2012 - 10:03 PM

.

Edited by narenxp, 29 October 2012 - 10:35 AM.


#13 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 29 October 2012 - 10:01 AM

Running TDSSFix with the loaded modules found the TDSS partition and removed it. I can now scan with TDSS Killer (0 items found), and am no longer getting Google redirects!

aswMBR caused an iastor.sys blue screen. Scanning with ESET now.

Edited by HolyCrapItsMyles, 29 October 2012 - 10:02 AM.


#14 narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:35 PM

Posted 29 October 2012 - 10:35 AM

Try to run aswMBR in safe mode with networking.

#15 HolyCrapItsMyles

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 29 October 2012 - 04:16 PM

ESET only found items in the virus vaults of other scanners.

Ran aswMBR in safe mode w/ networking:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-29 13:12:30
-----------------------------
13:12:30.958 OS Version: Windows 6.1.7601 Service Pack 1
13:12:30.958 Number of processors: 2 586 0x170A
13:12:30.958 ComputerName: A-HP UserName:
13:12:45.155 Initialize success
13:13:39.645 AVAST engine defs: 12102901
13:13:51.361 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:13:51.361 Disk 0 Vendor: WDC_WD16 03.0 Size: 152627MB BusType: 3
13:13:51.361 Disk 0 MBR read successfully
13:13:51.361 Disk 0 MBR scan
13:13:51.361 Disk 0 Windows 7 default MBR code
13:13:51.423 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 2047 MB offset 2048
13:13:51.439 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 142275 MB offset 4194304
13:13:51.486 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 8294 MB offset 295573504
13:13:51.486 Disk 0 scanning sectors +312559616
13:13:51.564 Disk 0 scanning C:\Windows\system32\drivers
13:13:59.769 Service scanning
13:14:18.474 Modules scanning
13:14:22.499 Disk 0 trace - called modules:
13:14:22.514 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iastor.sys
13:14:22.530 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860c0030]
13:14:22.530 3 CLASSPNP.SYS[8bba359e] -> nt!IofCallDriver -> [0x851d2dc8]
13:14:22.545 5 ACPI.sys[8b4463d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x848f1028]
13:14:23.388 AVAST engine scan C:\Windows
13:14:25.806 AVAST engine scan C:\Windows\system32
13:16:35.583 AVAST engine scan C:\Windows\system32\drivers
13:16:55.909 AVAST engine scan C:\Users\****
13:18:45.032 AVAST engine scan C:\ProgramData
13:19:58.492 Scan finished successfully
13:41:51.671 Disk 0 MBR has been saved successfully to "C:\Users\****\Desktop\temp\MBR.dat"
13:41:51.671 The log file has been saved successfully to "C:\Users\*****\Desktop\temp\aswMBR.txt"
