search results redirected via 209.85.171.79 and 209.131.36.58/ Moved

3 replies to this topic

#1 Benos
  • Members
  • 2 posts

Posted 02 April 2009 - 06:03 PM

I have been having problems since Monday and haven't been able to resolve it yet. In my searching for solutions, I've come across BleepingComputer's forum, and my web browsers (Firefox and Internet Explorer) won't load it, so I figured you might be able to help if whatever has infected my computer won't let me access your forum.

All of my internet search results for Google are redirected through 209.85.171.79 and my Yahoo ones are redirected through 209.131.36.58. Other oddities are that from Run I can't launch cmd or REGEDIT. Instead, I had to copy and rename the executable files in order to access the C prompt and system registry. It has also not allowed certain scanning programs to receive updated definitions after installation.

I have Symantec Endpoint Protection but it didn't catch whatever has caused the problem. I've scanned in Normal and Safe mode with SEP but have found nothing. My definition files have been updated as well. It did return the following in the risk log and reported it as being deleted:
Date and Time: 3/31/2009 7:39
Risk: Downloader
Action: Deleted
Filename: NB[1].exe
Risk Type: File
Original Location: c:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\99S341XG\
User: SYSTEM
Status: Deleted
Current Location: Deleted
Primary Action: Delete
Secondary Action: Leave alone (log only)
Logged By: Scheduled scan
Action Description: The file was deleted successfully.

I ran Microsoft Windows Malicious Software Removal Tool March 2009 and it found nothing. I attempted Trend Micro's HouseCall but the infection prevented it from running.

I ran Panda Software's ActiveScan and it identified what I believe to be SEP files (hkey_classes_root\sep.av.scandlgs and hkey_local_machine\software\classes\sep.av.scandlgs) so I've done nothing with them.

I installed AdwareAlert and it found the following:
<hxxp://www.adwarealert.com/threat_report_big.php?ID=524745>

AdwareAlert identified a bunch of hkey_classes_root\interface\...... locations that I removed from the System Registry, but the problems remained.

I installed Malwarebytes' Anti-Malware and when I tried to update the definition file it failed; however, I did the manual install and the definition file was updated. I performed a scan in Normal Mode and it identified two items in C:\WINDOWS\system32:
Trojan.TDSS - TDSSpkxukdqf.log
Rootkit.Agent - TDSSufevllmj.dll

I had it remove them and then went to C:\WINDOWS\system32 and found a similar named file:
TDSSrjwptmyk.dat

I deleted it.

I rebooted but the same problems remain. I have since run Malwarebytes' Anti-Malware in Safe mode but it hasn't found anything since.

I am currently running SUPERAntiSpyware. I installed it on my computer but the definition file update failed. I tried the manual install option but it never showed as being updated. I installed SAS on this computer and the definitions updated fine. I then copied PROCESSLIST.DB and PROCESSLISTRELATED.DB from the folder of the successful install/update onto my computer; however, when I launched SAS it still didn't show the definition files as being updated. I ran ATFCleaner in Safe mode and then launched SAS. I conducted a full SAS scan in Safe mode with only the following checked:
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

It found a bunch of tracking cookies and 1 trojan:
C:\WINDOWS\system32\TDSSRJWPTMYK.DAT

So it looks like whatever is on my computer reinstalled the file that I manually deleted yesterday.

I've run Process Explorer and have looked for TDSS* but it didn't find anything. I also haven't observed any abnormal processes being listed either.

I will now rerun Malwarebytes in Safe Mode and would appreciate any other suggestions/recommendations.

Edited by Orange Blossom, 11 February 2013 - 04:20 AM.
Deactivate link. ~ OB
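Added example, not part of the thread or of any tool mentioned in it: a small Python checker built around the naming convention the post describes (a "TDSS" prefix, a run of random lowercase letters, then .dll/.dat/.log in system32). It uses the three file names from the post as constructed sample data, flags names that fit the pattern, and re-lists the directory after they are removed so that a component the infection puts back (as happened with TDSSrjwptmyk.dat) shows up explicitly. The directory it scans is a temporary one created by the script, so it runs anywhere; on a real machine you would point `list_directory` at the system32 folder instead. Names and helpers are my own assumptions, not anything from the tools in the thread.

```python
"""Spot randomly named TDSS components in a directory listing and detect
ones that reappear after deletion.  Added example; the file names below
come from the thread, the benign names are constructed."""
import re
import tempfile
from pathlib import Path

# The names the poster found in C:\WINDOWS\system32 (quoted from the thread),
# plus constructed benign names to show the matcher leaves them alone.
SAMPLE_LISTING = [
    "TDSSpkxukdqf.log",
    "TDSSufevllmj.dll",
    "TDSSRJWPTMYK.DAT",          # the .dat as SAS reported it, upper-cased
    "kernel32.dll",              # constructed, benign
    "ntoskrnl.exe",              # constructed, benign
    "tdsskiller_results.txt",    # constructed; prefix alone is not enough
]

# "TDSS" + 6..12 letters + one of the extensions seen in the post.
# Windows file names are case-insensitive, so the match is too.
TDSS_NAME = re.compile(r"^TDSS[a-z]{6,12}\.(dll|dat|log)$", re.IGNORECASE)


def find_tdss_artifacts(names):
    """Return the names (original spelling, sorted) that fit the TDSS pattern."""
    return sorted(n for n in names if TDSS_NAME.match(n))


def list_directory(path):
    """Plain files in `path`; subdirectories are skipped."""
    return [p.name for p in Path(path).iterdir() if p.is_file()]


def reappeared(deleted_names, current_names):
    """Names that were removed earlier but are present again (case-insensitive).

    A dropper that restores its components after a manual delete, as the
    poster saw with TDSSrjwptmyk.dat, is exactly what this surfaces."""
    current = {n.lower() for n in current_names}
    return sorted(d.lower() for d in deleted_names if d.lower() in current)


def demo():
    """Replay the sequence from the post inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_LISTING:
            (Path(tmp) / name).write_bytes(b"")

        hits = find_tdss_artifacts(list_directory(tmp))
        for name in hits:                       # the manual deletion
            (Path(tmp) / name).unlink()

        # Constructed: simulate the infection re-dropping one component.
        (Path(tmp) / "TDSSrjwptmyk.dat").write_bytes(b"")

        back = reappeared(hits, list_directory(tmp))
        return hits, back


if __name__ == "__main__":
    hits, back = demo()
    print("suspicious names:", hits)
    print("back after deletion:", back)
```

The reappearance check is the useful part: a scanner that reports a file as removed tells you nothing about whether something still on the box will write it again, which is why the later replies treat this as a rootkit/backdoor rather than a stray file.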

#2 Orange Blossom
    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 02 April 2009 - 08:41 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DaChew
    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 April 2009 - 09:20 PM

There's been a very nasty family of rootkits/backdoor trojans evolving these last few months:

TDSS, Seneka, GAOpdx, UAC

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#4 Benos

  • Topic Starter

  • Members
  • 2 posts

Posted 03 April 2009 - 11:34 AM

Thank you for the information. I had pretty much resolved that I would need to reinstall everything and had posted here as a last resort. I'm on another computer now and will reinstall over the weekend. Again, thank you.