
Browser redirected


5 replies to this topic

#1 dahnbee

dahnbee

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 June 2009 - 11:43 AM

Windows Defender kept popping up (every hour) with the warning that I had this TrojanDownloader: Renos.dz but said it successfully cleaned it each time. During this time, my web browser has been redirecting search sites, Internet Explorer pages have been popping up (even when offline), and "phantom ads" have played (when no browsers are open and offline). I was unable to run Spybot Search and Destroy at this time as well. I have since uninstalled it and have been unable to reinstall it as it gives me the BSOD even in Safe Mode. SuperAntiSpyware has this problem as well, although only in Normal Mode, as Windows Installer does not work in Safe Mode. I have even renamed the .exe file before saving the file and transferring it to my computer via a jump drive, to no avail. I am currently only aware of my browsers being redirected when using a search engine, as I can type in the web addresses.

I have since (finally) been able to install Malwarebytes which comes out clean. I have not been able to complete a full scan via malwarebytes or Trend Micro because it always gets stuck on the D:\Windows\System32 folder. (usually at D:\Windows\System32\config\SECURITY and once on D:\Windows\System32\Boot\winresume).

I have also run ATF Cleaner in safe mode.

In short, the main problems are the web browser being misdirected, BSOD anytime I try to install Spybot or SuperAntiSpyware, and not being able to complete a full scan as it freezes when in D:\Windows\System32.

I am running Vista 32-bit with Service Pack 1.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:22 AM

Posted 03 June 2009 - 12:53 PM

I have since (finally) been able to install Malwarebytes which comes out clean. I have not been able to complete a full scan via malwarebytes

How do you know it's coming out clean if you cannot complete a full scan? Are you trying to do your scan in safe or normal mode?

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

Edited by quietman7, 03 June 2009 - 12:55 PM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 dahnbee

dahnbee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 03 June 2009 - 03:58 PM

My apologies, I meant that I was able to run the quick scans and they came up clean. I have been running Dr.Web CureIt and have deleted a .dll object out of my C:\Windows\Sys32 (BackDoor.Tdss.223), but the scan has been "stuck" on D:\Windows\System32\config\SOFTWARE for the better part of 30 minutes. Still letting it continue...

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:22 AM

Posted 03 June 2009 - 09:28 PM

The speed of an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
To speed up your scans, uninstall unnecessary programs, clean out the temporary files or use ATF Cleaner first, close all open programs and do not use the computer during the scan.

Note: It is not unusual for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because it has difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files. Certain files in the System Volume Information folder, like the Tracking.log which is created by the Distributed Link Tracking Service to store maintenance information, have also been reported as a source causing some scanners to hang.

#5 dahnbee

dahnbee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 04 June 2009 - 11:43 AM

DrWeb still freezes up in D:\Windows\System32, and I let it run overnight.
It did find one object:
gxvxcmyrsvotsutcreiqtcpprvpvpdbbtssiq.dll, C:\Windows\System32
status: BackDoor.Tdss.22e

I have also tried to just scan the D: drive and it freezes as well.

I have tried to run Kaspersky's online scanner this morning in Internet Explorer (Firefox stops responding when I try to load the scanner) but that fails as well.

Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
(it tries other upload sites with the same error)
Update has failed. Program has failed to start. ... [ERROR: Invalid file signature]


Spybot still gives me a BSOD when it begins creating the desktop shortcut.
Malwarebytes quick scan shows no issues.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:22 AM

Posted 04 June 2009 - 12:30 PM

IMPORTANT NOTE: One or more of the identified infections is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.