Google redirect?



#1 klmnumbers

Posted 16 July 2009 - 08:05 PM

Hi there-

This is my second time with a malware (I think) infection. Last time around, you guys helped me out. So, I'm looking to pester again.

Sometime a week ago, my computer started bluescreening in the middle of playing some games unexpectedly. Then my mother mentioned that her google searches were getting redirected. Then, the desktop of my computer was changed and the oh-too-familiar fake Antivirus ad popped up. I ran Malwarebytes and removed the offending items.

So, I thought everything was fine. But my google searches continue to be redirected, my mother's VISA was compromised, and Malwarebytes (which is up to date) is finding NO offending items. Could someone possibly help me?

Edited by klmnumbers, 16 July 2009 - 08:06 PM.

#2 Blade

Posted 16 July 2009 - 09:27 PM

Hello klmnumbers,

Let's see if we can zap this bugger :thumbsup:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade

In your next reply, please include the following:
SUPERAntiSpyware log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 klmnumbers

Posted 17 July 2009 - 01:40 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2009 at 01:26 AM

Application Version : 4.15.1000

Core Rules Database Version : 4001
Trace Rules Database Version: 1941

Scan type : Complete Scan
Total Scan Time : 02:12:16

Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 5922
Registry threats detected : 0
File items scanned : 76294
File threats detected : 1

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSNIRJ.DAT

Just an extra note: after rebooting, I tried to run Malwarebytes' Anti-Malware, and the program keeps auto-exiting in the middle of the scan, like someone is closing the window, but I'm not touching the program. It quits about one minute in, and I've tried running it several times.

Edited by klmnumbers, 17 July 2009 - 01:47 AM.


#4 Blade

Posted 17 July 2009 - 02:13 AM

Hello,

Before we continue, please take note of the following:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

***************************************************

If you wish to reformat and reinstall your OS, let me know. Otherwise we will continue with the cleaning process below.

***************************************************

Let's see if we can get Malwarebytes to run.

If you have problems getting MBAM to execute after installation, navigate to the folder MBAM installed to and rename mbam.exe to bubbles.bat. Then double click on the file you just renamed to launch the program. Once MBAM is running, make sure you've updated it and then run a scan as directed above.

***************************************************

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

~Blade

In your next reply, please include the following:
Malwarebytes log
RootRepeal log


#5 klmnumbers


Posted 17 July 2009 - 07:19 AM

I renamed Malwarebytes and it still stopped running in the middle. RootRepeal also auto-quit. (I tried renaming and changing the extension of both. I also tried running Spybot, which auto-quit.) I have already disconnected the computer from the net.

I'd rather not reformat if at all possible.. I genuinely don't know if I'll be able to find my XP discs, and I have somewhere in the neighborhood of 10 years worth of music on this computer that I (foolishly) don't really have saved elsewhere because my external which I used to back up the system was broken not too long ago.

I will tell you that I know the system was compromised because my mother's credit card information was stolen. She's already done what she needs to. I had a Xoom account registered in my name and already canceled it, but looking through my bank records, nothing seems out of place.

If it is your honest thought that I should reformat, I will. For the record, I ran Superanti-spyware in safe mode again last night because I realized I forgot to clean the firefox cache the first time. Here is the log from that one:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2009 at 05:31 AM

Application Version : 4.15.1000

Core Rules Database Version : 4001
Trace Rules Database Version: 1941

Scan type : Complete Scan
Total Scan Time : 02:11:28

Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 5922
Registry threats detected : 0
File items scanned : 75571
File threats detected : 1

Rootkit.Agent/Gen-Skynet
C:\WINDOWS\TEMP\SKYNETRRXCLPMXFB.TMP

Edited by klmnumbers, 17 July 2009 - 08:03 AM.


#6 DaChew


Posted 17 July 2009 - 08:05 AM

Try running just a file scan with Rootrepeal


Chewy

No. Try not. Do... or do not. There is no try.

#7 klmnumbers


Posted 17 July 2009 - 08:15 AM

I did a file scan. I watched while it scanned, and when it found the Skynet items, rootrepeal automatically shut down as well. I'm doing all this while NOT connected to the internet, also.

#8 Blade


Posted 17 July 2009 - 09:37 AM

Have you tried scanning with RootRepeal in Safe Mode? If you haven't yet tried that, please do so now.


I'd rather not reformat if at all possible..


This is your decision to make, but please realize that it would be unwise to ever use this computer for activities dealing with personally sensitive information. Also, even if nothing appears out of place in your financial records, it would be prudent to alert your bank and credit card company of your situation, so that they can be on the lookout for any strange behavior. Better safe than sorry! :thumbsup:

Edited by Blade Zephon, 17 July 2009 - 09:43 AM.



#9 klmnumbers


Posted 17 July 2009 - 09:45 AM

RootRepeal did the same in Safe Mode. It searched, and once it recognized Skynet, it shut down (the program, not the computer).

ETA- would there be a way for me to reformat if I don't have my XP discs anymore, though? I don't know if I'll be able to find them..

Edited by klmnumbers, 17 July 2009 - 09:46 AM.


#10 DaChew


Posted 17 July 2009 - 10:36 AM

I would keep looking for those disks but

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#11 klmnumbers


Posted 17 July 2009 - 10:54 AM

I know the complete scan takes a really long time, so I just wanted to update you that the express scan found nothing. (I will post the complete log once it's done)

bright side - I found a Dell installation CD for Windows XP and all the device drivers etc. (3 CDs in total). I hope that's all of the stuff I would need to reformat.. if it comes to that. Seriously though, RIP 100 gigs of music. =(

Edited by klmnumbers, 17 July 2009 - 10:57 AM.


#12 DaChew


Posted 17 July 2009 - 11:10 AM

I would consider purchasing an external hard drive for backup. You never want to put all your eggs(mp3's) in one basket.

#13 klmnumbers


Posted 17 July 2009 - 11:30 AM

I would consider purchasing an external hard drive for backup. You never want to put all your eggs(mp3's) in one basket.


I had one, but it was compromised somehow and broke. As in, when I moved my files from my old computer onto the external and then onto the new computer, it only transferred 1/3 of the files, and they now won't open at all. It sucks, but I genuinely don't have the money to drop on another one. Grad school makes me live on ramen and grilled cheese.

#14 klmnumbers


Posted 17 July 2009 - 01:42 PM

Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
SKYNETdbybktrh.dll;C:\WINDOWS\system32;Trojan.DownLoad.38278;Deleted.;
SKYNETbvpeqwbwxk.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcndogcpuih.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcvgpvrqsvw.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcvoicorcop.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETebkhkhwmau.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETeiocwcoiow.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETfpxdcfauhp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETgpsybuxojo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNEThajnnjqvcu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNEThvjyybclmw.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETicpsbnsvpl.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETikfikpmjtr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETimdpmcqjnd.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETjkcwoxmvvf.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETkqthvjguxv.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETmeackxdmpt.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETmixlguesxo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETnkeelrspsi.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETomeeweeksj.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNEToriwtsegxl.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETpordixiwrq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETpuuofqried.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETrgyarmvfew.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETriqrglmxsu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETrmcjfgbfao.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETruwlsvpvhu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETrxylbyfvkb.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETsbwvfxyvrw.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETsnebspbxiq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETsvbrompnnq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETtadksuwdef.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETtetsaispsc.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETtqxoxdmyrb.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETvofufpxtbr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwetmnsvunt.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwnfbgaaalr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwwjkyryuuo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwxvncvbyap.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETxwlhoshwhp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETxxgyurgcvn.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETxyiqjaxfml.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETygdxcbxvoo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETyripylnsec.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
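The report above is Dr.Web CureIt's semicolon-separated format: file name, directory, detection name, action taken, one entry per line. The following Python is an added example for reading such a report and condensing it for review; it is not code from the thread, from BleepingComputer or from Dr.Web. The sample input is constructed from the first lines of the posted log plus one deliberately malformed line, and the helper names (`parse_report`, `summarize`, `group_by_directory`, `needs_manual_review`) are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the same layout as the DrWeb.csv report posted above:
# file name;directory;detection name;action taken;  (one entry per line)
# The first five lines are copied from the post; the last line is a constructed
# truncated entry to show that short lines are skipped rather than crashing.
SAMPLE_REPORT = r"""
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
SKYNETdbybktrh.dll;C:\WINDOWS\system32;Trojan.DownLoad.38278;Deleted.;
SKYNETbvpeqwbwxk.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcndogcpuih.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
garbled line without enough fields
"""


def parse_report(text):
    """Parse a Dr.Web CureIt report into a list of dicts.

    Each entry is name;directory;detection;action; -- the trailing ';' leaves
    an empty fifth field, which is ignored. Lines with fewer than four fields
    are skipped so a truncated report does not abort the whole summary.
    """
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().split(";")]
        if len(fields) < 4 or not fields[0]:
            continue
        name, directory, detection, action = fields[:4]
        entries.append({
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action.rstrip("."),   # "Deleted." -> "Deleted"
        })
    return entries


def summarize(entries):
    """Count entries per threat family (the prefix before the first dot) and per action."""
    families = Counter(e["detection"].split(".")[0] for e in entries)
    actions = Counter(e["action"] for e in entries)
    return {"families": dict(families), "actions": dict(actions)}


def group_by_directory(entries):
    """Map each directory to the file names flagged inside it.

    A long run of random-looking names dropped into one Temp folder, as in the
    posted log, stands out immediately in this view.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[e["directory"]].append(e["name"])
    return dict(groups)


def needs_manual_review(entries):
    """Entries a person should look at rather than accept the verdict blindly:
    'Tool.' classifications (utilities the scanner considers risky, which are
    not necessarily malware) and anything moved to quarantine instead of
    deleted, since it may still need confirming or restoring."""
    return [e for e in entries
            if e["detection"].startswith("Tool.") or e["action"] != "Deleted"]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(summarize(report))
    for directory, names in group_by_directory(report).items():
        print(f"{directory}: {len(names)} file(s)")
    for e in needs_manual_review(report):
        print("review:", e["directory"] + "\\" + e["name"], e["detection"], e["action"])
```

On the sample, the summary shows two `Tool` entries, one `Trojan` and two `BackDoor`, with three deletions and two quarantine moves; the two `Process.exe` hits are the ones set aside for a human decision, while the `SKYNET*` files cluster under `C:\WINDOWS\Temp` and `C:\WINDOWS\system32`.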

#15 DaChew


Posted 17 July 2009 - 05:56 PM

Please download TFC by Old Timer and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe
http://www.geekstogo.com/forum/TFC-Temp-Fi...er-file187.html

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Then try a file scan again with Rootrepeal