Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Re-direction and Trojan TDSS


  • Please log in to reply
22 replies to this topic

#1 Infected1

Infected1

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 04 August 2009 - 05:45 PM

Hi everyone, thank you for having this site to help people.

I have a problem that redirects my searches in google.

I have run Malwarebytes and Spybot and get the same Trojan.TDSS problems and Backdoor.BOT problems. After I run the the 2 apps, it asks me to restart my computer. However the problem still persists.

If someone can please give me instruction on what to do next I would greatly appreciate it. Thanks in advance.

BC AdBot (Login to Remove)

 


m

#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 04 August 2009 - 06:05 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check the Files box: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 05 August 2009 - 11:50 PM

Hi Budapest thank you for taking the time to look into my problem

Here is the report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 00:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Download\PSP\P90x\SHOULDER_AND_ARMS\MAQ10040.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Download\PSP\P90x\SHOULDER_AND_ARMS\MAQ10041.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\application data\symantec\common client\volatile.dat
Status: Allocation size mismatch (API: 520, Raw: 0)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090805.037\EraserUtilDrv10910.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\G\Local Settings\Application Data\Microsoft\Messenger\gpac@hotmail.com\SharingMetadata\jenzt@hotmail.com\DFSR\Staging\CS{A23684AA-1BFF-7142-4E20-308B1681A5EB}\12\21-{4D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\G\Local Settings\Application Data\Microsoft\Messenger\gpac@hotmail.com\SharingMetadata\jenzt@hotmail.com\DFSR\Staging\CS{A23684AA-1BFF-7142-4E20-308B1681A5EB}\13\18-{79~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\G\Local Settings\Application Data\Microsoft\Messenger\gpac@hotmail.com\SharingMetadata\jenyt@hotmail.com\DFSR\Staging\CS{A23684AA-1BFF-7142-4E20-308B1681A5EB}\13\19-{4D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\G\Local Settings\Application Data\Microsoft\Messenger\gpac@hotmail.com\SharingMetadata\jenyt@hotmail.com\DFSR\Staging\CS{A23684AA-1BFF-7142-4E20-308B1681A5EB}\14\20-{4D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

==EOF==

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 06 August 2009 - 12:00 AM

Nothing much there. Try this:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 06 August 2009 - 08:18 AM

Hi here are the results

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2009 at 03:24 AM

Application Version : 4.27.1000

Core Rules Database Version : 4041
Trace Rules Database Version: 1981

Scan type : Complete Scan
Total Scan Time : 01:51:22

Memory items scanned : 238
Memory threats detected : 0
Registry items scanned : 8051
Registry threats detected : 18
File items scanned : 167976
File threats detected : 2

Trojan.Agent/Gen-SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#DeviceDesc

Trojan.Agent/Gen-MSNCache
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#DeviceDesc

Trojan.OnlineGames[PWS]
C:\DOCUMENTS AND SETTINGS\GIL\LOCAL SETTINGS\TEMP\FLASHD.DLL

Unclassified.Unknown Origin
C:\PROGRAM FILES\SWISHMAX\TEMP\KEYGEN.NFO

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 06 August 2009 - 04:13 PM

Update Malwarebytes, run another quick scan and post the new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 07 August 2009 - 12:12 AM

Should I "Remove Selected"



Malwarebytes' Anti-Malware 1.40
Database version: 2573
Windows 5.1.2600 Service Pack 2

07/08/2009 1:10:35 AM
mbam-log-2009-08-07 (01-09-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297980
Time elapsed: 1 hour(s), 45 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP929\A0135175.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP929\A0135176.dll (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP929\A0135178.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP929\A0135179.dll (Trojan.TDSS) -> No action taken.

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 07 August 2009 - 12:27 AM

Yeah - you can remove it.

How's your computer running?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 07 August 2009 - 01:56 AM

So far so good. thank you very much for all your help. I really appreciate it.

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 09 August 2009 - 06:08 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or JS2E entries that you have.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 09 August 2009 - 08:37 PM

Thanks I will give that a go

#12 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 10 August 2009 - 01:14 AM

Hi all I see is

J2SE Runtime Environment 5.0 Update 6

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 10 August 2009 - 01:22 AM

That Java entry is out of date. You should remove it and then get the latest from here:

http://java.com/en/download/index.jsp
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#14 Infected1

Infected1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 12 August 2009 - 09:05 AM

Ok everything is complete however when I came back today I saw all these pop up windows of gambling sites, etc.

I checked the processes and I see a program called MSA.exe running and all these programs called a.exe, b.exe etc.

Should I start a new topic on this?

#15 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 12 August 2009 - 04:47 PM

Run another Malwarebytes scan and post the new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users