
Programs Blocked - Searches Redirected


This topic is locked. 20 replies to this topic.

#1 rexabbot
  • Members
  • 10 posts

Posted 17 August 2009 - 06:12 PM

My problem began when I noticed that my Google searches were being redirected when I clicked on a link.
That progressed until now I cannot open Internet Explorer at all.
That progressed; now I can't open any antivirus, spyware program, HijackThis, etc. When I try to open the program I get the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
My antivirus, Symantec Antivirus, has caught a few Trojans but it doesn't fix the problem.
Please help.
I will attach the dds.scr files. But as I mentioned before, I cannot run HijackThis.
Thanks, Rex


#2 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 17 August 2009 - 09:31 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured. [image]
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* OTL.txt
* OTL Extra.txt
* RootRepeal log

I will review your logs and post instructions forthcoming.
Regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 18 August 2009 - 07:04 AM

Thank you for your fast reply!

I have attached the RootRepeal Report as requested.

I cannot attach the OTL report as it cannot complete. I failed to mention in my initial post, when I try to run various antivirus and antimalware programs the first time, they start and run partially and then close.

Thanks for your help!

Rex

#4 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 18 August 2009 - 07:16 AM

Hi Rex,
I do not see any attachments with your post.

Nevertheless...please reboot your computer into Safe Mode then run the scans I recommended.

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Follow my instructions again. This time please Copy and Paste your replies into your post. Do not attach them unless I specify you to do so.

Thanks,
~t

#5 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 18 August 2009 - 08:19 AM

I booted in safe mode and redid the RootRepeal Scan. The OTL scan still did not work. It started scanning and then closed. That is the same behavior other antivirus and antimalware programs have exhibited since I have had this problem.

Here is the RootRepeal text:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 08:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAD2E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7887000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF77E7000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7438000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

==EOF==

Thanks again for your help!
Rex
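The RootRepeal report above is plain text with two sections (Drivers and Hidden/Locked Files), each entry separated by a blank line. The following Python is an added example, not code from the thread or from RootRepeal's authors: it parses that format and flags the entries a helper would ask about. Its sample input is an excerpt of the report posted above. The allow-list of driver-name prefixes that are expected to have no image on disk (dump_* crash-dump driver copies and the scanner's own rootrepeal.sys) is an assumption of this example, and the note about a ":1" suffix naming an NTFS alternate data stream is a general fact about Windows file naming, not a verdict from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the RootRepeal report posted above, same format.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 08:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAD2E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7887000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF77E7000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

==EOF==
"""


@dataclass
class Driver:
    name: str
    image_path: str
    address: str
    size: int
    file_visible: bool
    signed: str
    status: str


@dataclass
class LockedFile:
    path: str
    status: str


SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files)$")
# The Address line packs four fields onto one line.
ADDR_RE = re.compile(
    r"^Address:\s*(\S+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)$"
)


def parse_rootrepeal(text):
    """Return (drivers, locked_files) parsed from a RootRepeal report."""
    drivers, locked = [], []
    section = None
    fields = {}

    def flush():
        nonlocal fields
        if fields and section == "Drivers" and "Name" in fields:
            drivers.append(Driver(
                name=fields["Name"],
                image_path=fields.get("Image Path", ""),
                address=fields.get("Address", ""),
                size=int(fields.get("Size", "0")),
                file_visible=fields.get("File Visible", "").lower() == "yes",
                signed=fields.get("Signed", "-"),
                status=fields.get("Status", "-"),
            ))
        elif fields and section == "Hidden/Locked Files" and "Path" in fields:
            locked.append(LockedFile(fields["Path"], fields.get("Status", "-")))
        fields = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "===")):
            flush()  # a blank line or separator ends the current entry
            continue
        m = SECTION_RE.match(line)
        if m:
            flush()
            section = m.group(1)
            continue
        if section is None:
            continue  # banner lines before the first section
        m = ADDR_RE.match(line)
        if m:
            fields["Address"], fields["Size"] = m.group(1), m.group(2)
            fields["File Visible"], fields["Signed"] = m.group(3), m.group(4)
            continue
        key, sep, value = line.partition(":")  # first colon only: paths keep their "C:"
        if sep:
            fields[key.strip()] = value.strip()
    flush()
    return drivers, locked


# Assumption of this example: driver names that are normally absent from disk.
EXPECTED_INVISIBLE = ("dump_", "rootrepeal.sys")


def triage(drivers, locked):
    """Return (item, reason) pairs worth a second look."""
    findings = []
    for d in drivers:
        if d.file_visible or d.name.lower().startswith(EXPECTED_INVISIBLE):
            continue
        reason = "driver loaded but its image is not visible on disk"
        base, sep, stream = d.name.partition(":")
        if sep:  # "win32k.sys:1" names an NTFS alternate data stream of a system file
            reason += f"; image lives in alternate data stream '{stream}' of {base}"
        findings.append((d.name, reason))
    for f in locked:
        findings.append((f.path, f"hidden/locked file: {f.status}"))
    return findings


if __name__ == "__main__":
    drv, lck = parse_rootrepeal(SAMPLE_LOG)
    for item, reason in triage(drv, lck):
        print(f"{item}: {reason}")
```

Run against the excerpt, the two findings are the win32k.sys:1 stream driver and the locked eventlog.dll; the dump_* and rootrepeal.sys entries are filtered out by the allow-list, which is the same reading a helper applies by eye.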

#6 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 18 August 2009 - 09:07 AM

Hey Rex,

Try this.
Delete your copy of OTL.
Re-download another copy.
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop. Rename it to Rex.exe
  • Double click on the Rex.exe icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured. [image]
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Also try this if you still can't get OTL to run...
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks,
~t

#7 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 18 August 2009 - 07:00 PM

Tried both OTL and RSIT. Both started to run and then abruptly quit. When I tried to run them again, I got the error message I stated earlier. I downloaded them again, renaming them as I downloaded them. Ran them in safe mode. They did the same thing. So I cannot post any of the logs.
What else can we try?
Rex

#8 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 18 August 2009 - 08:37 PM

Hi Rex,
One last idea. If this does not work then I will submit my analysis of your DDS log to my Coach and propose a fix based on your current dilemma.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode" [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy
After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

==========

Now try to run OTL as I recommended above. If you are unable then let me know and I will post instructions forthcoming.

Thanks,
~t

#9 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 18 August 2009 - 08:43 PM

Thank you for your response!

Unfortunately, as I mentioned before, I cannot run Spybot Search and Destroy. It is blocked.

I guess you will need to get your coach involved.

Rex

#10 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 18 August 2009 - 09:10 PM

Hi,
I have reviewed your DDS logs and proposed a fix for review by my expert coach. I will then post instructions for you to follow. Please minimize use of this computer if possible. I would like to ask you to remain patient in the meantime and make no changes to the computer whatsoever unless I direct you to do so! Your fix is based on the current state of your computer and any changes could hamper the cleaning process.
Kind regards,
~t

#11 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 19 August 2009 - 02:12 PM

Hi Rex,
Let's begin.

Please note.........

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

==========

If you decide to continue despite that outlined above then please proceed as I have listed below.

==========

First...

Download and run Win32kDiag:

==========

Next....

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

With your next post please provide:

* Your decision in relation to the Backdoor

- If you decided to proceed -

* Win32kDiag.txt
* Log.txt

Kind regards,
~t

Edited by thcbytes, 19 August 2009 - 02:23 PM.


#12 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 19 August 2009 - 10:16 PM

Thanks for info!
I have reinstalled the computer back to its original state from the restore disks. I hope this is enough?

I had an external hard drive connected that I back up to, could that be infected also?

If so, what do I do to check it?

Thanks, Rex

#13 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 20 August 2009 - 09:16 AM

Hi Rex,
A good choice. It appears you were likely infected by a very new nasty Rootkit. Most in the Security community are just in the last few days learning about it and developing techniques to eradicate it!!!! Nevertheless.

> I have reinstalled the computer back to its original state from the restore disks. I hope this is enough?

Did you format the hard drive and reinstall the OS? Reinstalling Windows without first wiping the entire hard drive with a reformat will not be sufficient. A reinstall will only overwrite the Windows files. Also, if you just went back to a previous Restore Point then you're still likely infected.

==========


A few caveats.

> I had an external hard drive connected that I back up to, could that be infected also?

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


If any of the file extensions were saved then we should scan that drive for infection. Have you reconnected that external drive to any other computer aside from the infected one? Have you reconnected that external drive to the reformatted computer?

==========

With your next post please provide:

* Answer to questions
* Based on your answers I will guide you.

Kind regards,
~t
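The post above lists the file extensions that should not be carried over from an infected machine's backup, and says the backup drive needs scanning if any were. The Python below is an added example, not code from the thread or from any of the tools it mentions: it walks a backup listing, separates files carrying those extensions from the rest, and summarises them per extension so the owner knows what to hand to a scanner before restoring anything. The K: drive letter and the file names in the sample listing are constructed for the example (the thread's MBAM log shows K:\ being scanned, but the names are hypothetical).

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# The extensions the post above says should not be backed up, and that warrant a
# scan of the backup drive if any were.
RISKY_EXTENSIONS = frozenset({
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php",
})


def classify_paths(paths):
    """Split file paths into (risky, other) by extension, ignoring case.

    PureWindowsPath is used so drive-letter paths from a Windows backup
    listing parse correctly even when this runs on another OS.
    """
    risky, other = [], []
    for p in paths:
        ext = PureWindowsPath(p).suffix.lower()
        (risky if ext in RISKY_EXTENSIONS else other).append(p)
    return risky, other


def summarize(risky):
    """Count risky files per lower-cased extension, e.g. {'.exe': 1, '.zip': 1}."""
    return dict(Counter(PureWindowsPath(p).suffix.lower() for p in risky))


def scan_backup_tree(root):
    """Walk a mounted backup directory and return the risky paths under it."""
    paths = (os.path.join(dirpath, name)
             for dirpath, _dirs, names in os.walk(root)
             for name in names)
    return classify_paths(paths)[0]


# Constructed sample listing: hypothetical file names, not taken from the thread.
SAMPLE_LISTING = [
    r"K:\Backup\Documents\letter.doc",
    r"K:\Backup\Documents\budget.xls",
    r"K:\Backup\Pictures\IMG_0001.jpg",
    r"K:\Backup\Saved pages\recipe.html",
    r"K:\Backup\Downloads\setup.EXE",
    r"K:\Backup\Downloads\archive.zip",
]

if __name__ == "__main__":
    risky, other = classify_paths(SAMPLE_LISTING)
    print(f"{len(risky)} file(s) to scan before restoring, {len(other)} other file(s)")
    for p in risky:
        print("  scan:", p)
    print("by extension:", summarize(risky))
```

On a real drive, call scan_backup_tree with the mount point of the backup; the listing-based classify_paths is what the tree walker feeds, so the same rules apply to a saved directory listing as to the live drive.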

#14 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 20 August 2009 - 05:51 PM

I did not reformat. I tried and I couldn't do it. I booted into safe mode with command prompt and tried but it wouldn't work. I guess I have to try to boot another way to reformat?
I reinstalled from the recovery disks that came with the computer that returns the computer to the state it was in when I bought it including the original programs. I did not use system restore. That wouldn't have worked anyway it was blocked.
I have not plugged the external hard drive into any other computer. I did back up at least one html file. Can I scan the external drive and repair any problems? I have reconnected it back to this computer. I have installed and scanned everything with mbam. I will paste the log here. I have also done a full scan with avast free home antivirus, no reports of viruses.
Sounds like I will need to reformat and reinstall everything again?
Malwarebytes' Anti-Malware 1.40
Database version: 2663
Windows 5.1.2600 Service Pack 3

8/20/2009 5:26:57 PM
mbam-log-2009-08-20 (17-26-57).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 254759
Time elapsed: 2 hour(s), 41 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks for your help, Rex

#15 rexabbot
  • Topic Starter
  • Members
  • 10 posts

Posted 21 August 2009 - 07:10 AM

I contacted the manufacturer of my computer (Sony), and they confirmed that when I used the restore disks it reformatted the disk as well. Here is the text of the chat.
Rex has entered room

analyst Arthur_ has entered room

Arthur_> Hi Rex. Welcome to Sony Online Support. I'm Arthur. Please allow me a moment to review your concern.

Arthur_> Thanks for waiting, Rex. I'll be glad to assist you with the information about the Recovery Discs.

Arthur_> Rex, you can perform a complete System Recovery using the Recovery discs which formats the entire Hard Drive and reinstalls the pre-installed Operating system , Drivers and the applications.

Rex> Good, I have already done this. I just wanted to verify that when I did the System Recovery using the Recovery discs that it in fact did reformat. I want to make sure everything was cleaned off the drive.

Arthur_> Good. Let me know if there are any questions, or if you have it from here.

Rex> Thanks for your help. That is all I needed to know.

Arthur_> You're welcome.

Arthur_> I hope you find this information useful. If you have any further questions, please feel free to contact us.

Arthur_> Please feel free to get back to us using this same email id, if you require any further assistance.

Arthur_> It was a pleasure assisting you.

Arthur_> Have a nice day.



