Search redirects... suspect malware/virus/rootkit


9 replies to this topic

#1 Nuch

  • Members
  • 9 posts

Posted 22 October 2009 - 11:49 PM

Hello! I'm having a serious problem that leads me to believe my computer is infected. I've been following this site for computer problems for a few years, and you never fail to help as best you can. If you could spare the time, I would really appreciate some help... this is a bit over my head.

Basically, whenever I do a search on say Google or Yahoo!, I get weird misdirects to unknown/unheard-of sites. I recently contracted and purged some viruses/malware from a bad site misdirecting me (one of which was "AV Care"), but this problem has lingered since. I've tried Mbam, SaS, Spybot, McAfee, and even the Kaspersky tool, all to no avail, even in safe-mode searches... so my suspicion is that this is either something really deep, a "rootkit" (not sure what that is, but I know it masks infections), or a combination of the two. My OS is Windows XP. Please, if you can, help me find and solve this problem.

- Nuch

#2 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 23 October 2009 - 01:09 AM

On a side note, I've run Dr. Web Scanner, and each and every time it finds "Backdoor.tdss.565" and removes it, but it keeps returning...

- Nuch

#3 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 23 October 2009 - 02:16 PM

Starting to get desperate: nothing is working; blue screens; and losing things such as desktop background/time settings being changed. Please help, I fear I'm going to have to try and flush it soon.

- Nuch

#4 vobguy

  • Members
  • 2 posts

Posted 23 October 2009 - 04:01 PM

> Starting to get desperate: nothing is working; blue screens; and losing things such as desktop background/time settings being changed. Please help, I fear I'm going to have to try and flush it soon.
>
> - Nuch

I am new here - and not a security professional, but one thing I have learned the hard way several times in my life is - when you are stuck in a hole, stop digging.

Recently I learned how that applies to computer malware too. For me, it meant keeping the computer turned off as much as possible and using other machines I had to do the research, while not introducing files or USB dongles from the infected machines to the clean machines. For a while that meant I had to wait until I got into work just to be safe.

If you are concerned that you won't be able to turn it back on, then at least unplug from the network and disable the network interfaces (and the radio if you are on wireless), and use the time while the computer is on to figure out what data you absolutely have to save if worst comes to worst and you have to resort.

Meanwhile I am sure someone will be with you soon. Seems like a lot of issues recently.

I am sorry to tell you, but I had the AV Care thing on my system too - I didn't install it; it just showed up as I was browsing. I never agreed to install anything. I have Virut and a number of trojans, and I am resigned that I am going to have to reformat and reinstall my laptop.

I am not saying that is what YOU have - I will let the professionals here determine that. But start thinking about coming to terms with that, if you have the same thing I do.

#5 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 23 October 2009 - 07:15 PM

Well I appreciate the advice. It's getting pretty bad so... I'm naturally getting worried... don't even feel secure using my own computer :thumbsup:
Ya I got rid of AV Care, but it seems as though it brought lots of nasty friends...

- Nuch

#6 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 24 October 2009 - 12:59 AM

WTB Expert :thumbsup:

- Nuch

#7 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 24 October 2009 - 02:33 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 04:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: C.tmp
Image Path: C:\WINDOWS\system32\C.tmp
Address: 0xB85C6000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA1882000 Size: 872448 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9EA26000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xb80f887e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xb8369470

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xb80f8bfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xb8369520

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xb83695c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xb8369660

==EOF==

Edited by Nuch, 24 October 2009 - 03:05 AM.
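An added triage helper for the RootRepeal report above (example code written for this page, not part of the thread or of RootRepeal): it parses the Drivers and SSDT sections, lists loaded drivers the scanner could not see on disk after discounting the scanner's own driver and the in-memory dump_* crash-dump copies, and counts SSDT hooks per hooking module so that anything outside an analyst-supplied allowlist of security products can be checked by hand. The report excerpt is reproduced from the post; treating AVGIDSShim.sys as the one expected hooker is an assumption, and a flagged module is a lead for review, not a verdict.

```python
import re
from collections import Counter

# Excerpt reproduced from the RootRepeal report posted in the thread (added example).
REPORT = r"""Drivers
-------------------
Name: C.tmp
Image Path: C:\WINDOWS\system32\C.tmp
Address: 0xB85C6000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA1882000 Size: 872448 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9EA26000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xb80f887e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xb8369470

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xb80f8bfe
"""

# One driver block: Name line, Image Path line, then the Address line carrying File Visible.
DRIVER_RE = re.compile(r"^Name: (.+)\n.*\n.*File Visible: (\S+)", re.M)
# One SSDT entry: index and function, then the hooking module and the hook address.
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\S+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

def hidden_drivers(report):
    """Loaded drivers RootRepeal could not find on disk, minus two expected cases: the scanner's own
    rootrepeal.sys and dump_* crash-dump copies of the storage driver, which exist only in memory."""
    return [name for name, visible in DRIVER_RE.findall(report)
            if visible == "No" and name != "rootrepeal.sys" and not name.lower().startswith("dump_")]

def unexpected_hookers(report, known_security_drivers):
    """Count SSDT hooks per hooking module (file name only) and keep the modules that are not in
    the analyst-maintained allowlist of security products expected to hook the SSDT (assumption)."""
    counts = Counter(path.rsplit("\\", 1)[-1] for _, _, path, _ in HOOK_RE.findall(report))
    return {module: n for module, n in counts.items() if module not in known_security_drivers}
```

On this excerpt, `hidden_drivers(REPORT)` leaves only C.tmp, and `unexpected_hookers(REPORT, {"AVGIDSShim.sys"})` leaves Lbd.sys with two hooks, since the report names it without a path that would tie it to an installed product.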


#8 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 24 October 2009 - 05:40 PM

Well, I ran Dr. Web CureIt in safe mode, and it found a bunch of stuff. Here's the question: I moved all of the files that couldn't be cured; should I manually delete them? What's next?

Process in memory: C:\WINDOWS\Explorer.EXE:312;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Richard\My Documents\Downloads\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Richard\My Documents\Downloads\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
RegUBP2b-Richard.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Flash_Disinfector.exe\nircmd.exe;C:\Documents and Settings\Richard\My Documents\Downloads\Flash_Disinfector.exe;Tool.NirCmd.1;;
Flash_Disinfector.exe;C:\Documents and Settings\Richard\My Documents\Downloads;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Richard\My Documents\Downloads\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Richard\My Documents\Downloads\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\Richard\My Documents\Downloads;Archive contains infected objects;Moved.;
Dc5.exe\nircmd.exe;C:\RECYCLER\S-1-5-21-619165062-855320985-2905689816-1008\Dc5.exe;Tool.NirCmd.1;;
Dc5.exe;C:\RECYCLER\S-1-5-21-619165062-855320985-2905689816-1008;Archive contains infected objects;Moved.;
A0000524.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Tool.Prockill;Incurable.Moved.;
A0000532.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Trojan.StartPage.1505;Deleted.;
A0001532.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7;Trojan.StartPage.1505;Deleted.;
A0001551.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8;Trojan.StartPage.1505;Deleted.;
A0001563.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8;Tool.Prockill;Incurable.Moved.;

And also, this backdoor.TDSS, the top one, keeps coming back. How do I get rid of it for good? Some professional help would be greatly appreciated here.

- Nuch

#9 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 24 October 2009 - 08:16 PM

I hope this forum doesn't mind bumping, because I reeeaaallly need a hand here.

- Nuch

#10 Nuch

  • Topic Starter
  • Members
  • 9 posts

Posted 25 October 2009 - 02:20 PM

Again, bump. No change in my situation, except Dr. Web finds more and more crap with every scan. Don't know if I should purge it or search for a cleaner.

- Nuch
