
Google Redirect Virus - Possible Rootkit


#1 esimms

esimms

  • Members
  • 12 posts
  • Local time:08:31 PM

Posted 16 November 2009 - 06:05 PM

Sometimes when I search through google and click on the resulting links I am redirected to random sites. I looked around on some forums for what to do, and ended up downloading SpywareDoctor.

It identified Rootkit.tdss as a critical malware. I went ahead and purchased the full SpywareDoctor in order to remove it and other infections, and it did so. I thought this would have fixed the problem, but it did not. When I run Spyware Doctor now it doesn't show Rootkit.tdss anymore, but again the problem still exists.

Any help is very much appreciated.

Edited by Pandy, 16 November 2009 - 07:54 PM.
Moved from HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ~Pandy



#2 marvin w

marvin w

  • Members
  • 1 posts
  • Local time:05:31 PM

Posted 19 November 2009 - 07:24 PM

Sometimes when I search through google and click on the resulting links I am redirected to random sites. I looked around on some forums for what to do, and ended up downloading SpywareDoctor.

It identified Rootkit.tdss as a critical malware. I went ahead and purchased the full SpywareDoctor in order to remove it and other infections, and it did so. I thought this would have fixed the problem, but it did not. When I run Spyware Doctor now it doesn't show Rootkit.tdss anymore, but again the problem still exists.

Any help is very much appreciated.



I am having the same problem, and in fact using the same SpywareDoctor. In scanning the Rootkit.tdss is found and "fixed", but it comes back with the next google search. I have sent them a malware report asking for their assistance; will advise if you want?

#3 esimms

esimms
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:31 PM

Posted 20 November 2009 - 12:17 AM

Yes, I would very much appreciate that. Thanks.

#4 BoardWhore

BoardWhore

  • Members
  • 3 posts
  • Local time:09:31 PM

Posted 21 November 2009 - 02:01 PM

Sometimes when I search through google and click on the resulting links I am redirected to random sites. I looked around on some forums for what to do, and ended up downloading SpywareDoctor.

It identified Rootkit.tdss as a critical malware. I went ahead and purchased the full SpywareDoctor in order to remove it and other infections, and it did so. I thought this would have fixed the problem, but it did not. When I run Spyware Doctor now it doesn't show Rootkit.tdss anymore, but again the problem still exists.

Any help is very much appreciated.



It's become glaringly obvious that no one at this forum knows how to fix this problem especially when I see people being redirected to post their HijackThis logs over at TrendMicro, who is not keeping up with updates to that help tool. I posted the exact same issue on this forum almost a week ago, and have yet to receive any type of help or answer to my initial post. I do realize that there are many trojans and bugs running around these days and that this forum is busy. However, a simple "we're looking into it" would have been appreciated instead of being completely ignored.

As far as SpywareDoctor goes, I too was suckered into buying something that did not fix this issue. Shame on them for false advertising.

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio
  • Local time:09:31 PM

Posted 23 November 2009 - 08:02 PM

To BoardWhore
We have never redirected members to Trend Micro
There is a backlog and a waiting period
You should have been taken care of by now, but if you read the instructions it says make one single post
When you add a post,[as you have] it knocks you back in the rotation

==========================

to esimms

Please follow these instructions


We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==============================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

Edited by garmanma, 23 November 2009 - 08:03 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 esimms

esimms
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:31 PM

Posted 24 November 2009 - 05:33 AM

Thank you for your assistance. Here is the log from RootRepeal (processes, drivers, etc... all seemed to be checked and it got through most of the files but then came back with a message to run chkdsk, I did through the cmd prompt and the same thing happened; hopefully there is enough detail here):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 00:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: eamon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0x9CA7E000 Size: 770048 File Visible: No Signed: -
Status: -

Name: ehdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
Address: 0xA7FE0000 Size: 118784 File Visible: No Signed: -
Status: -

Name: epfwtdir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0x9ECAA000 Size: 102400 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF306000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Desktop\Microsoft
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\localstore.rdf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\parent.lock
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner.your-a846b26098\application data\mozilla\firefox\profiles\c46p3ve4.default\places.sqlite-journal
Status: Size mismatch (API: 386288, Raw: 181088)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\prefs.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\sessionstore.js
Status: Invisible to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8980a8a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6de22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9e4ecdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9e4eece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e8c4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6cb14

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89809cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8980a0d0

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6ed30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e0e2

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8980a6d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8980a4f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9e4e982

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8980a310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a1c7920]
Process: System Address: 0x89808930 Size: 1000

==EOF==

Here is win32 Diagnostics:

Running from: C:\Documents and Settings\Owner.YOUR-A846B26098\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner.YOUR-A846B26098\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

And the final log:
Volume in drive C has no label.
Volume Serial Number is 302B-8166

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/10/2004 12:00 PM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/10/2004 12:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 11:46 AM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32

08/10/2004 12:00 PM 55,808 eventlog.dll
3 File(s) 644,096 bytes

Directory of C:\WINDOWS\system32\dllcache

02/06/2009 11:46 AM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Total Files Listed:
8 File(s) 2,103,808 bytes
0 Dir(s) 14,251,593,728 bytes free
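As an added example (not code from the thread, from RootRepeal or from BleepingComputer's staff): a small Python triage script for a report in the RootRepeal format posted above. It groups SSDT hooks by the module RootRepeal attributes them to, separates out hooks with no attributable owner ("<unknown>") and any hidden-code stealth objects, and assumes PCTCore.sys (the PC Tools driver behind Spyware Doctor, an assumption here) is an expected hooker. The excerpt it parses is constructed from the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report format quoted in this thread (not the full log).
SAMPLE_LOG = """\
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8980a8a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6de22

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89809cb0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a1c7920]
Process: System Address: 0x89808930 Size: 1000

==EOF==
"""
HOOK_RE = re.compile(
    r'^#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]*)" at address (0x[0-9a-f]+)',
    re.M | re.I)
STEALTH_RE = re.compile(
    r'^Object: Hidden Code \[ETHREAD: (0x[0-9a-f]+)\]\nProcess: (\S+) Address: (0x[0-9a-f]+)',
    re.M | re.I)

def triage(log, known_hookers=("PCTCore.sys",)):
    """Group SSDT hooks by owning module; flag unattributed hooks and hidden-code objects."""
    hooks = defaultdict(list)
    for num, func, module, addr in HOOK_RE.findall(log):
        hooks[module].append((int(num), func, addr))
    # "<unknown>" means RootRepeal found no loaded driver owning the hook; known_hookers is the
    # installed security product whose hooks are expected (assumed: PCTCore.sys).
    suspicious = {m: h for m, h in hooks.items() if m not in known_hookers}
    stealth = [{"ethread": e, "process": p, "address": a} for e, p, a in STEALTH_RE.findall(log)]
    return {"hooks_by_module": dict(hooks), "suspicious": suspicious, "stealth": stealth}

def summarize(result):
    """One human-readable line per finding worth escalating."""
    lines = [f"{m}: hooks {', '.join(fn for _, fn, _ in h)}" for m, h in result["suspicious"].items()]
    lines += [f"hidden code in {s['process']} at {s['address']} (ETHREAD {s['ethread']})"
              for s in result["stealth"]]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```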

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio
  • Local time:09:31 PM

Posted 24 November 2009 - 08:57 PM

Hooked by "<unknown>" at address 0x8980a8a0

With the logs I had you produce, please follow these instructions


Now that you were successful in creating those logs you need to post them in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark