
Google Redirect followed by Virus


5 replies to this topic

#1 junky_2003


Posted 21 November 2009 - 08:13 PM

Hello:

3-4 weeks back, all my Google results were hijacked, but my PC was working normally, with none of the antivirus scans reporting any issue.
However, yesterday my machine seems to have become infested with a lot of spyware, and all the anti-spyware software has stopped working. I received a lot of alerts saying that system files have been replaced. I am now unable to boot my machine in safe mode. It keeps taking away my privilege of updating the registry, and folder options are disabled.

There is an entry for kegojapa.dll in my registry that keeps coming back every time I delete it. I am wondering if re-formatting is the only option left.
Any help would be appreciated.

Thank you!!


#2 junky_2003


Posted 21 November 2009 - 10:16 PM

The OS is WinXP.

#3 junky_2003


Posted 22 November 2009 - 12:36 PM

I followed some of the diagnostic steps mentioned in another link on this site.
1. Ran TFC.exe
2. Ran rkill
3. Downloaded the Malwarebytes installer. Found that the moment the software was installed, the malware in my system was deleting the executable file. To circumvent the problem, I ran the installer but, in the last stage, did not let Malwarebytes launch. I went to the installation folder and renamed the mbam.exe file to mbam.com.
4. Launched Malwarebytes and ran a full scan. It showed 18 infections. I rebooted the PC.
5. Ran another full scan but found 7 entries again. Repeated the step again after reboot and found that these 7 infections could not be cleaned by Malwarebytes.

Malwarebytes log is as follows:

Malwarebytes' Anti-Malware 1.41
Database version: 3212
Windows 5.1.2600 Service Pack 2

11/22/2009 3:16:19 AM
mbam-log-2009-11-22 (03-16-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 300728
Time elapsed: 1 hour(s), 37 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\zafufovi.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINNT\system32\__c0089275.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\maligoha.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0089275 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\zafufovi.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINNT\system32\__c0089275.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\maligoha.dll (Trojan.FakeAlert) -> Delete on reboot.

6. Downloaded SuperAntiSpyware and installed it.
7. Downloaded SafebootRepairKey.exe and ran it. However, I was still not able to reboot the machine in safe mode.
8. Ran SuperAntiSpyware in Normal mode itself. It reported the same issues as Malwarebytes. However, when it tried to fix the problem, the PC crashed with a blue screen.
9. After reboot, I ran SuperAntiSpyware in Normal mode again. It reported the issues again. However, this time, when it tried to fix the problem, I did not get a blue screen but instead got a message that the PC had to reboot because lsass.exe was terminated. It took a few seconds before the machine rebooted, and behind that window I saw the SuperAntiSpyware log show that the dlls and dat file were removed.
10. I rebooted the machine and ran a Malwarebytes quick scan. It found only one issue this time (Security Center registry fix). After fixing that, I am running a full scan now. Fingers crossed!!

#4 garmanma


Posted 23 November 2009 - 09:50 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 junky_2003


Posted 24 November 2009 - 01:29 PM

Hello Mark.

Thanks for your reply.

After the scan, I was able to restore the McAfee service and Ad-Aware SE service, but McAfee keeps throwing the virus alert 'tdlcmd.dll' deleted. Please find the log from RootRepeal below (I changed the name to tatertot.scr). Thanks again for your help.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/22 18:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0x9E066000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0x9EE1A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINNT\system32\drivers\tatertot.scr.sys
Address: 0x9D0B7000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Marimba\Castanet Tuner\3140
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\Program Files\Websense\WDC\WDC.exe
PID: 2052 Status: Locked to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6282

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6a5a

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb674c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6d98

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6dfa

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6b42

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6e8e

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb7064

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6cbe

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb73e8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6bda

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6c56

==EOF==

#6 garmanma


Posted 24 November 2009 - 09:28 PM

Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6cbe
Not a good sign

Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once your log is posted, do not add any more posts to the topic.

The HJT team is extremely busy, so be patient, and good luck.
Mark
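Reading a RootRepeal log like the one posted above by hand is slow, so here is an added Python example (not from the thread, from RootRepeal's authors, or from BleepingComputer) that parses the Drivers and SSDT sections, groups the hooked Nt* functions by the driver that hooks them, and lists drivers reported as "File Visible: No" that are not explained by Windows XP's dump_* crash-dump driver copies or by the tool's own driver named after the renamed executable. Those two exclusions are an assumption stated in the code, and the sample log is a constructed excerpt built from entries in the posted log.

```python
import re

# Constructed excerpt in the RootRepeal log format shown in this thread (entries taken from the posted log).
SAMPLE_LOG = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0x9E066000 Size: 98304 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINNT\system32\drivers\tatertot.scr.sys
Address: 0x9D0B7000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6282

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\System32\Drivers\wscam6300.sys" at address 0x9eeb6e8e
"""

HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
DRIVER_RE = re.compile(r"Name: (\S+)\nImage Path: (.+)\nAddress: (0x[0-9a-fA-F]+) Size: (\d+) File Visible: (\w+)")

def expected_hidden_driver(name, tool_exe="tatertot.scr"):
    # Assumption: XP's crash-dump driver copies (dump_*) and RootRepeal's own driver, which takes
    # the name of the (renamed) executable, are expected to show "File Visible: No".
    return name.lower().startswith("dump_") or name.lower() == f"{tool_exe}.sys".lower()

def parse_hooks(log):
    """Return every SSDT entry RootRepeal reports as hooked, with the hooking driver and address."""
    return [{"index": int(i), "function": fn, "hooker": path, "address": addr}
            for i, fn, path, addr in HOOK_RE.findall(log)]

def parse_hidden_drivers(log):
    """Return drivers from the Drivers section whose file is not visible on disk."""
    return [{"name": n, "path": p, "address": a, "size": int(s)}
            for n, p, a, s, visible in DRIVER_RE.findall(log) if visible == "No"]

def triage(log, tool_exe="tatertot.scr"):
    """Group hooked SSDT entries by driver and list hidden drivers not explained by the OS or the tool."""
    by_driver = {}
    for hook in parse_hooks(log):
        by_driver.setdefault(hook["hooker"], []).append(hook["function"])
    unexplained = [d["name"] for d in parse_hidden_drivers(log)
                   if not expected_hidden_driver(d["name"], tool_exe)]
    return {"hooks_by_driver": by_driver, "unexplained_hidden_drivers": unexplained}
```

A driver that hooks NtOpenProcess, NtCreateFile and the registry Nt* calls is worth investigating, but security products also hook the SSDT, so identify the hooking driver before treating the hook itself as malicious.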



