

Google redirect - computer freezing - rootkit


21 replies to this topic

#1 Jingo

Jingo

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 29 December 2009 - 11:05 AM

Hi,

I have been reading your forums for a while, and trying to deal with a problem with my computer. It started off as a Google redirect virus, and I downloaded Spybot and Malware Antibytes, which identified a rootkit problem. Antibytes, I thought, had cleared the problem up - it asked me to reboot to complete the removal process, etc.

However, since then my computer keeps freezing, sometimes after only a few minutes. It often doesn't even load windows up properly and gets stuck in the "running startup scripts" message.

I've tried to follow your instructions about DDS and Root Removal and have attached the logs. Root Removal stopped halfway through and said there was some kind of error.

I am very stuck, (this is the third time I'm writing this message - the first two times the computer froze) please help.

Many thanks in advance.


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 08 January 2010 - 09:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 09 January 2010 - 10:56 PM

Hi m0le,

I am writing this msg from my phone because the computer no longer allows me to log into forums (I'm guessing something to do with cookies perhaps?).
Anyway, I am here and have been checking the forums daily. I hope you are able to help me and I appreciate you getting back to me. :(

How would you like me to proceed?

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 10 January 2010 - 05:03 AM

Your PC has been attacked and may have had system files damaged too.

Not being able to run tools on the machine makes this tougher so we'll try and run some small programs to help us.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Next

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Finally attempt to run Combofix


Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: ComboFix Recovery Console prompt]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: Recovery Console installed message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


If any of these steps gets stopped then let me know. :(
m0le is a proud member of UNITE

#5 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 10 January 2010 - 09:55 AM

Hi m0le,

Thanks for getting back to me so soon. Well, it seems you have the magic touch already - as a result of your steps I am now able to log into the forum from my computer without getting the Microsoft "sorry we have to close Internet Explorer" message.

Okay so I followed all your steps:

1. exehelper did what you said it would. Didn't have to do it twice as there was no error message. I have attached the log file to this message.

2. Rkill downloaded successfully (as far as I know). Double-clicked, got a little black DOS screen, which then closed a few moments later, so I think that went okay.

3. Combofix downloaded, saved as comfix.exe. It identified the lack of Recovery Console as you said it would. Allowed it to do all its stuff, following the prompts, and ended up with a log, which I have also attached to this message along with the exehelper one.

Incidentally, I tried to follow your instructions about disabling programs before running combofix. McAfee, I wasn't able to do anything with. I have a white icon with a red M in it in my system tray (I don't know if that's relevant or not), and there is no option to "Exit". I tried opening the Virus Scan Console up, but couldn't find anything.

I have Spybot Tea-timer running as well I think. I tried to disable it, but until I ran your combofix, spybot wouldn't even open. Not sure if any of these things are relevant, but I thought I'd mention them in case it helps your work.

Also, when I first started up the computer, it would stay stuck in the "running startup scripts" bit for ages before asking me to enter my password. It ran much quicker this time. I have noticed though that there is now an Internet Explorer icon on my desktop with my password as the filename. Weird or expected?


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 10 January 2010 - 11:12 AM

Expected. Combofix has ripped out the rootkit and that frees up your operating system.

There's still an infected system file to replace so we need to rerun Combofix with a script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Fcopy::
c:\windows\$NtServicePackUninstall$\ws2_32.dll | c:\windows\system32\ws2_32.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#7 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 10 January 2010 - 12:19 PM

Hi m0le,

I ran the script you posted. McAfee wouldn't let me disable anything. Spybot wouldn't load up.

Logfile is attached.

Attached Files

  • Attached File  log2.txt   14.07KB   14 downloads


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 10 January 2010 - 05:07 PM

Slight problem, you don't seem to have a clean backup file to replace the infected file.

We need to copy a clean file from a clean PC and replace the bad one. This is a little bit more tricky but I have laid it out for you in four steps. If you are stuck or not sure then just post back.


1. Copy the ws2_32.dll file from a clean computer. Do not download a copy from the internet as this may also be infected.

Double-click My Computer, double-click the windows folder, then double-click the system32 folder. You should find the ws2_32.dll file in this folder. Right click on this file and select Copy.

Insert your transferral media (blank CD or flash drive)

Open the media by double-clicking the icon for it in windows explorer.

Select Paste from the edit menu at the top of the explorer window. If you are burning onto a CD select Burn these files to CD from the panel at the left of the explorer screen.


2. Renaming the bad file

Boot the computer with your XP CD and wait for it to get to the main installation screen; it should give you the option of pressing R to start the recovery console. Press R.

You should see a command prompt - C:\windows>

Type cd system32 and then press enter

The command prompt should now read C:\windows\system32>

Type rename ws2_32.dll ws2_32.bad then press enter


3. Find out the drive letter associated with your media. (If you know this already skip to number 4)

Insert your media and type d and hit enter.

If the command prompt changes to D:\> then type dir and press enter.

If you see your clean copy of ws2_32.dll listed, then you've got the right drive letter. If not, repeat the procedure using the letter E in place of D; proceed through the alphabet until you get the right drive letter.


4. Copy the clean file to the System32 folder

Type the following substituting the ? with the drive letter for your removable media

copy ?:\ws2_32.dll c:\windows\system32

Then press enter


Now you can remove your CD or flashdrive and type exit at the command prompt to reboot the system.

Now please rerun Combofix and post the log it produces. :(
m0le is a proud member of UNITE

#9 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 11 January 2010 - 05:07 PM

Hi m0le,

Slight problem. This is an old work laptop. I don't have the XP CD. I've managed to get a clean copy of the .dll file, so I thought I'd try running the Recovery Console from the bootup option, but no joy. It just gave me a blank black screen with a flashing cursor. Any workaround possible?

Thanks,
Jingo

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 11 January 2010 - 06:49 PM

Last option is to boot using a recovery console bootable CD below.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • Then the command prompt will open and you can continue from the fourth line of the second step.

m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 16 January 2010 - 09:53 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 19 January 2010 - 09:21 PM

Hi m0le,

I'm sorry for the delay in replying, it's been crazy at work recently. This might sound silly, but I don't know how to burn onto a CD. :( Do I need a special program for that?

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 20 January 2010 - 08:40 AM

Here's a tutorial on how to do it
m0le is a proud member of UNITE

#14 Jingo

Jingo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 21 January 2010 - 08:09 PM

Bah! This is proving more complicated. The burn doesn't seem to be working. The ImgBurn seems to get to a certain point and then the disc is ejected and it says something like "the drive can't be kept shut - this is to be expected with slimline laptops. Close the drive manually and press ok" and I keep trying again and again, but I get the same issue. I don't know what to do. :(

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:42 PM

Posted 22 January 2010 - 04:14 PM

Let's start back a bit.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\$NtServicePackUninstall$\ws2_32.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

Edited by m0le, 22 January 2010 - 04:17 PM.
Change instructions

m0le is a proud member of UNITE
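An added check for the ws2_32.dll replacement in posts #8 and #15 above (example code written for this page, not m0le's tool or anything posted in the thread): before a copy of the DLL is used as the replacement, recompute its PE header CheckSum and compare it with the stored value, and compare it byte-for-byte with the copy taken from the clean PC. The PE buffer below is constructed for the demonstration and is not a real DLL; on real files, read each with open(path, "rb").read() and pass the bytes in.

```python
import hashlib
import struct

def pe_checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + PE signature (4) + COFF header (20) + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 0x40

def compute_pe_checksum(data: bytes) -> int:
    """Recompute the image checksum as the PE CheckSum field defines it, skipping the field itself."""
    skip = pe_checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # algorithm works on whole dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                      # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]

def checksum_matches(data: bytes) -> bool:
    """Cheap red flag: a patched DLL often carries a stale CheckSum. A match on its own proves nothing."""
    return stored_pe_checksum(data) == compute_pe_checksum(data)

def same_file(a: bytes, b: bytes) -> bool:
    """Definitive check: byte-identical to the copy taken from the clean PC."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

def build_sample_pe(body: bytes) -> bytes:
    """Constructed, minimal PE-shaped buffer (not a real DLL) stamped with a valid CheckSum."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    hdr += b"PE\0\0" + b"\0" * 20 + b"\0" * 0xE0                # COFF header + PE32 optional header
    img = hdr + body
    off = pe_checksum_offset(img)
    return img[:off] + struct.pack("<I", compute_pe_checksum(img)) + img[off + 4:]
```

A stale CheckSum is reason enough not to use a copy; only same_file against the known-clean copy (or a clean verdict from the online scanners named in post #15) says the file is good.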
