Google Redirects - Virus?

16 replies to this topic

#1 Recip


Posted 06 January 2010 - 08:38 PM

Hi! I've been referred here from this thread.

After clicking a google search result, the browser takes me to a parked domain with advertisements.

I've attached "Attach.txt" and "DDS.txt" from "dds.scr".

I've also attached "ark.txt" from RootRepeal.
Note: Each time I open RootRepeal, it displays, "Error - invalid PE image found! ". I went ahead with the scan anyways.



Help would be appreciated! Thanks!

Attached Files

  • Attach.txt (19.09KB)
  • DDS.txt (11.81KB)
  • ark.txt (2.64KB)

Edited by Recip, 06 January 2010 - 08:40 PM.



#2 Buckeye_Sam (Malware Expert)

Posted 07 January 2010 - 08:52 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box, paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.



=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Recip


Posted 07 January 2010 - 12:05 PM

Hello Sam and thanks for helping!

I tried downloading OTL, but it wouldn't download on Opera, Firefox, or IE. It said the error was unknown. I tried downloading it to another location, but that displayed the same results.

I downloaded GMER after such. After double-clicking it, it opened up and started running, under the "RootKits/Malware" tab (or some name like that). The scan finished. After that, everything froze. Nothing would work, so I manually powered it down. I tried powering it back up, but now it goes through this process:

1-Displays the 'start-up screen', with "DELL" showing.
2-Shows the "Windows Recovery Console", b/c I've previously had to use ComboFix
3-Shows the screen saying, "Start with: Safe Mode, Safe Mode with Networking, Safe Mode <with something else?>, Last Known Good Configuration, and Start Windows Normally"
4-I've tried Last Known Good Configuration, Start Windows Normally, and lastly Safe Mode. All of them resort to the Blue Screen, although when in Safe Mode, it shows some things in DOS, then goes to the Blue Screen.

Help! I'd appreciate any help you can give!

#4 Buckeye_Sam


Posted 08 January 2010 - 08:38 AM

It looks like we will need to repair your master boot record. For that we need to access the Recovery Console. You may have it installed already, or if not you will need a setup disc. If you don't have the setup disc you can burn a bootable recovery disc on another computer by following the directions here.
http://www.bleepingcomputer.com/forums/t/276527/how-to-create-a-bootable-xp-recovery-console-cd/

Accessing the Recovery Console

From the Setup CD-ROM

Insert the Setup compact disc (CD) and restart the computer. If prompted, select any options required to boot from the CD.
When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console. When prompted, type the Administrator password or just hit enter.

To exit the Recovery Console and restart the computer, type exit.

If you have already installed the Recovery Console

During Startup, select Recovery Console from the startup options menu. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console. When prompted, type the Administrator password or just hit enter. To exit the Recovery Console and restart the computer, type exit.

Once you're into the recovery console
Type the following command:

FIXMBR


You may get a prompt that says:

This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue. Are you sure you want to write a new MBR?

Answer Y

After that, type exit to reboot back into normal mode.
========================================================
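The FIXMBR prompt above warns about a "non-standard or invalid" master boot record without saying what that means. The following check is an added example, not from this thread or from any of the tools it mentions: it parses a 512-byte MBR image (for instance one copied off the disk from a Knoppix CD before running FIXMBR) and lists the conditions a sane MBR should not show. The build_mbr helper and the two sample images are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into its four partition entries and check the 0x55AA signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype, "lba": lba, "count": count})
    return {"signature_ok": mbr[510:] == BOOT_SIGNATURE, "partitions": parts}


def mbr_findings(mbr: bytes) -> list:
    """List conditions that make an MBR non-standard or invalid; an empty list means it looks sane."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature at offset 510")
    used = [p for p in info["partitions"] if p["type"] != 0]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["count"] == 0 or p["lba"] == 0:
            findings.append(f"entry {p['index']}: zero start LBA or sector count")
    if sum(p["status"] == 0x80 for p in used) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for a in used:
        for b in used:
            if a["index"] < b["index"] and a["lba"] < b["lba"] + b["count"] and b["lba"] < a["lba"] + a["count"]:
                findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_mbr(entries, signature=BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed test MBR: zeroed boot code, the given (status, type, lba, count) entries, signature."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return bytes(446) + table + signature


# Constructed samples: a clean single-NTFS-partition MBR, and one with the signature wiped and an overlapping entry.
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 1_000_000)])
DAMAGED_MBR = build_mbr([(0x80, 0x07, 63, 1_000_000), (0x00, 0x83, 5_000, 100)], signature=b"\x00\x00")
```

Run mbr_findings() on the image read from the real disk; an empty list means FIXMBR should not complain, while any finding is worth noting before the partition table is rewritten.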

#5 Buckeye_Sam


Posted 08 January 2010 - 08:39 AM

Let me know how that goes and we'll take it from there.
========================================================

#6 Recip


Posted 08 January 2010 - 05:31 PM

Alright. I've downloaded, burned, and verified the iso.

I changed the settings so it boots from the CD. I put the CD in.

"Press any key to continue...or something" - I push a key

"<it's starting up, or something>"

Then, it goes to a blue screen, with pci.sys listed.

Here is a video of it:



What should I do?

Edited by Recip, 08 January 2010 - 06:40 PM.


#7 Buckeye_Sam


Posted 09 January 2010 - 10:50 AM

Nice touch, the video. Never had someone do that in a response before.

First check the recovery disc that you burned on another computer to make sure it works. If you find the disc is bad then burn another one, this time using this iso.
http://www.webtree.ca/windowsxp/tools/boot.../xp_rec_con.zip


If the recovery disc works properly on another computer, then we move on to the next option. For this you will need a Windows XP setup disc. Then you create a slipstream version of XP with SP3.
http://www.webtree.ca/windowsxp/slipstream.htm


Let me know when you have one of these working discs and we'll proceed from there.
========================================================

#8 Recip


Posted 09 January 2010 - 01:12 PM

I'm cautious of trying the disc on another computer because I don't want to be liable for any possible damage. Instead, I burnt another from the new location you gave and verified it. I put it in the broken computer. Same result as last time: pci.sys.

In the meantime, I'll be looking for my XP setup disc, downloading SP3, and setting up the slipstream.

Would this erase my music and other files?

Edited by Recip, 09 January 2010 - 01:48 PM.


#9 Buckeye_Sam


Posted 10 January 2010 - 10:58 AM

We've got a couple options once you have the setup disc and neither should erase any of your data or files. We should be able to access the Recovery Console with that disc and then run the fixmbr command. That should repair the master boot record and allow you to boot up normally again. If for some reason we run into trouble doing that we will be able to do a repair installation.
========================================================

#10 Recip


Posted 12 January 2010 - 09:47 AM

Okay. I found the setup disc. How would I access the recovery console? Once I do, I'm guessing I type in the command, fixmbr.

Edited by Recip, 12 January 2010 - 09:47 AM.


#11 Buckeye_Sam


Posted 12 January 2010 - 06:31 PM

Just refer back to post #4 above and follow those directions.
========================================================

#12 Recip


Posted 13 January 2010 - 10:36 AM

Okay. I accessed the Windows Recovery Console from the XP setup disc, ran "fixmbr", "y", then "exit". I restarted in Normal mode and I still got a blue screen. What should I do as for the other option, since this option didn't work?

#13 Buckeye_Sam


Posted 13 January 2010 - 07:16 PM

Let's try one more thing from the Recovery Console.
Enter in this command.

fixboot

Then just like before, type exit and then reboot.


If that doesn't get you anywhere then it's time to do a repair installation.
Review the info here and follow those directions.

http://michaelstevenstech.com/XPrepairinstall.htm


Let me know how it goes.
========================================================

#14 Recip


Posted 14 January 2010 - 04:32 PM

"fixboot" didn't work either.

Will a repair installation have any chance of deleting files from the hard drive? Even if it doesn't, how would I transfer files on that hard drive to another?

#15 Buckeye_Sam


Posted 15 January 2010 - 08:08 AM

A repair installation, if done successfully, just reinstalls Windows on top of what you already have in place. Nothing gets removed or deleted.

You should be able to access your files using a Knoppix cd. I'm not familiar enough with it to give step by step instructions, but here's a link for you.
http://www.knopper.net/knoppix/index-en.html
========================================================
