google searches redirected

4 replies to this topic

#1 grandvil74

grandvil74

  • Members
  • 3 posts

Posted 13 March 2010 - 04:02 PM

Hello
My computer recently started redirecting me to other websites nearly every time I click on a link following a Google search. I've run anti-everything to oust this malware, but nothing works (HijackThis, Malware something, Spybot, AVG, Trend Micro, ...). I tried deleting Firefox and all of its folders, but nothing helps. I've been at this for two weeks. I would appreciate any help!

Gary

Edited by Orange Blossom, 13 March 2010 - 04:17 PM.
Move to AII. ~ OB



#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 14 March 2010 - 03:14 PM

Hi,

Are there any other problems or symptoms on the PC?

I'd like you just to try this for me:

Please download RKill by Grinler

Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so that it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links please let me know
Now try updating and re-running Malwarebytes' Anti-Malware (MBAM) (I presume this is what you meant by "malware something"). If you do not have MBAM installed:

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Post the log.

Casey

Edited by Casey_boy, 14 March 2010 - 03:14 PM.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 grandvil74

grandvil74
  • Topic Starter
  • Members
  • 3 posts

Posted 20 March 2010 - 05:14 PM

There are no other symptoms. If I open Mozilla, a new tab will open to a site that may or may not be blocked by my anti-virus software. And when I click a link following a search, it will open one or two pages to some advertising, parenting, or other site.

The Malware run came up clean. Here it is:

Malwarebytes' Anti-Malware 1.44
Database version: 3863
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/20/2010 6:08:07 PM
mbam-log-2010-03-20 (18-08-07).txt

Scan type: Quick Scan
Objects scanned: 118479
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 grandvil74

grandvil74
  • Topic Starter
  • Members
  • 3 posts

Posted 21 March 2010 - 04:26 PM

Fixed it.
TDSSKiller found the problem and now it is gone. Below is the log. Thank you for your willingness to help.

Gary

20:46:42:031 2520 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
20:46:42:031 2520 ================================================================================
20:46:42:031 2520 SystemInfo:

20:46:42:031 2520 OS Version: 5.1.2600 ServicePack: 3.0
20:46:42:031 2520 Product type: Workstation
20:46:42:031 2520 ComputerName: BRIEE-DE218FE98
20:46:42:031 2520 UserName: Briee
20:46:42:031 2520 Windows directory: C:\WINDOWS
20:46:42:031 2520 Processor architecture: Intel x86
20:46:42:031 2520 Number of processors: 2
20:46:42:031 2520 Page size: 0x1000
20:46:42:031 2520 Boot type: Normal boot
20:46:42:031 2520 ================================================================================
20:46:42:078 2520 UnloadDriverW: NtUnloadDriver error 2
20:46:42:078 2520 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:46:42:250 2520 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:46:42:250 2520 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:46:42:250 2520 wfopen_ex: Trying to KLMD file open
20:46:42:250 2520 wfopen_ex: File opened ok (Flags 2)
20:46:42:250 2520 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:46:42:250 2520 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:46:42:250 2520 wfopen_ex: Trying to KLMD file open
20:46:42:250 2520 wfopen_ex: File opened ok (Flags 2)
20:46:42:250 2520 Initialize success
20:46:42:250 2520
20:46:42:250 2520 Scanning Services ...
20:46:42:781 2520 GetAdvancedServicesInfo: Raw services enum returned 362 services
20:46:42:781 2520
20:46:42:781 2520 Scanning Kernel memory ...
20:46:42:781 2520 Devices to scan: 4
20:46:42:781 2520
20:46:42:781 2520 Driver Name: Disk
20:46:42:781 2520 IRP_MJ_CREATE : BA0EEBB0
20:46:42:781 2520 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:46:42:781 2520 IRP_MJ_CLOSE : BA0EEBB0
20:46:42:781 2520 IRP_MJ_READ : BA0E8D1F
20:46:42:781 2520 IRP_MJ_WRITE : BA0E8D1F
20:46:42:781 2520 IRP_MJ_QUERY_INFORMATION : 804F4562
20:46:42:781 2520 IRP_MJ_SET_INFORMATION : 804F4562
20:46:42:781 2520 IRP_MJ_QUERY_EA : 804F4562
20:46:42:781 2520 IRP_MJ_SET_EA : 804F4562
20:46:42:781 2520 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
20:46:42:781 2520 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:46:42:781 2520 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:46:42:781 2520 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:46:42:781 2520 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:46:42:781 2520 IRP_MJ_DEVICE_CONTROL : BA0E93BB
20:46:42:781 2520 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
20:46:42:781 2520 IRP_MJ_SHUTDOWN : BA0E92E2
20:46:42:781 2520 IRP_MJ_LOCK_CONTROL : 804F4562
20:46:42:781 2520 IRP_MJ_CLEANUP : 804F4562
20:46:42:781 2520 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:46:42:781 2520 IRP_MJ_QUERY_SECURITY : 804F4562
20:46:42:781 2520 IRP_MJ_SET_SECURITY : 804F4562
20:46:42:781 2520 IRP_MJ_POWER : BA0EAC82
20:46:42:781 2520 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
20:46:42:781 2520 IRP_MJ_DEVICE_CHANGE : 804F4562
20:46:42:781 2520 IRP_MJ_QUERY_QUOTA : 804F4562
20:46:42:781 2520 IRP_MJ_SET_QUOTA : 804F4562
20:46:42:859 2520 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:46:42:859 2520
20:46:42:859 2520 Driver Name: Disk
20:46:42:859 2520 IRP_MJ_CREATE : BA0EEBB0
20:46:42:859 2520 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:46:42:859 2520 IRP_MJ_CLOSE : BA0EEBB0
20:46:42:859 2520 IRP_MJ_READ : BA0E8D1F
20:46:42:859 2520 IRP_MJ_WRITE : BA0E8D1F
20:46:42:859 2520 IRP_MJ_QUERY_INFORMATION : 804F4562
20:46:42:859 2520 IRP_MJ_SET_INFORMATION : 804F4562
20:46:42:859 2520 IRP_MJ_QUERY_EA : 804F4562
20:46:42:859 2520 IRP_MJ_SET_EA : 804F4562
20:46:42:859 2520 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
20:46:42:859 2520 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:46:42:859 2520 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:46:42:859 2520 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:46:42:859 2520 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:46:42:859 2520 IRP_MJ_DEVICE_CONTROL : BA0E93BB
20:46:42:859 2520 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
20:46:42:859 2520 IRP_MJ_SHUTDOWN : BA0E92E2
20:46:42:859 2520 IRP_MJ_LOCK_CONTROL : 804F4562
20:46:42:859 2520 IRP_MJ_CLEANUP : 804F4562
20:46:42:859 2520 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:46:42:859 2520 IRP_MJ_QUERY_SECURITY : 804F4562
20:46:42:859 2520 IRP_MJ_SET_SECURITY : 804F4562
20:46:42:859 2520 IRP_MJ_POWER : BA0EAC82
20:46:42:859 2520 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
20:46:42:859 2520 IRP_MJ_DEVICE_CHANGE : 804F4562
20:46:42:859 2520 IRP_MJ_QUERY_QUOTA : 804F4562
20:46:42:859 2520 IRP_MJ_SET_QUOTA : 804F4562
20:46:42:875 2520 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:46:42:875 2520
20:46:42:875 2520 Driver Name: Disk
20:46:42:875 2520 IRP_MJ_CREATE : BA0EEBB0
20:46:42:875 2520 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:46:42:875 2520 IRP_MJ_CLOSE : BA0EEBB0
20:46:42:875 2520 IRP_MJ_READ : BA0E8D1F
20:46:42:875 2520 IRP_MJ_WRITE : BA0E8D1F
20:46:42:875 2520 IRP_MJ_QUERY_INFORMATION : 804F4562
20:46:42:875 2520 IRP_MJ_SET_INFORMATION : 804F4562
20:46:42:875 2520 IRP_MJ_QUERY_EA : 804F4562
20:46:42:875 2520 IRP_MJ_SET_EA : 804F4562
20:46:42:875 2520 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
20:46:42:875 2520 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:46:42:875 2520 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:46:42:875 2520 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:46:42:875 2520 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:46:42:875 2520 IRP_MJ_DEVICE_CONTROL : BA0E93BB
20:46:42:875 2520 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
20:46:42:875 2520 IRP_MJ_SHUTDOWN : BA0E92E2
20:46:42:875 2520 IRP_MJ_LOCK_CONTROL : 804F4562
20:46:42:875 2520 IRP_MJ_CLEANUP : 804F4562
20:46:42:875 2520 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:46:42:875 2520 IRP_MJ_QUERY_SECURITY : 804F4562
20:46:42:875 2520 IRP_MJ_SET_SECURITY : 804F4562
20:46:42:875 2520 IRP_MJ_POWER : BA0EAC82
20:46:42:875 2520 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
20:46:42:875 2520 IRP_MJ_DEVICE_CHANGE : 804F4562
20:46:42:875 2520 IRP_MJ_QUERY_QUOTA : 804F4562
20:46:42:875 2520 IRP_MJ_SET_QUOTA : 804F4562
20:46:42:890 2520 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:46:42:890 2520
20:46:42:890 2520 Driver Name: atapi
20:46:42:890 2520 IRP_MJ_CREATE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_CREATE_NAMED_PIPE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_CLOSE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_READ : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_WRITE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_QUERY_INFORMATION : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SET_INFORMATION : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_QUERY_EA : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SET_EA : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_FLUSH_BUFFERS : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SET_VOLUME_INFORMATION : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_DIRECTORY_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_FILE_SYSTEM_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_DEVICE_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SHUTDOWN : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_LOCK_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_CLEANUP : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_CREATE_MAILSLOT : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_QUERY_SECURITY : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SET_SECURITY : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_POWER : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SYSTEM_CONTROL : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_DEVICE_CHANGE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_QUERY_QUOTA : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_SET_QUOTA : 8A7A9A9A
20:46:42:890 2520 Driver "atapi" infected by TDSS rootkit!
20:46:42:890 2520 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
20:46:42:890 2520 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
20:46:42:890 2520 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:46:42:890 2520 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
20:46:43:468 2520 vfvi6
20:46:43:578 2520 !dsvbh1
20:46:43:984 2520 dsvbh2
20:46:43:984 2520 fdfb2
20:46:43:984 2520 Backup copy found, using it..
20:46:44:031 2520 will be cured on next reboot
20:46:44:031 2520 Reboot required for cure complete..
20:46:44:109 2520 Cure on reboot scheduled successfully
20:46:44:109 2520
20:46:44:109 2520 Completed
20:46:44:109 2520
20:46:44:109 2520 Results:
20:46:44:109 2520 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
20:46:44:109 2520 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:46:44:109 2520 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:46:44:109 2520
20:46:44:109 2520 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:46:44:109 2520 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:46:44:109 2520 UnloadDriverW: NtUnloadDriver error 1
20:46:44:109 2520 KLMD_Unload: UnloadDriverW(klmd21) error 1
20:46:44:125 2520 KLMD(ARK) unloaded successfully
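
The TDSSKiller log above is a good illustration of what a kernel dispatch-table hook looks like from the defender's side: the clean Disk driver shows a mix of its own handlers and the kernel's shared default handler (804F4562), while every one of atapi's IRP_MJ_* entries points at the single address 8A7A9A9A. As an added example that is not part of this thread or of TDSSKiller, the script below parses that log format and flags any driver whose whole dispatch table has collapsed onto one pointer; the sample log is a constructed excerpt using the addresses and paths posted above.

```python
import re

# Constructed excerpt in the TDSSKiller 2.2.8 log format posted above; the
# addresses and paths are the ones in that log, the IRP list is shortened.
SAMPLE_LOG = """\
20:46:42:781 2520 Driver Name: Disk
20:46:42:781 2520 IRP_MJ_CREATE : BA0EEBB0
20:46:42:781 2520 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:46:42:781 2520 IRP_MJ_READ : BA0E8D1F
20:46:42:781 2520 IRP_MJ_WRITE : BA0E8D1F
20:46:42:859 2520 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
20:46:42:890 2520 Driver Name: atapi
20:46:42:890 2520 IRP_MJ_CREATE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_CREATE_NAMED_PIPE : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_READ : 8A7A9A9A
20:46:42:890 2520 IRP_MJ_WRITE : 8A7A9A9A
20:46:42:890 2520 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""
# Every TDSSKiller line is "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^(\S+\.sys) - Verdict: \d+$")


def parse_dispatch_tables(log_text):
    """Return {driver: {"irps": {IRP_MJ_X: int_addr}, "file": path}}."""
    tables, current = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped TDSSKiller line
        msg = m.group(1).strip()
        if (d := DRIVER_RE.match(msg)):
            current = tables.setdefault(d.group(1), {"irps": {}, "file": None})
        elif current is not None and (i := IRP_RE.match(msg)):
            current["irps"][i.group(1)] = int(i.group(2), 16)
        elif current is not None and (f := FILE_RE.match(msg)):
            current["file"] = f.group(1)
            current = None  # the Verdict line closes the driver's block
    return tables


def find_uniform_dispatch(tables, min_entries=4):
    # A clean table mixes the driver's own handlers with the kernel's shared
    # default handler; one pointer for every IRP_MJ_* is the hook pattern above.
    return [name for name, t in tables.items()
            if len(t["irps"]) >= min_entries
            and len(set(t["irps"].values())) == 1]
```

Run against the full log posted in this thread, the heuristic flags only atapi; on a clean machine it should return an empty list.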

#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 22 March 2010 - 07:33 AM

Glad you fixed it :thumbsup:
