Google redirect


  • This topic is locked
19 replies to this topic

#1 RIMB

  • Members
  • 10 posts

Posted 10 April 2010 - 02:59 PM

I already used Malwarebytes and spybot, but I cannot get rid of the redirect. I appreciate any help in this.

This the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:07 PM, on 4/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Diego\My Documents\Downloads\OTL.exe
C:\Documents and Settings\Diego\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 3873 bytes





#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 12 April 2010 - 09:07 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 13 April 2010 - 05:36 PM

Thanks for the reply.

Attached are the logs requested. I had a problem when running GMER, the first time I tried it I got a blue screen error related to iastor.sys.
The google redirect problem persists, I haven't noted any other issue.

Regards,

RIMB


#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 13 April 2010 - 06:24 PM

Hello again.

One of the infections you have here is the TDL3 rootkit; more information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue with removing this, let's begin...

We need to do two things here. First, let's run ComboFix and then SystemLook to take a look at some replacement copies that can replace the system file that is currently infected.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    iastor.*
    rasacd.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


#5 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 13 April 2010 - 07:00 PM

Attached are both logs.


#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 13 April 2010 - 07:22 PM

The previous log shows you have the Windows Recovery Console installed through ComboFix; we are going to use that to deal with this infection.

Please restart your computer. Then at the loading screen you have only 2 seconds to select the Operating System. Choose the Windows Recovery Console by using your arrow keys and pressing enter on your keyboard.

The Recovery Console will now load; follow the prompts.
Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
At the C:\Windows prompt type in the following codes below in bold and press enter after typing each line.

cd c:\windows\system32\drivers
ren rasacd.sys rasacd.old
copy C:\i386\rasacd.sys c:\windows\system32\drivers


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

Type exit and press 'Enter'. Your computer should reboot.

--
Now...

Go to Start > Run, copy/paste the following command (in bold below) into the Run box and click OK:

cmd /c "mbr -t" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

#7 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 13 April 2010 - 10:30 PM

When I try to enter the Windows Recovery Console I get a blue screen with the following information:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. check your hard drive to make sure it is properly configured and terminated. run chkdsk /F to check for hard drive corruption, and then restart your computer."

Technical information:
*** Stop: 0x0000007B (0xF7A88524, 0xC0000034, 0x00000000, 0x00000000)


I ran chkdsk /f, and when it rebooted I tried again the Windows Recovery Console with the same results.

Any ideas?

Regards,

RIMB

#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 April 2010 - 08:00 PM

Do you have your Windows XP Disk still with you?

If not, then let's create a bootable CD.

You will need a flash drive to move information from the sick computer to a working computer, so we can see the progress of our actions. Save these instructions in your flash drive as a text file (use notepad) so you can have access to these while in an external environment (PE).

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

Post that log in your next reply so I can take a look.

#9 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 14 April 2010 - 09:22 PM

Attached is the OTL log

Attached Files

  • Attached File: OTL.zip (21.73KB)


#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 16 April 2010 - 03:09 PM

Hello again.

Sorry for the delay. I had some things I needed to do and could not respond. Back now, so let's get back to work.

--
Just to confirm, I believe you do not have your Windows XP disk with you? Correct?

Anyways, let's continue with this...

Save the following text to your USB stick as fix.txt. It must be named this, or the automated fix won't work.
  • Copy the following into a notepad (Start>Run>"notepad") in your GOOD computer. Do not copy the word "code"

    CODE
    :files
    C:\WINDOWS\System32\drivers\rasacd.sys|C:\i386\rasacd.sys /replace

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.txt.
  • Hit OK.

Boot back into the OTLPE environment.

* Double-click on the OTLPE icon.
* When asked "Do you wish to load the remote registry", select Yes
* When asked "Do you wish to load remote user profile(s) for scanning", select Yes
* Ensure the box "Automatically Load All Remaining Users" is checked and press OK
* OTL should now start.
* Click the red Run Fix button.
* You should be presented with a message "No Fix has been Provided! Do you want to load it from a file?" Click Yes.
* Browse to the fix.txt file on your USB stick, and click Open. The fix will then appear in the Custom Scans/Fixes window.
* Click the red Run Fix button again.
* OTL may ask to reboot the machine. Please do so.
* If OTL did not reboot the machine, click OK and the log will open. Save this to your USB stick. Post the contents of the log in your next reply.
* If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Thanks.
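
As an added example (not code from this thread or from the OTL/ComboFix authors), a small Python check that does what the /md5start custom scan in post #8 and the rasacd.sys replacement in post #10 rely on: it compares each named driver in system32\drivers against the pristine copy in C:\i386 and flags the ones whose contents differ. The sample directory tree it builds is constructed; on a real machine pass the two real directories instead.

```python
"""Driver integrity check: compare live drivers against the pristine copies
in the Windows install cache (C:\\i386 on the XP box in this thread), which
is what the OTL /md5start scan and the rasacd.sys replacement rely on."""
import hashlib
import tempfile
from pathlib import Path

# Names taken from the /md5start list and the files handled in the thread.
DRIVERS = ["rasacd.sys", "iaStor.sys", "atapi.sys", "nvstor.sys", "AGP440.sys"]


def md5_of(path: Path) -> str:
    """MD5 only because that is what the OTL scan reports; any hash will do."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ci(directory: Path, name: str):
    """Case-insensitive lookup: Windows names are, and the list mixes cases."""
    wanted = name.lower()
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == wanted:
            return entry
    return None


def compare_drivers(drivers_dir, reference_dir, names=DRIVERS):
    """Return {driver name: status}. 'MISMATCH' is the TDL3-style symptom: the
    driver keeps its name but its contents differ from the install-cache copy."""
    drivers_dir, reference_dir = Path(drivers_dir), Path(reference_dir)
    status = {}
    for name in names:
        live = find_ci(drivers_dir, name)
        cached = find_ci(reference_dir, name)
        if live is None:
            status[name] = "not-installed"
        elif cached is None:
            status[name] = "no-reference-copy"
        elif md5_of(live) == md5_of(cached):
            status[name] = "match"
        else:
            status[name] = "MISMATCH"
    return status


def build_sample_tree():
    """Constructed stand-in for system32\\drivers and i386 (not real driver bytes):
    rasacd.sys altered, atapi/iastor intact, AGP440.sys absent, nvstor.sys uncached."""
    live = Path(tempfile.mkdtemp(prefix="drivers_"))
    cache = Path(tempfile.mkdtemp(prefix="i386_"))
    (live / "rasacd.sys").write_bytes(b"MZ" + b"patched-by-rootkit" * 8)
    (cache / "rasacd.sys").write_bytes(b"MZ" + b"original-driver-code" * 8)
    for name in ("atapi.sys", "iastor.sys"):  # cache copy stored in upper case
        (live / name).write_bytes(b"MZ" + name.encode() * 4)
        (cache / name.upper()).write_bytes(b"MZ" + name.encode() * 4)
    (live / "nvstor.sys").write_bytes(b"MZ" + b"nvstor" * 4)
    return live, cache


if __name__ == "__main__":
    live_dir, cache_dir = build_sample_tree()  # on a real box: the two real dirs
    for driver, result in compare_drivers(live_dir, cache_dir).items():
        print(f"{result:18} {driver}")
```

A "MISMATCH" only says the live file is not the cached copy; a legitimately updated driver also differs, so confirm with the file's version information or a second tool before replacing anything.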

#11 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 16 April 2010 - 05:53 PM

Thanks for your reply. No, I don't have the XP disk with me.

Attached is the log file.

Regards


#12 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 17 April 2010 - 02:16 PM

Please boot back in to Normal Mode and run Combofix once more. Post the log once done.

Thanks.

#13 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 17 April 2010 - 02:36 PM

Attached is the ComboFix log.


#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 17 April 2010 - 02:58 PM

Yes, we got the infection down. Let's get an online scan now. It's looking good so far.

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#15 RIMB

  • Topic Starter
  • Members
  • 10 posts

Posted 18 April 2010 - 09:52 AM

Attached are both logs.

I do not see any other problem with the computer so far.

Regards,

Attached Files

  • Attached File: eset.txt (212 bytes)
  • Attached File: ark.txt (9.85KB)

Edited by RIMB, 18 April 2010 - 09:53 AM.




