Infected with google redirect / rootkit ???


#1 Sounders
Posted 14 April 2010 - 03:39 AM

It looks like I am not the only one with this problem, as there are a few other topics on this. Apologies that I haven't been able to find the cure in those posts, but hopefully someone can walk me through it. ... and I'm running Windows XP.

Here's the history. ... the first thing that I noticed last Friday (I believe) was that my Gigabyte audio panel kept saying a new device was installed for the speakers. I thought nothing of it and thought it was a loose cord (and it still could be completely unrelated).

Sunday I started getting the fake Windows security alert popups. That was due to ave.exe, and I think that I mostly manually took care of that and "contained" it.

However, at the same time random sites were popping up in new tabs in Firefox. I close them before they load if I am not familiar with the sites, so I can not tell you which sites they are, but I am sure they can't be great sites.

Also, Google links are redirecting. That is still occurring.

This is what I have done and figured out.

First, I manually took out ave.exe; other programs finished the job (see below).
I ran a system scan with McAfee OAS - nothing found.
Downloaded and ran Ad-Aware - nothing found.
Downloaded and ran Dr.Web CureIt. It found a TDSS rootkit in memory (svchost) and killed it, but nothing more.
Downloaded and ran TDSSKiller from Kaspersky. It found one TDSS rootkit still in memory and one in a file and didn't get rid of either.
Downloaded and ran Stinger, which finished the job on ave.exe and killed Dr.Web and TDSSKiller. But it did nothing with the other problems.

From what I can tell the NVIDIA driver running the MCP61 Serial ATA Controller is infected - file ...drivers\nvata.sys

my ... drivers\etc\hosts file is fine, but that's the only one I checked.

Also, another weird issue is that I can not start up in Safe Mode. When I try to reboot in Safe Mode, I hit F8 and once I get into the DOS prompts, neither my USB wireless keyboard nor my USB wired keyboard talks to the computer.

Lastly, when I look at device manager I find nothing containing the name 'TDSS' and nothing irregular, except that I have two entries for the serial ATA controller (and others).

So right now Google is redirecting and I'm infrequently getting new tabs opening and loading "random pages."

Any ideas and/or help would be great. Basic instructions are ideal as I know just enough about the operating system to get me into loads and loads of trouble!

Thanks!
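The post above checks the hosts file by eye. As an added example (mine, not from the thread or from any tool it mentions), the script below parses a hosts file and flags the two patterns search-redirect malware commonly leaves there: a search engine or update domain pointed at a remote address, and a security vendor's site pointed at loopback so its updates and downloads fail. The domain watch-lists, the default path, and the sample hosts text are constructed for the example. Note the caveat: a clean hosts file rules out only this simplest form of hijack, since a kernel rootkit of the kind discussed in this thread redirects below the hosts file, inside the network stack.

```python
import ipaddress

# Constructed watch-lists for this example (not from the thread).
SEARCH_AND_UPDATE = ("google.com", "bing.com", "microsoft.com", "windowsupdate.com")
SECURITY_VENDORS = ("mcafee.com", "kaspersky.com", "malwarebytes.org", "bleepingcomputer.com")

# Standard location on Windows; the thread only shows a truncated path.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def _matches(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_hosts(text: str):
    """Yield (lineno, first field, remaining fields) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def audit_hosts(text: str) -> list:
    """Return a list of (lineno, kind, hostname, address) findings.

    kind is one of:
      malformed       - line cannot be parsed as <address> <name...>
      blocked-vendor  - security vendor site mapped to loopback / 0.0.0.0
      redirected      - watched site mapped to a non-local address
    """
    findings = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((lineno, "malformed", " ".join(names), addr_text))
            continue
        if not names:
            findings.append((lineno, "malformed", "", addr_text))
            continue
        # 0.0.0.0 and 127.x / ::1 are the usual blackhole targets.
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if local and _matches(name, SECURITY_VENDORS):
                findings.append((lineno, "blocked-vendor", name, addr_text))
            elif not local and (_matches(name, SECURITY_VENDORS) or _matches(name, SEARCH_AND_UPDATE)):
                findings.append((lineno, "redirected", name, addr_text))
    return findings


def audit_hosts_file(path: str = DEFAULT_HOSTS_PATH) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample; 198.51.100.0/24 is a documentation range, not a real hijack target.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # ordinary ad-blocking entry, not flagged
127.0.0.1       www.mcafee.com          # AV vendor site blackholed
198.51.100.23   www.google.com google.com   # search engine pointed at a remote host
"""

if __name__ == "__main__":
    for lineno, kind, host, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:<15} {host or '<none>'} -> {addr}")
```

Run it against the live file with `audit_hosts_file()`; an empty result means no watched domain is mapped in the file, nothing more.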

#2 Sounders
Posted 14 April 2010 - 03:57 AM

Oh, for those with similar problems: when I used Stinger, the first run found nothing. Under Preferences I changed the sensitivity to very high (report only for the first run) and then it found those issues.

#3 didu007
Posted 14 April 2010 - 06:22 AM

Hi there, I am having a similar problem and by reading the posts on here it does seem to be rife at the moment. I am currently awaiting feedback myself from the great techie guys on here, as I have posted the details in the virus log section. Hope you get sorted, mate.

#4 firefly77
Posted 14 April 2010 - 06:44 AM

I have the same problem also. Google redirects to the most bizarre websites, and Internet Explorer and Firefox both randomly open new tabs to websites I've never seen before. Had this problem over a week now and tried all sorts to get rid of it. I had McAfee Internet Security on my Windows 7 machine but that didn't pick anything up, so I took it off and installed Norton 360. Norton also found nothing, so after browsing the forums I tried ComboFix, HijackThis, SUPERAntiSpyware and Malwarebytes, all of which found nothing more than a couple of tracking cookies. Something else I should mention is when closing either Internet Explorer or Firefox they both report that they have crashed and must be either closed or restarted. Any help on this would be great as it's now starting to drive me mad.

Thanks in advance

#5 Sounders
Posted 16 April 2010 - 12:58 AM

For an update, Malwarebytes also found nothing. I also can't use the keyboard (either wireless USB or USB keyboards) - Device Manager says that the driver can't be loaded because another instance of it already exists. Disabling/enabling etc. the device doesn't appear to work. So now I am stuck with mouse only (and a laptop on the side). Any help would still be appreciated. Thanks!

Edited by Sounders, 16 April 2010 - 12:59 AM.


#6 Sounders
Posted 16 April 2010 - 07:35 PM

Yet another update. ... the fact that the keyboard was not loading was no coincidence. I ran TDSS Remover from eSage Lab and that found only one problem - a hidden registry entry for the keyboard driver. I went and renamed the driver file but it came back, again and again .... it kept repopulating itself. Luckily my laptop had the same driver (kbdhid.sys) file and I made it read-only, which kept it from repopulating itself.

I had renamed the original file (twice) to xxkbdhid and xxxkbdhid. I reran TDSS Remover and it identified both xxkbdhid and xxxkbdhid as "Rootkit.Win32.TDSS.y". I then just deleted the two files and emptied the recycle bin.

I ran TDSSKiller and it found no infections (as opposed to incurable infections as before).
I ran MBAM and again nothing.

The weird thing is that the hidden registry file that was incurable by TDSS Remover was not identified again.

It looks like the system is back up and running, but I fear that I just blocked the problem from propagating itself and didn't get rid of the source. Please let me know if anyone has more ideas.

Thanks.
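Post #6 gets to a clean copy of kbdhid.sys from a second machine and notices that the renamed driver files were detected as the same thing under new names. The example below (added here; not the poster's procedure or any tool's code) turns that into a repeatable check: hash every driver on the suspect system, compare against the same-named files from a clean system, and then look for additional files whose content matches one of the modified drivers, which is what catches renamed copies such as xxkbdhid. The driver contents here are constructed byte strings standing in for real files. Two caveats a practitioner needs: a version or patch-level difference between the two machines also produces a mismatch, so a hit is a lead to verify, not proof; and a kernel rootkit can intercept reads of its own file and hand back clean bytes, so take the hashes from the disk mounted offline (boot media) rather than from inside the running, infected OS.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_directory(path: str) -> dict:
    """Read every regular file directly under `path` into {filename: bytes}.

    Point this at a drivers directory mounted from boot media, not the live OS.
    """
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


def audit_drivers(suspect: dict, clean: dict) -> dict:
    """Compare {name: bytes} from the suspect machine against a clean reference.

    Returns a dict with:
      modified       - same-named files whose content differs from the reference
      missing        - reference files absent on the suspect machine
      renamed_copies - (suspect name, reference name) for files not in the
                       reference whose bytes are identical to a modified driver
      unknown        - files not in the reference and not matching a bad hash
    """
    clean_hashes = {name: sha256_hex(data) for name, data in clean.items()}
    suspect_hashes = {name: sha256_hex(data) for name, data in suspect.items()}

    modified = sorted(
        name for name, digest in suspect_hashes.items()
        if name in clean_hashes and digest != clean_hashes[name]
    )
    missing = sorted(name for name in clean_hashes if name not in suspect_hashes)

    # The content of a modified driver is treated as the bad artefact; any other
    # file carrying exactly those bytes is a renamed copy of it.
    bad_hashes = {suspect_hashes[name]: name for name in modified}
    renamed_copies = sorted(
        (name, bad_hashes[digest])
        for name, digest in suspect_hashes.items()
        if name not in clean_hashes and digest in bad_hashes
    )
    unknown = sorted(
        name for name, digest in suspect_hashes.items()
        if name not in clean_hashes and digest not in bad_hashes
    )
    return {
        "modified": modified,
        "missing": missing,
        "renamed_copies": renamed_copies,
        "unknown": unknown,
    }


# Constructed stand-ins for driver contents; real drivers are PE files.
CLEAN_DRIVERS = {
    "kbdhid.sys": b"MZ clean kbdhid",
    "nvata.sys": b"MZ clean nvata",
    "usbhid.sys": b"MZ clean usbhid",
    "atapi.sys": b"MZ clean atapi",
}
SUSPECT_DRIVERS = {
    "kbdhid.sys": b"MZ kbdhid with rootkit payload",
    "nvata.sys": b"MZ nvata with rootkit payload",
    "usbhid.sys": b"MZ clean usbhid",
    "xxkbdhid.sys": b"MZ kbdhid with rootkit payload",    # renamed infected copy
    "xxxkbdhid.sys": b"MZ kbdhid with rootkit payload",   # renamed infected copy
    "vendorfoo.sys": b"MZ some third-party driver",       # not in the reference
}

if __name__ == "__main__":
    report = audit_drivers(SUSPECT_DRIVERS, CLEAN_DRIVERS)
    for key, items in report.items():
        print(f"{key}: {items}")
```

For real use, call `audit_drivers(load_directory(suspect_path), load_directory(clean_path))` with both directories taken from offline-mounted disks; anything in `unknown` needs a look too, since a third-party driver is as plausible a hiding place as a renamed copy.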

#7 Wen703
Posted 04 July 2011 - 08:39 PM

I used that TDSS kit and it worked on the first try...

thanks
