Vista Redirect Virus - All browsers are dysfunctional


This topic is locked
121 replies to this topic

#1 Snadbad

Posted 18 April 2010 - 10:16 PM

Hello everybody, a few weeks ago I got one of those Antivirus Vista viruses. I got rid of it after using a registry fix. After running the reg fix, I ran MBAM and it allowed me to get rid of it. However, weeks later, I still feel the repercussions. Chrome will not load, Firefox will not start, IE randomly redirects, and so does Opera. I'm currently using Songbird, my media player to write this. I want to know if I'm still infected and if there is any way to fix my browsers.

Note: I tried running GMER and it froze my computer, I had to force restart. I do however, have the logs for DDS.


Thanks so much for your time,

Snadbad

Edit: After posting this, AVG popped up with a rogue exploit threat. A few minutes later, a host process crashed. I'm pretty sure I'm still infected, I just don't know how to get rid of the thing.

Edited by Snadbad, 18 April 2010 - 10:24 PM.



#2 thewall (Malware Response Team)

Posted 24 April 2010 - 12:24 PM


Hello Snadbad, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





At this time I need to know if you still require assistance.








Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 Snadbad


Posted 24 April 2010 - 10:21 PM

Hello thewall, I still do need help desperately. I am willing to comply with these small requests and ready to move forward in exterminating this crap.

Thanks,

Snadbad

#4 thewall


Posted 24 April 2010 - 11:31 PM

It appears you have run ComboFix previously. I will need the log from it which is located at C:\ComboFix.txt. Please post the log in the reply window and do not make it an attachment.

#5 Snadbad


Posted 25 April 2010 - 02:53 PM

Combofix was never able to run properly. It said it detected a rootkit and had to reboot, so it did. Upon reboot, it didn't start back up again. That said, I've no log for you, sorry. I can try running it again though.

#6 thewall


Posted 25 April 2010 - 03:16 PM

OK, we'll give GMER another try first. Uncheck all of the things I have listed below and see if it will run. If you still have it installed on your desktop just ignore the first part of downloading.




Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running GMER. That would also include a third party firewall like Zone Alarm. Instructions can be found Here.






Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Registry
    • Files
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.









#7 Snadbad


Posted 25 April 2010 - 06:38 PM

Hey thewall,

I tried running GMER and I had no success. This time, I was able to get past the check box part and actually start the scan. Immediately after that, my mouse became mega slow, and then all my monitors shut off saying there was no VGA signal. I decided to let it run and I came back an hour + later and my monitors turned on this time, but they were just blank. The computer was nonresponsive and I had to force a shut down.

Are there any other viable alternatives to GMER?

Thanks,

Snadbad

#8 thewall


Posted 25 April 2010 - 06:49 PM

We can run something else but I would rather have GMER due to the new infections we are dealing with. Give it a try in Safe Mode and if it won't run then don't force the issue just let me know.

#9 Snadbad


Posted 25 April 2010 - 07:32 PM

I tried booting up my computer in Safe Mode - no dice. I was able to boot into BIOS and everything, but I just couldn't get to the list of boot options. It recently stopped functioning; why, I have no clue. I've done it many times before, it just hasn't worked the past few times I've tried it.

#10 thewall


Posted 25 April 2010 - 09:31 PM

See if this will run in Normal Mode:

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.


#11 thewall


Posted 26 April 2010 - 09:01 PM

Since you let me know you can't get RR to run we will try ComboFix, although I would have liked to have had an ARK scan first. Let's see if CF will have any success. Delete the copy you have now, then download and run a new one from the link below.

Run RKill before you attempt to run CF.



RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.






Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





#12 Snadbad


Posted 26 April 2010 - 09:52 PM

I'm not sure how to uninstall ComboFix. I tried cd Desktop combo-fix /uninstall and instead it just ran the program. I also tried /u - no dice. Should I run RKill anyway?

#13 Snadbad


Posted 26 April 2010 - 10:27 PM

RKill Log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 04/26/2010 at 23:26:05.


Processes terminated by Rkill or while it was running:


C:\Users\Administrator\Local Settings\Apps\F.lux\flux.exe
C:\Users\Administrator\Desktop\rkill.scr


Rkill completed on 04/26/2010 at 23:26:09.


Note: F.lux is monitor dimming software I read about on Lifehacker. It simply dims the intensity of the monitor based on the time of day so one does not burn one's retinas.

#14 thewall


Posted 26 April 2010 - 10:43 PM

I don't want you to uninstall it. Simply delete it from your desktop and download a new one. Run RKill right before you try to run CF.

#15 Snadbad


Posted 26 April 2010 - 10:52 PM

I ran RKill, and then I was unable to run CF. I ran RKill again, and then I was able to run CF. I ran CF, but I forgot to run with administrative privileges. It said it detected a rootkit and needed to reboot, so I said okay. I checked C: after but I could find no logs. Should I try running again with admin privileges? There is a folder now in C about Combofix, although I couldn't find the log in there either.



