Google Hijacked / Rootkit? / Virus?


  • This topic is locked
3 replies to this topic

#1 AWILD1

AWILD1

  • Members
  • 17 posts

Posted 29 April 2010 - 12:11 PM

Hi, I have this Virus/Rootkit I can't seem to get rid of. A few days ago my PC, with Windows XP Professional, SP3, started acting weird, with my Google searches being hijacked, and then later I had a fake program pop up named "XP Smart Security" alerting me to a bunch of fake viruses, etc. The program had also disabled regedit, msconfig, and several other programs. After a day of trying, I was able to get everything working again and the fake program removed. Now I have a constant threat warning from my NOD32 that my C:\WINDOWS\system32\drivers\agp440.sys is infected with Win32/Olmarik.XG Patched. The same goes for the copy of that file located in my C:\WINDOWS\system32\dllcache folder. I was able to replace both at one time with a good version, but later they were replaced again with the same virus. Also, all my Google searches still seem to be hijacked, with Malwarebytes constantly blocking the IP address range 213.163.89.104 - 213.163.89.107, with an occasional block of IP 91.212.226.7 and a less frequent block of a couple of other IPs.

I have tried several programs such as Malwarebytes, Ad-Aware, Spybot Search and Destroy, SUPERAntiSpyware, UnHackMe, Hitman Pro 3.5, TDSSKiller, HijackThis, CCleaner, and SDFix, all of which have been fully updated up to now, and still no luck. I had tried a system restore a couple of days ago back to what I believed was before any of this, and still no luck. I tried ComboFix, but somehow it rendered my computer unbootable into Windows after it was not able to finish running its course. After a day of messing with things I was able to fix that problem. After reading about ComboFix more, I do not feel comfortable enough to use it without professional help, so as to hopefully not run into the same problem. I have Google searched and read for several hours about all 4 symptoms (Google searches hijacked, the "XP SMART SECURITY" virus, the IPs being blocked by Malwarebytes when a Google search is made, and the constant agp440.sys virus alert), and they all seem to be linked in some way, but I'm not finding anything that works for me, and all of them seem to use ComboFix which, again, I'm not comfortable using on my own. I NEED HELP!

#2 mikeleger

mikeleger

  • Members
  • 1 posts

Posted 29 April 2010 - 12:39 PM

If you are truly convinced that the agp440.sys file is related to your problem, try making your good copy "READ ONLY" before copying it to your infected system, making it less likely to be replaced again by an infected version.

#3 meastwoo

meastwoo

  • Members
  • 1 posts

Posted 29 April 2010 - 10:58 PM

Hey, I have the exact same problem... but finally got it mostly under control. I thought I was clean, but just now spotted the 91.212.226.7 IP address pop up in my What'sRunning program (the red highlight, I think, meant it was being blocked), which this time I wrote down. I searched on that term and found this post. Glad to meet you, and boy, were we hit with a nasty one or what? My wife was doing some Google searches when the little netbook was taken over, windows popping up and out all over the place, and she finally just shut it off. When I got to it I found a real mess.

First, the DNS IP address was manually set to something 91- or 96-ish (didn't write it down), which was something another system of mine suffered last year with another malware attack. I experienced nearly all the same symptoms and thwarted efforts to clean the system as I went from safe mode running Malwarebytes, Spybot S&D, Norton Antivirus, etc., finding various files resisting deletion (Malwarebytes has a powerful delete tool that overcame the permissions of one malfile). Over a few days I also fought to regain control and took steps backward and forward like you described. I did not take good notes, but my scan logs might be useful - let me know if I should post them.

After getting most of my functionality back, the main thing that bugged me is that I could not turn off System Restore to eliminate the restore point files (where Norton had found some virus files but could not eliminate them). That led me to a posting describing turning off the System Restore service manually, setting it to manual start, rebooting, then restarting it. That should have cleared those restore point files, but I still see the checkbox grayed out with the message "disabled by Group Policy".

So, I think I am still infected, though not acting like a maniac botted mess like before. Now I worry something more subtle and insidious and threatening is going on.

Will post more as I learn more.

Oh, and I cannot get to the Windows Update service anymore. It gets blocked/thwarted... and Firefox gives a "sorry, connection reset by foreign host" message. And now that I think about it more, Internet Explorer and Firefox don't always start up the first time. Yeah, I'm still infected, or just really messed up. Any thoughts?

M.

Edited by meastwoo, 29 April 2010 - 11:12 PM.
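A defender-side triage script for the three symptoms described in posts #1 and #3 (the agp440.sys driver in both system32\drivers and dllcache, a manually set DNS server, and System Restore reported as disabled by Group Policy). This is an added example, not code from the thread or from BleepingComputer; it assumes PowerShell 2.0 on the affected XP machine, an elevated prompt, and a known-good agp440.sys at the hypothetical path $ReferenceCopy, extracted from trusted install media.

```powershell
# Added triage script, not from the thread. Assumes PowerShell 2.0 on the affected XP host,
# run from an elevated prompt. $ReferenceCopy is a hypothetical path to a known-good
# agp440.sys taken from trusted install media; adjust it before running.
$ReferenceCopy = 'D:\clean\agp440.sys'

# The two on-disk locations named in post #1.
$suspect = @(
    (Join-Path $env:SystemRoot 'system32\drivers\agp440.sys'),
    (Join-Path $env:SystemRoot 'system32\dllcache\agp440.sys')
)

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# 1. Driver integrity: both copies should hash identically to the reference copy.
$refHash = Get-Sha256Hex $ReferenceCopy
foreach ($f in $suspect) {
    if (-not (Test-Path $f)) { "MISSING  $f"; continue }
    $h = Get-Sha256Hex $f
    $verdict = if ($h -eq $refHash) { 'MATCH   ' } else { 'MODIFIED' }
    "{0} {1} size={2} mtime={3}" -f $verdict, $f, (Get-Item $f).Length, (Get-Item $f).LastWriteTime
}

# 2. DNS: a non-empty per-interface NameServer value means DNS was set by hand (post #3).
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifaces | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.NameServer) { "STATIC DNS on {0}: {1}" -f $_.PSChildName, $p.NameServer }
}

# 3. System Restore "disabled by Group Policy" (post #3): on an unmanaged home XP box this
#    policy key normally does not exist at all.
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    $p = Get-ItemProperty $srPolicy
    "SystemRestore policy present: DisableSR={0} DisableConfig={1}" -f $p.DisableSR, $p.DisableConfig
} else {
    'SystemRestore policy key absent (expected on an unmanaged machine)'
}
```

Because a kernel-mode rootkit can return clean bytes to user-mode reads, a MATCH from the running system is not proof of a clean driver; rerun the hash comparison from offline boot media.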


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 04 May 2010 - 06:10 PM

Hello AWILD1,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/314659/google-hijacked-rootkit-virus/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
