Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect rootkit


  • This topic is locked This topic is locked
7 replies to this topic

#1 exxelion

exxelion

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 12 May 2010 - 01:09 AM

I'm using Mozilla Firefox 3.6.3 on an Acer Aspire One netbook. A couple days back I realized that whenever I click on a search result provided by Google search, it'll redirect me to other sites (some are shopping sites, some are just completely random), or in some occasion, it'll pop up a new tab and open a weird website.

I've tried GooRed Fix, Hitman Pro, and TDSS killer. No Luck. Whenever I tried using TDSS killer, it'll find a kernel memory rootkit, and it told me that it'll be removed after reboot. Well, it didn't, I still get redirected (Hitman Pro also found a rootkit called "intelppm.sys", whenever I tried to delete it, it'd tell me to insert my OS disk, of which I don't have).

I found a very similar post like this already, but since my computer skill is so bad, I don't want to take my chances to follow all the instructions given on this topic:

http://www.bleepingcomputer.com/forums/t/308460/persistent-redirect-rootkit-makes-me-feel-like-this/

I ran out of ideas, and very clueless now. Since I'm a college student, google search is very vital to have. I really greatly appreciate some help.

ps: I just joined this forum, and this is my first time to be in a forum, so apologize in advance if I violate the forum rules at the point of this posting, I'll try my best to follow the forum's guidelines. Also English is not my native language so please be patient upon helping

Thanks

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 12 May 2010 - 06:00 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Note: Do not run any programs while Gmer is running.


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 exxelion

exxelion
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 12 May 2010 - 03:44 PM

Gringo,

I followed all the instructions you gave me from the De Fogger up to the DDS log. Up to that point everything went fine and I have the log with me. However, when I try to run Gmer, I had to abort the scan midway because I forgot my firefox is still open on the side. So I canceled my scan. Then I rescanned again. just about 2-3 minutes later(I went to the restroom) and it seemed to have rebooted, and there's a notification that "Windows just recovered from a serious error".

What should I do? Should I continue on and do the Gmer scan again? And is it normal that it take quite some time scanning my system drive (C:) ?

Thanks for the patience

Just so we can get started I uploaded the DDS and the Attach Log.

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 12 May 2010 - 04:06 PM

Hello exxelion

yes please do keep trying, if it keeps giving problems then try it this way.

GMER:

I would like you to download this "special version of gmer." and save it to your desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • devices(don't miss this one) <--this one is different than the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If Gmer runs then please give me the log and pass on the next step.

If Gmer still does not run and Only if it does not run please do the following.

I would like you to try and run Gmer in Safe mode to enter safe mode do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If Gmer does run to the end please send me the log in your next reply and If it still does not run please let me know and we will try something else

"information and logs"
    In your next post I need the following
    1. log from Gmer
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 exxelion

exxelion
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 12 May 2010 - 08:08 PM

Gringo,

I've downloaded the other version of Gmer that you told me to download. I started scanning, and it gives me "blue screen" right away (it crashes) and the computer restarted.

Whenever you told me to not run any anti-malware or any application that does include anti-virus as well correct? I have mcafee and I disabled the OAS before starting Gmer. Do I have to terminate it using task manager? or disabling from the taskbar like I did should be enough?

A little off topic here, whenever I start my netbook, it always gives me a RUNDLL error. It says something about C:/Windows/Asamsip.dll and it couldn't load the specific module. could that be the trigger that messes Gmer?

What step should I take now? Should I go ahead and use the safe mode option you told me?

I'm extremely worry about my netbook's health if it keeps crashing, since my old one died due to the constant crashing.

Again, thanks for the patience and for the help!!
Exxelion

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 12 May 2010 - 09:16 PM

Hello exxelion

try it in safe mode, I have not heard of it hurting a computer yet. It will cause blue screens at time because it is accessing the kernal of the OS.

But don't worry I won't try it to many times.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 15 May 2010 - 11:52 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 24hrs you have not replied to this thread then it will have to be closed!

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 18 May 2010 - 01:38 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users