
Browser redirect


27 replies to this topic

#1 tester12345


Posted 16 May 2010 - 11:25 AM

Hi :)

I see more people had this virus/trojan and you guys helped them solve it.
I've read those topics and tried some things out myself (since I think of myself as above amateur level and won't screw things up).
That didn't really work out though!


Symptoms:
A once or twice per day redirect to an obscure search engine website (mfeed is the most popular). (All those sites are blocked by a tool I have named "PeerBlock"; this is a tool that blocks around 800 million IPs from all over the world.)

And I had a "random 6 characters .exe" in my "C:\Documents and Settings\kikker\Local Settings\temp" folder (kikker is my main and only user on this PC).
I manually deleted this in several folders. (As far as I know it isn't on the computer anymore, but I am 100% certain that it is not running in the Task Manager when I am looking.)

Tools installed before/when everything happened:
ZoneAlarm firewall (antivirus disabled)
AVG Free antivirus
Ad-Aware
Spybot Search and Destroy
CCleaner

All these tools are up to date.
My Win XP Pro SP2 edition is NOT updated with the latest updates. The last update was around May 2009. (I don't think the Windows Genuine Advantage is really an advantage in my situation ^_^)

What i did so far:
Installed and used:
Sophos Anti-Rootkit
Malwarebytes' Anti-Malware
SUPERAntiSpyware
Radix
ComboFix
SystemLook
GMER
Kaspersky online virus scan of the c:\windows folder

There was no report of any virus or trojan detected with any above named tool.

ComboFix did say it detected a rootkit. But when I restarted, nothing happened. So it probably is still there.

And I have tried to replace my "C:\WINDOWS\system32\drivers\atapi.sys" file with:
C:\cmdcons\ATAPI.SY_ (used the expand command for it)
C:\WINDOWS\system32\dllcache\atapi.sys
and from a zip file "CurrentControlSet-Atapi.zip" I found somewhere on these forums.


I also did a scan with GMER. The problem with this scanner is that if I use ANYthing else my computer freezes. (I can still move the mouse, but that's about it.)
Therefore it will not make a logfile! :o (I tried 4 full scans and 2 scans with fewer options on, but that doesn't matter.)

I think the most important things from this scan are:
C:\WINDOWS\system32\drivers\kl1.sys (suspicious modification)
C:\WINDOWS\system32\drivers\atapi.sys (suspicious modification)

Logfiles of DDS.scr and HijackThis in attachment. I used DeFogger to disable emulation software.


If you need more info, just ask for it :D
THANKS


EDIT:
Added Radix log.txt
Big note: Radix crashes EVERY time on the same spot. (See last line of logfile.)

btw, some logs have Dutch language in them. If you need a translation just say what parts need to be translated!

Edit 2:
Did a Sophos Anti-Rootkit scan: nothing big. Like 300 hidden files but none of them had a risk. (No logfiles.)
Also did an MBAM scan again, see logfile.



Edited by tester12345, 16 May 2010 - 02:33 PM.
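The manual comparison described in this post (atapi.sys against the dllcache copy and the expanded cmdcons ATAPI.SY_), turned into a repeatable hash check as an added example; this is not code from the thread or from any tool named in it, and the cmdcons target path and the sample driver files are constructed:

```python
r"""Cross-check a live Windows driver against its known-good copies.
Added example (not from the thread or its tools): it turns the poster's manual
comparison of system32\drivers\atapi.sys with the dllcache copy and the
expanded cmdcons ATAPI.SY_ into a repeatable hash check of every copy."""
import hashlib
import tempfile
from pathlib import Path

# Windows XP locations from the thread; the cmdcons target is a constructed
# path, so expand C:\cmdcons\ATAPI.SY_ to it first.
XP_LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
XP_REFERENCE_COPIES = [r"C:\WINDOWS\system32\dllcache\atapi.sys",
                       r"C:\atapi_from_cmdcons.sys"]


def sha256_of(path):
    """Hash a file in chunks so a large driver is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_copies(live_path, reference_paths):
    """Return (verdict, details).
    verdict: "match" if every readable reference equals the live file,
    "modified" if at least one differs, "no-reference" if none could be read.
    details maps each path to its hex digest, or "missing" if not found."""
    live_hash = sha256_of(live_path)
    details = {str(live_path): live_hash}
    readable = differing = 0
    for ref in map(Path, reference_paths):
        if not ref.is_file():
            details[str(ref)] = "missing"
            continue
        readable += 1
        details[str(ref)] = sha256_of(ref)
        if details[str(ref)] != live_hash:
            differing += 1
    if readable == 0:
        return "no-reference", details
    return ("modified" if differing else "match"), details


def build_fixture(tmpdir, patched):
    """Write a constructed driver image and two reference copies into tmpdir.
    patched=True alters a few bytes of the live copy only, standing in for the
    in-place modification GMER flagged on the poster's atapi.sys."""
    clean = b"MZ" + b"\x00" * 60 + b"constructed atapi.sys body"
    live = Path(tmpdir, "drivers", "atapi.sys")
    dllcache = Path(tmpdir, "dllcache", "atapi.sys")
    cmdcons = Path(tmpdir, "atapi_from_cmdcons.sys")
    for path in (live, dllcache, cmdcons):
        path.parent.mkdir(parents=True, exist_ok=True)
    live.write_bytes(clean[:40] + b"\x01\x02\x03" + clean[43:] if patched else clean)
    dllcache.write_bytes(clean)
    cmdcons.write_bytes(clean)
    return live, [dllcache, cmdcons, Path(tmpdir, "not_there.sys")]


def check_fixture(patched):
    """Run the comparison on a fresh fixture; returns (verdict, missing_count)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        live, refs = build_fixture(tmpdir, patched)
        verdict, details = compare_driver_copies(live, refs)
    return verdict, sum(1 for v in details.values() if v == "missing")


if __name__ == "__main__":
    print(check_fixture(patched=True))   # ('modified', 1)
    print(check_fixture(patched=False))  # ('match', 1)
```

Version skew is possible, since dllcache is normally kept in step with installed updates while cmdcons holds the install-media version, so a difference only against cmdcons may be benign. A rootkit that filters disk reads can also make the live copy hash clean from inside the running system, which is why a check run from a boot outside the installed Windows (a rescue CD) is the one to trust.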




#2 Blind Faith


Posted 16 May 2010 - 01:20 PM

Hi,


Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 tester12345


Posted 16 May 2010 - 01:29 PM

I hope the above reply is an automatic standard reply?
O_o

QUOTE
We apologize for the delay in responding to your request for help.

A delay of 2 hours isn't really much of a delay ;)

QUOTE
... the rest of the post ...

Did that except for the GMER log, but I also explained that.


But thanks for the reply anyway O_o

edit:
Did a Sophos Anti-Rootkit scan: nothing big. Like 300 hidden files but none of them had a risk. (No logfiles.)
Also did an MBAM scan again, see logfile in first post.


--

I'm off now. I will be back around 17:00 Amsterdam time tomorrow. (So just 17 and a half hours after this edit.)

--

BACK

Edited by tester12345, 17 May 2010 - 08:08 AM.


#4 Blind Faith


Posted 18 May 2010 - 01:15 PM

Hello tester12345!



I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient, because I won't leave your case suspended in the air, waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



And yes, it was a standard reply to see if you still need help and get new logs.



Elle






#5 tester12345


Posted 18 May 2010 - 01:39 PM

Hi!

Thanks for your reply!
I probably will be using your nickname rather than your real name, since the nickname is standing next to your post ^_^

I think it is a great thing that you are being coached here. Good luck!!


There are a lot of cases on this forum that are related to website redirects. Somehow I did not manage to get rid of it myself (hence me calling for help).
But since there are so many cases, maybe you know if this virus I have is known to have any keylogging system in it or desktop sharing functions?
The thing is, I'm using the online banking feature of my bank and I want to know if I'm safe.
(I already changed my password AND username for it on a clean PC just to be sure.) But hey, I have more accounts than just banking and I hate to change all the passwords of every account I have.

If you are not sure, just say so. I won't yell. ;)

Edit:
FYI, it's bedtime now. Will be active again in 17 hours :)

Edited by tester12345, 18 May 2010 - 04:43 PM.


#6 Blind Faith


Posted 19 May 2010 - 04:34 AM

Hi,


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



The following is referring to Emule.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.



First,
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt". Please copy and paste the contents in your next reply.


Elle

#7 tester12345


Posted 19 May 2010 - 04:58 AM

You found a folder named eMule on my PC? :) It is just a name I still handle, but I uninstalled that download client like 4 years ago.

First a sidenote: the cmd command you gave me didn't work properly (file not found error). This is because I'm using a Dutch version of XP (Desktop is replaced with the word Bureaublad). Maybe it is worth mentioning in future for less experienced people.

Anyway, I executed it and it found something!
Uploaded the logfile.

I did another scan to see if it is really gone and to see that the backup file of kl1.sys was not infected either. Nothing found! (See second log.)

Edit:
I DO use a registry cleaner called "CCleaner". It keeps backups of cleaned registry keys, so if it screwed up, you can easily use the backups again. (Never needed to use this though.)

Edit2:
I'm away for a while now, will be back in about 6 hours.


btw, I don't know for 100% if the kl1.sys was the real issue of the browser redirects. Maybe I was infected with more than one thing. (Or was this kl1.sys file the infection in other reports too?)

Since I get only one or two redirects per day (with normal / heavy usage of search engines) I'm going to wait like a week before I'm convinced that it is really gone.
If I get a redirect, you are the first to know.



Edited by tester12345, 19 May 2010 - 05:16 AM.


#8 Blind Faith


Posted 19 May 2010 - 07:39 AM

Hi,



We will try to scan once more with ComboFix to see if it finds something. :)
The infections seem to be gone though.




1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt


Elle

#9 tester12345


Posted 19 May 2010 - 11:38 AM

It seems it deleted some logfiles of my Settlers 7.

but here it is, the log.

i see some suspicious things in it myself:
deployJava1.dll (threat?)
zllictbl.dat (zonealarm key(gen?)?)

c:\windows\Internet Logs\
tvDebug.Zip
and some others in that folder (is it safe to delete the content in this folder? 10ish .zip files and 20ish .tmp files there)


Oh wait... I'm doing your job now, haha :)



Edited by tester12345, 19 May 2010 - 11:44 AM.


#10 Blind Faith


Posted 21 May 2010 - 04:51 PM

Hi,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva344.sys
c:\windows\system32\XDva346.sys
c:\windows\system32\XDva347.sys
Driver::
XDva332
XDva344
XDva346
XDva347
DeQuarantine::
C:\Qoobox\Quarantine\c\documents and settings\kikker\Mijn documenten\Settlers7


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Also, please include new DDS logs.

Please also tell me how the PC is going after running ComboFix again. :)


Elle

#11 tester12345


Posted 22 May 2010 - 06:03 AM

Hi thanks for the reply.

I'm offline for this weekend, so i can't perform this scan yet.

Will do on Tuesday.

Edited by tester12345, 22 May 2010 - 06:03 AM.


#12 tester12345


Posted 25 May 2010 - 01:34 PM

Hi I'm back!
I did what you asked me to do, see the logfiles in the attachment.

I did NOT get ANY redirects the last week, so it seems that the redirect problem is over :)

Do you see anything suspicious in the logfiles?




#13 Blind Faith


Posted 28 May 2010 - 07:16 AM

Hello,



Sorry for the delay, I needed to wait for my post to be revised.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\system32\xdva349.sys
Driver::
XDva349


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Also, please include new DDS logs.



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


Elle
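A checker for the CFScript format used in posts #10 and #13, added here as an example (not part of the thread or of ComboFix); the sample script is assembled from those posts, with a constructed Driver:: name, XDva350, that has no matching file so the cross-check has something to report:

```python
"""Parse and sanity-check a ComboFix CFScript before dragging it onto ComboFix.exe.
Added example, not from the thread or from ComboFix itself: it reads the
"Section::" / entry layout used in posts #10 and #13 and checks that every
Driver:: name pairs with a File:: entry (and every .sys file with a driver),
so a typo cannot leave a driver file or its service entry behind."""
import re
from collections import OrderedDict
from pathlib import PureWindowsPath

HEADER = re.compile(r"^([A-Za-z]+)::$")

# Constructed sample: the File/Driver/DeQuarantine lines of post #10 and the
# xdva349 lines of post #13, plus a made-up Driver:: XDva350 with no file.
SAMPLE = r"""File::
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva344.sys
c:\windows\system32\xdva349.sys
Driver::
XDva332
XDva344
XDva349
XDva350
DeQuarantine::
C:\Qoobox\Quarantine\c\documents and settings\kikker\Mijn documenten\Settlers7
"""


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines.
    Blank lines are skipped; an entry before any header raises ValueError."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def cross_check(sections):
    """Return warnings for Driver:: and .sys File:: entries that do not pair up.
    Matching is case-insensitive on the file stem, because post #13 lists the
    file as xdva349.sys but the driver as XDva349."""
    files = {}
    for entry in sections.get("File", []):
        path = PureWindowsPath(entry)
        if path.suffix.lower() == ".sys":
            files[path.stem.lower()] = entry
    drivers = {name.lower(): name for name in sections.get("Driver", [])}
    warnings = []
    for key in sorted(set(drivers) - set(files)):
        warnings.append("Driver:: %s has no File:: entry" % drivers[key])
    for key in sorted(set(files) - set(drivers)):
        warnings.append("File:: %s has no Driver:: entry" % files[key])
    return warnings


def check_text(text):
    """Parse and cross-check a script; returns ({section: entry count}, warnings)."""
    sections = parse_cfscript(text)
    counts = {name: len(entries) for name, entries in sections.items()}
    return counts, cross_check(sections)
```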

#14 tester12345


Posted 28 May 2010 - 10:29 AM

I did the scans and removed the java updates

one question:
I also have a Java installation called "Java™ 6 Update 20". Do I need to uninstall this one too?
(btw, why must I uninstall these updates?)


For logfiles, see attachments :) ;)




#15 Blind Faith


Posted 29 May 2010 - 03:46 PM

Hi,

QUOTE
I also have a Java installation called "Java™ 6 Update 20". Do I need to uninstall this one too?
(btw, why must I uninstall these updates?)


No, you don't need to uninstall that one because it is the latest version of Java, which should have the latest security improvements released. The other ones I told you to uninstall were vulnerable because they were out of date versions of Java which contain vulnerabilities and represent an open door for exploits. :)


Also uninstall these ones if they are present:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 9



Besides that your log looks clean. :)


Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in "Combofix /Uninstall" in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  • This will uninstall Combofix and anything associated with it.
We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.



Windows XP System Restore Guide

Update your Anti Virus Software - It is imperative that you update your anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, I would recommend the download and installation of some or all of the following programs, and the updating of them regularly

Install SUPERAntiSpyware - Install and download SUPERAntiSpyware .
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* Information on installing & using this product can be found here:
* Click here for more info -->SUPERAntiSpyware official site

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...



Elle