Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fraudsys/google redirect malware virus - tried everything - HELP!


  • This topic is locked This topic is locked
10 replies to this topic

#1 dazzlingmd

dazzlingmd

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 11 July 2010 - 06:43 PM

Hi. I'm new to the forum and there has been a great deal of useful information that I've tried, but I still can't shake this thing. I'm running Windows XP professional on a Dell E4300 laptop. About 2 weeks ago I got some sort of virus/malware that seems similar to others I've read about. Google search links are redirected to random websites, the sound gets hijacked every once in a while, and then every 20 minutes or so one of those random websites (weather related, home business, a variety of stuff) pops up on its own in a new window.

I've tried superspyware, spybot, malwarebytes anti-malware, cc cleaner, tfc, rkill, vundofix, and other things, sometimes in safe mode, sometimes in normal mode, all according to the instructions of various posts on here. Lots of things are found, then removed, and in every case there are things that can't be removed, do I want to restart, yes, then it restarts and yet the problem never goes away.

Thanks in advance for any help you can provide. I've attached the text of my latest log files from Superspyware and Malwarebytes.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2010 at 12:54 PM

Application Version : 4.40.1002

Core Rules Database Version : 5182
Trace Rules Database Version: 2994

Scan type : Complete Scan
Total Scan Time : 00:21:16

Memory items scanned : 611
Memory threats detected : 0
Registry items scanned : 9445
Registry threats detected : 0
File items scanned : 15929
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bannertgt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media6degrees[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pubmatic[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@rotator.adjuggler[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@edgeadx[1].txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4303

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/11/2010 1:19:45 PM
mbam-log-2010-07-11 (13-19-45).txt

Scan type: Quick scan
Objects scanned: 149369
Time elapsed: 17 minute(s), 38 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.
C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.
C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 11 July 2010 - 06:56 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 dazzlingmd

dazzlingmd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 11 July 2010 - 08:30 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller


Thanks a ton! So far so good. I ran that and then ran another malwarebytes scan (log below) which still found a couple of issues, but since the reboot after the malwarebytes scan, knock on wood, no pop up windows have materialzed and my google search links have been working.

Hopefully that took care of it! If anyone sees an additional issue in the log below that seems to indicate that this didn't fix the problem, please let me know.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4303

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/11/2010 7:08:14 PM
mbam-log-2010-07-11 (19-08-14).txt

Scan type: Quick scan
Objects scanned: 159877
Time elapsed: 18 minute(s), 56 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.
C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.
C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 11 July 2010 - 08:32 PM

Run the Malwarebytes scan again and post the new log if it finds anything.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 dazzlingmd

dazzlingmd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 11 July 2010 - 09:20 PM

Run the Malwarebytes scan again and post the new log if it finds anything.


Unfortunately I think I spoke too soon. Malwarebytes keeps finding the same 4 files (log is pasted below) and coincidentally I got a pop up "crush alert" about a new crush that someone has on me. Although I'm hopeful that someone, somewhere does indeed have a crush on me, that's one of the pop-ups I've been getting since this all started, and indicates to me that although things are much-improved, there's still something going on.

Thanks for any further assistance you can provide.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4303

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/11/2010 8:11:48 PM
mbam-log-2010-07-11 (20-11-48).txt

Scan type: Quick scan
Objects scanned: 161828
Time elapsed: 26 minute(s), 8 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.
C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.
C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:29 PM

Posted 11 July 2010 - 09:35 PM

Hi, may I jump in a moment?? This looks like a new piece of malware called Bootkit Whistler. This is a piece of malware that alters the Master Boot Record of your Harddisk. Once it's done that it can facilitate all kinds of malware, as in your case the two processes running from the System Restore directory.

To confirm this, do the following:

In case you don't have an archive extracter installed already:
Please download 7zip and install the program on your computer (we need this program in order to be able to unzip the tool that can delete Bootkit Whistler).

When 7zip is succesfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next repl
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 dazzlingmd

dazzlingmd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 11 July 2010 - 09:49 PM

Hi, may I jump in a moment?? This looks like a new piece of malware called Bootkit Whistler. This is a piece of malware that alters the Master Boot Record of your Harddisk. Once it's done that it can facilitate all kinds of malware, as in your case the two processes running from the System Restore directory.

To confirm this, do the following:

In case you don't have an archive extracter installed already:
Please download 7zip and install the program on your computer (we need this program in order to be able to unzip the tool that can delete Bootkit Whistler).

When 7zip is succesfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next repl


Thanks. Did that and here is what appeared in the command window:

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 33651d4929a84a7ab9d65c115ce1bdc0
CreateFile() ERROR 5

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:29 PM

Posted 11 July 2010 - 10:23 PM

Hello again,you have an MBR ( Master Boot Record) infection.
We need to move to the Malware Removal forum with this as improper removal can do huge damage...

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Name it Probable MBR infection
Ship the Gmer scan. Instead post this...

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 33651d4929a84a7ab9d65c115ce1bdc0
CreateFile() ERROR 5

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix


Press any key to quit...


Also include the answer to these 3 questions.

And answer these questions...
•Is this a DELL computer?
•Do you have multiple operating systems installed?


Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 dazzlingmd

dazzlingmd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 11 July 2010 - 10:39 PM

Hello again,you have an MBR ( Master Boot Record) infection.
We need to move to the Malware Removal forum with this as improper removal can do huge damage...

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Name it Probable MBR infection
Ship the Gmer scan. Instead post this...

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 33651d4929a84a7ab9d65c115ce1bdc0
CreateFile() ERROR 5

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix


Press any key to quit...


Also include the answer to these 3 questions.

And answer these questions...
•Is this a DELL computer?
•Do you have multiple operating systems installed?


Let me know if that went well.


Unfortunately defogger says I can't run it because I'm not an administrator. This is a work computer (yes, it is a Dell, although I only have 1 operating system on it - Windows XP) so that's probably why I'm not an administrator.

Anything I can do that wouldn't require that? My last resort is sending it to IT to be re-ghosted, but I was hoping to avoid that.

Thanks again.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:29 PM

Posted 11 July 2010 - 10:46 PM

Ok, try with out Defogger include the comment you made.
Unfortunately defogger says I can't run it because I'm not an administrator. This is a work computer (yes, it is a Dell, although I only have 1 operating system on it - Windows XP) so that's probably why I'm not an administrator.

Anything I can do that wouldn't require that? My last resort is sending it to IT to be re-ghosted, but I was hoping to avoid that.

We need to get you in there so just move on.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,944 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:29 PM

Posted 12 July 2010 - 05:14 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/330891/probable-mbr-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 12 July 2010 - 05:14 PM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users