Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Rootkit


  • This topic is locked This topic is locked
26 replies to this topic

#1 SpicyCrab

SpicyCrab

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 18 November 2010 - 10:23 PM

I was recently infected with a piece of malware called "SecurityTool"

I recognized what it was immediately and took steps to remove it. As far as I can tell I succeeded.

However, ever since I removed it I have been getting that annoying google redirect problem. Sometimes popups open on their own, but mostly, if I click a link from a google search there is about a 50% chance I'll be redirected to a bizarre and pointless ad site. (1-800 kidneys? really?)

I ran Hitman Pro and it told me that it detected a "possible variant of the TDL3 Rootkit."

Then I ran combofix which seemed to run without a hitch (this was before I even knew this site existed.)

However, when I powered up my system again, I was still experiencing the redirect. Hitman Pro is still reporting that it detects the rootkit.

I am a very computer savvy person, in fact, I do tech support for a living. However, I have been unable to remove this virus on my own.

I am running Windows 7 OEM, but i installed it on a second computer so it is technically unregistered. I have to click through two "your windows isn't registered" boxes when my Windows first starts up. I don't know if this matters.

Thank you all in advance for any help you can provide. I will be refraining from taking any more steps on my own so I eagerly await your assistance.

I have attached the DDS logs, and...

Edit: On my second try I was able to run GMER. I have also attached the GMER log (ark.log) GMER reported after scan that it had "detected evidence of rootkit activity."

Attached Files


Edited by SpicyCrab, 18 November 2010 - 10:43 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 27 November 2010 - 11:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
[/list]
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 30 November 2010 - 03:10 PM

Hey,

I am sorry it took so long for me to respond. Thank you so much for helping me! I am going to perform these steps as soon as I get home. Please don't close the topic.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 30 November 2010 - 03:22 PM

Hello

Don't worry I will be around


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 30 November 2010 - 11:10 PM

Hey,

Here are the requested logs.

Thank you again so much.

Attached Files



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 30 November 2010 - 11:18 PM

Hello

I like your nickname.

update combofix

I would like you to download an updated virsion of combofix.

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall
[/list]

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 02 December 2010 - 01:48 PM

I tried to run combo fix from the link you provided. It asked me to update combofix before it scanned so I did.

It then told me that it detected a rootkit and that it wanted to restart. I wasn't sure what to do because I know I am just trying to get a report generated. It appeared to be the only option so I said yes.

It booted in to combofix, and began scanning.

About fifteen minutes in to the scan it gave me a blue screen of death.

PS: There is a glitch on my computer which causes it to fail to boot in to windows sometimes (only a blackscreen displays on startup.) This is actually what happened when I ran combofix, although the startup scan still ran until the bluescreen. I can circumvent this issue by loading in to my alternate user account (SpicyTest.)

Should I run combofix from SpicyTest?

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 02 December 2010 - 03:09 PM

Hello

Does it have admin privileges if so then try it


Gringo

Edited by gringo_pr, 02 December 2010 - 03:10 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 02 December 2010 - 10:27 PM

Hey,

I can't run combofix. Every time I trie I get to about stage 7 and then I get a BSOD.

Is it hopeless?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 03 December 2010 - 08:00 AM

Hello

Sorry I was out last night.

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 04 December 2010 - 05:24 PM

Success!

I don't have much time to elaborate but here it is.

Thanks again!

Attached Files



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 04 December 2010 - 07:01 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 04 December 2010 - 07:58 PM

It ran, said it detected the rootkit.

It gave me a file location, and said that it would clean the rootkit after reboot.

Reboot happened without a hitch.

Log attached.

Attached Files



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 04 December 2010 - 09:08 PM

Greetings

Good That cleaned up the rootkit but I see something in the combofix report that needs to be removed

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\users\SpicyCrab\AppData\Local\Pluhadanapiq.bin


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 SpicyCrab

SpicyCrab
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:37 AM

Posted 04 December 2010 - 10:51 PM

Here it is,

I hope I did it right.

I haven't noticed any new issues, and all of the gradually worsening ones I was experiencing seem to be gone.

The computer is running much better, I haven't noticed any thing wrong so far but I will post here if I do.

Attached Files


Edited by SpicyCrab, 04 December 2010 - 10:52 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users