
Another Google redirect virus

32 replies to this topic

#1 vancouverdude (Members, 16 posts)

Posted 25 December 2010 - 03:24 AM

Hello, I seem to be having the same problem as pretty much everyone else right now, my google is going insane. At first I thought it might be only google but it's also bing, then I thought it might be the new ad blocker plus I installed yesterday but it's not that either.

I ran Malwarebytes and nothing showed up. I ran the kit from the link and a locked file showed up.

It's c:\windows\system32\drivers\sptd.sys.

I'm not sure whether I should delete it or not though, I don't know what it does. Since it says it's locked I'm not sure if I could even actually delete it. If it helps at all, when I was going into the folder to look for myself I noticed the modified date for the 'drivers' folder is from yesterday, or about 12 hours ago which is when all this started. I haven't looked at or modified the folder until just now but it says it was modified yesterday.

I'm going to try to delete it, re-boot and see what happens. If nothing happens and it keeps re-directing I'm going to try this 'fileassassin' that's on Malwarebytes.

Or maybe the internet is just plain old being attacked right now.

#2 vancouverdude (Topic Starter)

Posted 25 December 2010 - 04:24 AM

Well I seem to have fixed it. It wasn't the file or any add-on or any trojan or malware, it was a setting on the Java console thing. I went to control panel, then java, then the 'advanced' tab, then the miscellaneous part and un-clicked the 'java quick starter' button.

I also disabled any 'java' add-ons for firefox.

Hopefully that fixes it, if it's good tomorrow I'll say it's fixed.

Everything I've googled so far sends me directly to where I want to go, no redirections so far.

Edited by vancouverdude, 25 December 2010 - 04:26 AM.


#3 vancouverdude (Topic Starter)

Posted 25 December 2010 - 08:08 AM

Well now it's back again. I don't know what's going on. Some sort of fake program said it was scanning my computer and needed to be installed to fix it. I tried to close it but it wouldn't close, so I closed it with task manager. I started firefox again and it tried to start up so I unplugged the internet, ran ccleaner to clear everything out, plugged the cable in again then tried to click a google link and got redirected again.

I tried tdsskiller and malwarebytes but both turned up nothing. I even tried spybot and still nothing. I deleted the sptd.sys file thing too but it seemed harmless.

I'm stumped, it seems to turn on and off. I seem to get mainly redirected to investopedia and some address or something, 66.111.212.229. If I trace back a few days the only things I downloaded were 2 movies, Predators and Black Swan and a utorrent update. The only thing that seemed fishy was when I updated malwarebytes or ad block plus and got some sort of list of countries and had to choose one for the 'source' of my update.

I have no clue what to do lol.

#4 boopme (Global Moderator)

Posted 25 December 2010 - 01:46 PM

Hello, I created your own topic, best way and a lot less confusing than helping 3 people in one topic.
I think we can get this in a couple steps. Let's do these first and see.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Please perform a scan with ESET Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 vancouverdude (Topic Starter)

Posted 27 December 2010 - 02:42 PM

Hmm, well I no longer have access to my computer now lol. Right now I'm in Ontario so I can't get back to my computer until 2 weeks or so.

I scanned it with this ESET which brought up one file that said it was a trojan. It gave one file but seemed to have it in 2 places or something. At first I quarantined it which did nothing, after that I outright deleted it. The program said something about "win32/bamital" but at the same time the ESET program named it as sys32/drivers/ms.dll which said it was a trojan. It was the only thing ESET brought up.

Like I said, I quarantined it first but that did nothing, figuring the program "had it" I deleted the file and shut down the computer figuring it would re-start fine. Now, after I deleted it the computer gets as far as the 'loading' screen then shuts down, re-starts and tries to start again and again before it keeps getting shut down, Windows never loads. I can't even get into safe mode, just mini XP.

From mini XP I tried to do a system restore but it says system restore is only available to computers that run on XP and later versions.

Basically I'm locked out of fixing my computer. Is there a way I can somehow copy the ms.dll from some other place and put it back in the drivers section by command prompt or something?

My computer is pretty old anyway, any computer at least 2 years old will blow my computer out of the water. If I have to buy a new computer I'll just buy a new one. I'm sort of figuring the virus won on this one lol.

#6 boopme (Global Moderator)

Posted 27 December 2010 - 08:47 PM

That dll is the infection. http://www.threatexpert.com/files/ms.dll.html

Trojan:Win32/Bamital
Did you run TDSSKiller?

These are Backdoor infections.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#7 vancouverdude (Topic Starter)

Posted 29 December 2010 - 04:50 PM

Hmm, I think I ran the right program lol. I ran tdsskiller (from the link above) but from what I remember nothing popped up. The program that found the file was eset.

I must have had this file/trojan for quite a while. Before all this started my facebook account sent out tons of spam. Apparently I had given some "3rd party site" access to my profile, I had to change my password and change my privacy settings. While all that was going on my hotmail was also sending out spam to my contacts list, I had to delete them all and now I don't use that account anymore.

Then after I thought I had fixed it all this happened. Even still whenever I log in to facebook or my (hacked) hotmail I get asked for my phone number all the time but I'm not going to enter my info.

Last year my internet got cut off and for a while I had to go to a cafe to get on the internet, that's when everything started, all those computers were pretty infected. It probably "sat" in my accounts until I got my regular internet back then infected my computer as the other ones were already infected.

Yes, I do some banking on my computer but mostly just to check my balance, there's rarely any money in there anyway hehehe. The bank stuff is the only stuff that has my real info.

----------------------

So, any advice as to how I can access/fix my computer when I get back to Vancouver?

As I said I can't get into safe mode, the only thing I can get into is mini-XP but that might be from the bootCD I used. Curious though, from mini-XP I can still get into my pictures and pretty much all of XP, it's when I start my computer, it gets to the Windows "loading" screen just before you get into Windows, but then it just shuts off and re-starts. It does this over and over never actually allowing me into XP.

Also, I only deleted one file, the ms.dll file.

Seeing as I have access to my files and some programs, couldn't I copy the ms.dll file onto a thumb/stick drive, plug it in and copy it back to the driver file on sys32?

After I got shut out I sort of figured "ms" stood for "microsoft" lol, meaning I possibly deleted a very important file. But of course I couldn't get on the internet after I deleted it.

It cost me $200 to rebuild a computer from 2003 lol (P4, 256 ram, pathetic). I might just bite the bullet and buy a "new-old" computer from 2-3 years back.

If I could though I'd like to fix it if I could. Thanks for all the help though, seriously.

#8 boopme (Global Moderator)

Posted 29 December 2010 - 09:37 PM

Try to get your connection like this.

-open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.
><><><><><><><
You can try running SFC for that DLL.
Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.

><><><><><><><>
SAFE MODE
Let us see if we can get Safe mode to run.

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode.

<><><><><>><><
TOOLS to copy to a CD or a Flash drive

Please download the Avira AntiVir Rescue System.
alternate download link
Place a blank CD in your burner and double-click on the rescue system package (rescuecd.exe) to burn it to a CD/DVD which you can then use to boot your computer and run a scan. For detailed instructions, refer to the Tutorial for Avira Rescue CD. If you encounter problems running Avira AntiVir Rescue System, you can get further assistance at the Avira Tools Support Forum.



MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
Close all open browsers before using, especially FireFox. <-Important!!!
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
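As an added example that is not part of this thread, the PowerShell script below reports, without changing anything, the three settings the steps above reset: the WinINet proxy behind the "use proxy" checkbox, HOSTS file lines that rename google/bing, and the Winsock provider catalog that `netsh winsock reset` rebuilds. It assumes a Windows machine where PowerShell and `netsh` are available; paths and registry key are the standard Windows ones.

```powershell
# Added example: read-only inspection of the places a "search redirect"
# commonly lives on Windows. Run as the affected user; nothing is modified.

# 1. WinINet proxy settings (the "use proxy" checkbox in Internet Options)
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable      # 1 = a manual proxy is in force
    ProxyServer   = $inet.ProxyServer      # host:port that traffic is routed through
    AutoConfigURL = $inet.AutoConfigURL    # a PAC script can redirect as well
} | Format-List

# 2. HOSTS file entries that point search engine names somewhere else
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$suspect = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'google|bing' }
if ($suspect) {
    "HOSTS file overrides search engine names:"
    $suspect
} else {
    "HOSTS file has no google/bing entries."
}

# 3. Winsock catalog: a third-party Provider Path here is what
#    'netsh winsock reset' would remove when it rebuilds the list
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'
```

A ProxyEnable of 1 with a ProxyServer you did not set, or a HOSTS line for google/bing, explains the redirects on its own; an unfamiliar Provider Path is what the winsock reset step clears.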

#9 vancouverdude (Topic Starter)

Posted 04 January 2011 - 01:52 PM

Ok, I'll give this all a try when I get back to Vancouver next week.

I'm unable to get into Windows (XP) period. It only goes as far as the Windows "loading" screen then shuts off and repeats over and over. I'm also unable to get into safe-mode or any mode.

I tried the "safe mode with networking" but even that didn't work. I only got into the mini-XP from the Hiren's bootCD I burned a couple years ago. That's why after I got shut out of my computer I figured "ms.dll" was a very important file seeing as it's the only one I deleted that seemed important.

Anyway, I don't have a thumb drive/USB stick so I guess I'm going to have to burn those installers onto a disc and try to install them from there, although seeing as how my internet won't connect I don't see how I'll DL the list of threats. From what I remember, the mini-XP was running off of my RAM. If I had more RAM I could have run Recuva, recovered the ms.dll file, restored it and see if that did anything but again, not enough RAM.

Also, when I got this computer re-built it didn't come with a disc for Windows. The only disc I have is for the mobo.

----------------

So, to summarize, I'm unable to get into any form of 'normal' Windows, normal or safe mode.

I deleted 2 files but I got shut out only after deleting the ms.dll file that was in the drivers folder.

I don't have the operating CD for it, I only have the CD for the mobo and a Hirens bootCD disc.

#10 vancouverdude (Topic Starter)

Posted 18 January 2011 - 07:19 PM

Ok, I'm back in Vancouver now. So here's what popped up and what I wrote down before I left Vancouver.

I forget which program, but this popped up after a scan: sys32/ms/dll. It was described as "variant of win32/bamital.dv trojan."

After I got "locked out" I tried getting into safe mode but none of that worked (SM w/ networking, last known working config etc), this one message popped up though.
"Stop: fatal system error: 0xc0000005"

Does that help at all? lol.

Anyway I'm going to try one of these "repair" discs or try to find an old XP disc.

Is it "dead" or fixable?

edit: well I just did some google-ing and apparently windows has some XP boot discs for download, I'm unsure if it's the right stuff though. I suppose I'm going to have to burn some program onto a disc, take it home and try to fix it from there.

It's strange how one little file did all this lol.

Edited by vancouverdude, 18 January 2011 - 07:32 PM.


#11 boopme (Global Moderator)

Posted 18 January 2011 - 08:56 PM

It's definitely fixable.
The error 0xC0000005 is generated by an illegal "memory access violation". This can be caused by anything from faulty RAM, an incorrect/corrupt device driver, poorly written/updated software and more commonly under Windows XP Service pack 2, malware/adware installations.

You are at this point still???
I'm unable to get into Windows (XP) period. It only goes as far as the Windows "loading" screen then shuts off and repeats over and over. I'm also unable to get into safe-mode or any mode.


I can ask someone to help you boot this.

Or You can try this. AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this disk on.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD

#12 vancouverdude (Topic Starter)

Posted 19 January 2011 - 04:44 PM

Well I burned the "rescue disc" last night, popped it in my computer, it was already set to boot off the disc. Anyway, it "ran" the program up to a certain point and seemed to be loading it. It installed/mounted whatever it installs but didn't load after it had finally loaded.

It appeared to run/set up what it needed to set up but again, when the programs should have started the screen was just black. It seems to do this to everything, loads to a certain point then never actually gets to the programs "start" screens.

So basically the only thing I can get into is mini-XP. I'm doing this at school right now and I'm out of time lol.

Hmm, any advice?

#13 boopme (Global Moderator)

Posted 19 January 2011 - 08:58 PM

We have only a few options.
Can you get a DDS log from here and post it in a new topic?
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
Skip GMER.

Let me know if that went well.

Or you will need to format and reinstall the OS.

#14 vancouverdude (Topic Starter)

Posted 19 January 2011 - 09:24 PM

Hmm, it seems like some sort of start up file got deleted or something, maybe. Through this mini-XP on this old Hirens bootCD I have I can still change/delete/copy most files or run certain programs. I tried eset and tdsskiller but I get this "unsupported action" message.

All the files are still there, it's just that Windows won't start. It will load to a certain point to the "Windows loading" screen with the loading bar, then it just goes black and re-starts and does it all over again.

I can't run these programs because I can't connect to the internet at my place. I can copy the installer onto my computer but that's about it.

#15 boopme (Global Moderator)

Posted 19 January 2011 - 10:41 PM

Is your XP legitimate, as mini isn't and that could be causing the problems.

My option is to have someone that boots these dead machines look here but they won't if it's not a possibility to run your legal system.