
Redirect Virus -- TDSSKiller won't run

8 replies to this topic

#1 Mintos

Mintos

  • Members
  • 5 posts

Posted 21 June 2011 - 08:14 PM

Yesterday I got the "Windows XP Repair" virus through (I think) a very old version of Java. When you only have 5g of bandwidth a month it's hard to keep things updating without eating everything. I run on XP Media Center Edition version 2002 on SP3.

I think I destroyed the Windows Repair virus since there's no more pop-ups or invisible icons, but now I'm stuck with the redirect virus. I tried everything to try and find it, but to no avail. I ran Malwarebytes (freshly updated) and it did delete a number of things, I tried to run TDSSKiller under multiple names and extensions but nothing would come up after it asked permission to run, I ran SUPERAntiSpyware and it found and deleted a ton of things, then I ran GooredFix and OTM which gave this log:

------------

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Holly\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Holly\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Holly
->Temp folder emptied: 933132 bytes
->Temporary Internet Files folder emptied: 186828441 bytes
->Java cache emptied: 84911067 bytes
->FireFox cache emptied: 64495799 bytes
->Flash cache emptied: 3296980 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: NetworkService
->Temp folder emptied: 87990 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29930209 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 509203994 bytes

Total Files Cleaned = 839.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.18.0 log created on 06212011_172308

Files moved on Reboot...

Registry entries deleted on Reboot...

------------------






GooredFix gave me this log:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:31 on 21/06/2011 (Holly)
Firefox version 3.6.15 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [08:31 30/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [03:58 25/04/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [18:36 13/03/2010]

C:\Documents and Settings\Holly\Application Data\Mozilla\Firefox\Profiles\76z2cj1f.default\extensions\
rapportive@rapportive.com [07:42 05/06/2011]
{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [02:06 29/04/2011]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [05:35 30/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [20:51 18/10/2010]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [16:15 01/06/2011]

-=E.O.F=-

----------------

So then I deleted Java, Wild Tangent, and Firefox while hoping some of the files preventing TDSSKiller from running were in those programs. I used RKill and it found no processes to destroy, though it stopped working similarly to TDSSKiller until I disabled a process called Iexplorer, and it would then run, but still would find nothing. As a last resort I tried a system restore, but my computer says it cannot restore to whatever date I select. I've backed up my registries with ERUNT. My D drive seems to be clean and was never affected with the System Repair Virus. Can it hop drives? I scanned the D drive anyway to be safe and nothing was found. The D drive is nothing but extra file storage for me. When my browser is redirected it brings me to seemingly random places like yellowpages.com. Internet Explorer and Firefox were being redirected, Internet Explorer seemingly more so. I just installed Chrome to come to this website and it's affected too.

It seems some programs like paint are still invisible from the repair virus. I do have unhide.exe, but I'd rather worry about killing the virus first.

And this is what Malwarebytes scans now:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6905

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/21/2011 8:02:20 PM
mbam-log-2011-06-21 (20-02-20).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 296522
Time elapsed: 1 hour(s), 25 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------

One thing I've been unable to do is save TDSSKiller as a different name BEFORE downloading it because I'm never given the option to "Save As". Anyway to do that?

EDIT: I figured out how to. Still won't run.

Edited by Mintos, 21 June 2011 - 08:18 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 June 2011 - 09:18 PM

Hello, this is odd. Your MBAM log shows >>>
Malwarebytes' Anti-Malware 1.46 <<< This is very old, now 1.50.
www.malwarebytes.org

Database version: 6905 <<< this is close enough (6914), odd.
Before we reinstall:

Run EXE HELPER
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

#3 Mintos

Mintos
  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2011 - 12:44 AM

I couldn't update Malwarebytes directly so had to transport the update file to this computer, which is probably why the version looked odd. Does that mean it wasn't fully updated after all? Ah well.

EXE Helper log is:

exeHelper by Raktor
Build 20100414
Run at 00:13:06 on 06/22/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



When I used the cleaning tool I got several errors:

From vbAccelerator SGrid II Control -- Run-time error '0'

From Malwarebytes -- Run-time error '440' Automatron error

From Malwarebytes -- MBam_Error_Enumerate_Languages (3,0) System can't find the path specified

Forgive me, but the error messages may have overlapped there; I scribbled them on a very full tablet that caused a lot of breaking up for the errors.

Malwarebytes does not appear in my system tray after restarting, nor does it show even when I'm running it. AdAware and SUPERAntiSpyware were the only ones up. The log from Malwarebytes says:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6916

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/22/2011 12:43:05 AM
mbam-log-2011-06-22 (00-43-05).txt

Scan type: Quick scan
Objects scanned: 166773
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Mintos, 22 June 2011 - 12:45 AM.


#4 Mintos

Mintos
  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2011 - 10:24 PM

I think we resolved it. My boyfriend discovered that TDSSKiller would run from a flash drive after it was downloaded from a clean computer and given a new name. It found 1 virus and 1 suspicious program and both were deleted. After that the redirecting has stopped and nothing unusual has been occurring. Sadly I cannot post the log files because my boyfriend didn't know that I had wanted him to save it for me, so I can't say what location it had been in at the time. I ran Malwarebytes and SUPERAntiSpyware several more times just to be safe until they found nothing. After restarting and running TDSSKiller one more time there was nothing there anymore.

Thanks for the help. If anything else shows up I'll post back here.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 June 2011 - 10:27 PM

Good job, as long as the second run came back clean and the others too, I say you're good.
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#6 Mintos

Mintos
  • Topic Starter

  • Members
  • 5 posts

Posted 23 June 2011 - 05:08 PM

Oh-ho, we've just stumbled over a pretty big problem. System Restore is gone. It's not in the start menu, it's not in Administrative Tools in Control Panel, and when I tried to run it late last night it said it couldn't (I don't remember the specific error message), and when I tried to restart the computer I was met with "system32/config/system is corrupt or missing".

My computer is 6 years old and never came with a repair disk. All it offers is a restore option. While trying to see if I could just insert the damaged registries back in somehow, I misclicked and missed my chance to pull up the restore console, and to my surprise my computer booted up normally. I had changed nothing from the point of it getting corrupted. We had installed XP Professional without a license to just try and save some files, but that's about all we did. After it started running normally again I used CCleaner to hopefully fix the registry.

And so I remain stuck with no System Restore. I ran SUPERAntiSpyware again but all it found was some tracking cookies. TDSSKiller found nothing, so I'm assuming this is the damage it left. I'm also missing Paint and some other programs from the start menu. I used unhide.exe several times. Pretty much I would just like to do a system restore and reinstall what I need.

Well, I found paint. Looks like the shortcut was just deleted for it. I'm not sure where it was originally located (I would assume programs), but it's now stuffed in my system32 folder.

I'll edit this post if I try anything else.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 June 2011 - 07:37 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#8 Mintos

Mintos
  • Topic Starter

  • Members
  • 5 posts

Posted 24 June 2011 - 04:58 AM

SystemLook 04.09.10 by jpshortstuff
Log created at 04:57 on 24/06/2011 by Holly
Administrator - Elevation successful

========== dir ==========

C:\DOCUME~1\Holly\LOCALS~1\Temp\smtmp - Unable to find folder.

-= EOF =-

Edited by Mintos, 24 June 2011 - 03:05 PM.


#9 brian0918

brian0918

  • Members
  • 3 posts

Posted 08 July 2011 - 09:36 PM

Mintos:

I had this same issue today. Even though I tried renaming tdsskiller.exe to asdf.com, it still would not open. I guessed that the rootkit virus was examining the executable's description/company/product information (which Kaspersky foolishly includes in the file).

I found a utility called verpatch which modifies the tdsskiller file properties, using the following command:

verpatch tdsskiller.exe /s description "12345" /s company "asdf" /s product "qwerty" /s copyright "abc123"


After making this change, just right-click the tdsskiller and go to Properties, and you will see that the information has been changed.

Then just rename the program back to asdf.com, double-click it, and it may start up. In my case, it immediately found the rootkit, removed it, and now I am no longer experiencing the Google Redirect virus.
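The strings that the verpatch command in the post above rewrites (description, company, product, copyright) live in the executable's VS_VERSIONINFO resource, the same block Explorer shows on the Properties dialog. The following is an added example, not code from any post in this thread and not part of verpatch or TDSSKiller: it constructs such a resource block in memory, parses it back, and reports which string fields differ between an original and a patched copy, so a responder can see exactly what metadata a file carries and verify what a patch changed. The "ExampleTool"/"Example Vendor" values are constructed, and mapping verpatch's description/company/product/copyright shortcuts to the FileDescription, CompanyName, ProductName and LegalCopyright fields is an assumption.

```python
"""Added example, not code from the thread, from verpatch or from TDSSKiller.

Builds a constructed PE VS_VERSIONINFO resource block (the structure that holds
FileDescription, CompanyName, ProductName, LegalCopyright), parses it back, and
reports which string fields differ between an original and a patched copy.
"""
import struct


def _pad4(b: bytes) -> bytes:
    """Pad to a 4-byte boundary; VS_VERSIONINFO members are DWORD aligned."""
    return b + b"\0" * ((4 - len(b) % 4) % 4)


def _utf16z(s: str) -> bytes:
    """Null-terminated UTF-16LE string, the encoding of szKey and of string Values."""
    return s.encode("utf-16-le") + b"\0\0"


def _node(key: str, value: bytes = b"", value_len: int = 0, wtype: int = 1,
          children: bytes = b"") -> bytes:
    """Generic node: wLength, wValueLength, wType, szKey, padding, Value, padding, children."""
    head = struct.pack("<HHH", 0, value_len, wtype) + _utf16z(key)
    body = _pad4(head) + _pad4(value) + children
    return struct.pack("<H", len(body)) + body[2:]   # back-fill wLength


def build_version_info(strings: dict, lang: str = "040904B0") -> bytes:
    """Constructed VS_VERSIONINFO with one StringTable (US English, Unicode) and a Translation var."""
    # VS_FIXEDFILEINFO: dwSignature, dwStrucVersion, then eleven zeroed DWORDs (52 bytes total)
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))
    # String entries: wValueLength counts WCHARs including the terminator
    entries = b"".join(_node(k, _utf16z(v), len(v) + 1, 1) for k, v in strings.items())
    sfi = _node("StringFileInfo", children=_node(lang, children=entries))
    var = _node("Translation", struct.pack("<HH", 0x0409, 0x04B0), 4, 0)
    vfi = _node("VarFileInfo", children=var)
    return _node("VS_VERSION_INFO", fixed, len(fixed), 0, sfi + vfi)


def _read_node(buf: bytes, off: int):
    """Decode one node header; return (key, value, wtype, first_child_offset, end_offset)."""
    w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, off)
    if w_len < 6 or off + w_len > len(buf):
        raise ValueError("malformed VS_VERSIONINFO node at offset %d" % off)
    p = q = off + 6
    while buf[q:q + 2] != b"\0\0":          # szKey is null-terminated UTF-16
        if q + 2 > len(buf):
            raise ValueError("unterminated szKey at offset %d" % off)
        q += 2
    key = buf[p:q].decode("utf-16-le")
    q = (q + 2 + 3) & ~3                    # skip terminator, align Value to DWORD
    vbytes = w_val_len * 2 if w_type == 1 else w_val_len   # text lengths are in WCHARs
    value = buf[q:q + vbytes]
    return key, value, w_type, (q + vbytes + 3) & ~3, off + w_len


def parse_string_file_info(blob: bytes) -> dict:
    """Walk VS_VERSION_INFO -> StringFileInfo -> StringTable -> String and collect name/value pairs."""
    key, _, _, off, end = _read_node(blob, 0)
    if key != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO block")
    found = {}
    while off < end:
        k, _, _, t_off, k_end = _read_node(blob, off)
        if k == "StringFileInfo":            # VarFileInfo and anything else is skipped
            while t_off < k_end:             # one StringTable per language
                _, _, _, s_off, t_end = _read_node(blob, t_off)
                while s_off < t_end:         # String entries
                    name, val, _, _, s_end = _read_node(blob, s_off)
                    found[name] = val.decode("utf-16-le").rstrip("\0")
                    s_off = (s_end + 3) & ~3
                t_off = (t_end + 3) & ~3
        off = (k_end + 3) & ~3
    return found


def changed_fields(original: bytes, patched: bytes) -> dict:
    """Fields whose value differs between two resource blocks: {name: (old, new)}."""
    a, b = parse_string_file_info(original), parse_string_file_info(patched)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed sample metadata (not TDSSKiller's real strings) and the values the
# thread's verpatch command sets. Mapping description/company/product/copyright to
# these four field names is an assumption about verpatch's shortcuts.
ORIGINAL = {"FileDescription": "ExampleTool", "CompanyName": "Example Vendor",
            "ProductName": "ExampleTool", "LegalCopyright": "(c) Example Vendor"}
PATCHED = {"FileDescription": "12345", "CompanyName": "asdf",
           "ProductName": "qwerty", "LegalCopyright": "abc123"}

if __name__ == "__main__":
    diff = changed_fields(build_version_info(ORIGINAL), build_version_info(PATCHED))
    for name, (old, new) in diff.items():
        print("%-16s %r -> %r" % (name, old, new))
```

On a real file the same parser can be pointed at the RT_VERSION resource once it has been pulled out of the PE resource directory; comparing the parsed fields of a known-good copy against a copy that refuses to start is a quick way to confirm that only the metadata, and not the code, was altered by a tool such as verpatch.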
