
REDIRECT VIRUS



#1 AshleeJ

Posted 30 June 2011 - 01:37 PM

About 6 days ago I noticed that I was being redirected to different sites after clicking on a web link from Google. I've done some research which has led me to believe that I have a redirect virus. I have searched for the virus TDSS but have been unsuccessful in locating any files stored under that name. I have also looked under the hardware in the non plug and play drivers section only to come up with nothing. I have also searched through my hosts file only to find just my local host entry being there. I have scanned with AVG and nothing showed up unusual. I have Malwarebytes Anti-Malware installed on my laptop and it is updated. I have done several full PC scans in which nothing showed up. I will post the results of the latest one done. I have recently downloaded Hitman Pro 3.5 and ran 3 scans. The first scan removed several tracking/tracing cookies and one rootkit. Upon the removal/quarantining of the rootkit the problem still persists. I will post the results of the latest one done also. I have read in another post about redirecting and performed the first step of the security check and will post the results of that also. I'm currently running a Microsoft Windows Malicious Software Removal Tool scan to see if it pulls up anything. I will post results also. I'm not sure if this is the aftermath of a redirect virus but I would like any help possible. Thanks, Ashlee



Results from last Anti Malware Scan:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6969

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/28/2011 3:45:23 PM
mbam-log-2011-06-28 (15-45-22).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 288007
Time elapsed: 2 hour(s), 34 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

RESULTS from LATEST AVG SCAN:

                FOUND   REMOVED and HEALED   NOT REMOVED or HEALED
WARNINGS        1       1                    0
INFORMATION     8       -----                -----



Folders selected for scanning: Whole computer scan
Scan started: Tuesday, June 28, 2011 9:02:41AM
Scan finished: Tuesday, June 28, 2011 10:49:23AM (1 hour(s) 46 minute(s))
Total objects scanned: 787472


the WARNING file was this
"";"C:\Documents and Settings\DAVID JOHNS\Local Settings\Temporary Internet Files\Content.IE5\SHYLBVPF\PageRageSetup[1].exe";"Corrupted executable file";"Moved to Virus Vault"

the INFORMATION file was this, ALONG with 7 other similar files
"";"C:\Documents and Settings\DAVID JOHNS\Local Settings\Temp\RarSFX1\dependencies\WindowsXP-KB829558-x86-ENU.exe";"The file is signed with a broken digital signature, issued by: Microsoft Windows XP Publisher.";""


HITMAN PRO 3.5:
_Setupx.dll ROOTKIT Tue 28 Jan 2011 17:10 Quarantined
(C:\Documents and Settings\All Users\Favorites\Application Data\Temp....

Microsoft Windows MSR Tool Scan:
CLEAN....not infected with anything. DOS/Alureon is first on that list of viruses, trojans, and etc



Security Check Scan:
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
Norton 360
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.0.42.34
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


And that's it..... I'm just waiting for further instructions
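The hosts file check described in the post above, as an added PowerShell example that is not part of the thread and not one of the tools the helpers link to. A tampered hosts file is one classic way a machine ends up "redirected", so the function flags every line that is not a loopback entry for localhost. The sample content is constructed for the demonstration (203.0.113.10 is a documentation-only address); the commented last line shows how to point the same check at the live file on the machine being examined.

```powershell
# Added example (not from the thread): report hosts-file entries that could
# redirect traffic. A clean Windows hosts file contains only comments and
# loopback entries for "localhost"; anything else deserves a look.

function Get-SuspiciousHostsEntries {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Lines   # hosts file content, one line per element
    )
    $loopback = @('127.0.0.1', '::1')
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()          # drop trailing comments
        if (-not $line) { continue }                    # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # address with no hostname, nothing mapped
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            # Loopback -> localhost is expected; every other mapping is reported.
            $expected = ($loopback -contains $address) -and ($name -ieq 'localhost')
            if (-not $expected) {
                New-Object PSObject -Property @{
                    Address = $address
                    Name    = $name
                    Line    = $raw.Trim()
                }
            }
        }
    }
}

# Constructed sample standing in for a real hosts file. The last two lines are
# made-up illustrations of what hijacked entries look like (203.0.113.10 is a
# documentation-only address, not a real server).
$sample = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
203.0.113.10    www.google.com
'@ -split "`r?`n"

Get-SuspiciousHostsEntries -Lines $sample | Format-Table Address, Name, Line -AutoSize

# Same check against the live file on the machine being examined:
# Get-SuspiciousHostsEntries -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

Run against the sample, the two constructed lines are reported and the three legitimate ones are not. A loopback entry for a security vendor's site (as in the sample) is worth as much attention as a public address for a search engine: the first blocks updates, the second sends the browser somewhere else.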


#2 boopme

Posted 30 June 2011 - 02:17 PM

Hello, if you suspect TDSS it will hide itself. Run the tool in here: How to remove Google Redirects.
Post that log.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.


Update and rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.



Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Remove old and update Adobe Reader


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 30 June 2011 - 02:19 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 AshleeJ


Posted 01 July 2011 - 10:27 PM

OK, I'm experiencing several problems! The first problem is that I can not get the TDSS to open at all on my laptop whether I rename it or leave it as is. I have tried that at least 6 times. Secondly, after deleting all Java files and rebooting, and then double clicking to install the new Java app, it doesn't finish correctly. It goes through all the steps and SAYS it's installed but at the very end a pop up emerges and says Installer: Wrapper.CreateFile failed with error 5: Access is denied. I have run another security check to see if it installed or not. Here are the results:
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
Norton 360
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.0.42.34
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


I haven't done the Adobe because I ran into trouble with the first 2. Now when I pull up my internet browser (Yahoo is my homepage) it says 403: Forbidden. You don't have permission to access the page. Please help!!!!

#4 boopme


Posted 03 July 2011 - 02:39 PM

Hello, do you have 2 AVs running? Norton and AVG... Stop one, as I believe this is the conflict with everything else.

#5 AshleeJ


Posted 05 July 2011 - 01:56 PM

OK, I closed Norton down. I don't use Norton as a means of protection, the software has expired. Once I closed Norton down I proceeded to run the Java app and the same thing happened. What I did fail to mention the first time is that Java prompted me to close the internet browser, which I did not have pulled up at the moment. This time it did the same thing and I checked my running processes to find that Iexplorer.exe is running by itself @ 87,640K. Even though I clicked OK for the Java app to shut down the browser and proceed, the iexplorer continued to run. I'm not sure if that's a problem but I'm sure that it's not supposed to run by itself at that high rate. The TDSS app still will not open. I'm still stuck. Any more suggestions?? Oh! I will add that in my first post I mentioned that I had noticed the redirecting for about a week but it may have been longer than that. I had the Windows XP Repair virus, maybe a little over a month ago, which I think is completely removed. After the removal I might have been experiencing the redirecting but every web page I opened I used the Cached option and was not redirected. I'm at a loss and standstill as to what could be the problem....... but I will wait for more help. Thanks so far :)

#6 AshleeJ


Posted 06 July 2011 - 02:38 AM

I found this info and it's interesting. Upon going into my Local Disk drive I noticed that my files had been hidden.... interesting by itself. I made the files visible and went to my Documents and Settings... Desktop... and found my icons... I right clicked on the TDSS icon... Properties... and under Attributes (neither the Read-only nor the Hidden box is checked) at the very bottom there is an option labeled Security and it says This file came from another computer and may be blocked to help protect this computer, and then it has the option to Unblock. This is also the same thing under the Java installation icon. Could this be hindering the apps from running when clicked on??

#7 boopme


Posted 06 July 2011 - 09:36 PM

Please run these next to fix these issues.

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

UnHide

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.



Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
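The two conditions discussed in the two posts above, user files given the hidden attribute and a downloaded tool carrying the "This file came from another computer" mark, as an added PowerShell example that is not part of the thread and is not the UnHide tool's own code. It assumes PowerShell 3 or later (Unblock-File and the -Stream parameter do not exist in the PowerShell 2 that shipped for XP); the Desktop path and the TDSSKiller.exe filename are assumptions for illustration. It reports before it changes anything and leaves System-flagged items alone, a caveat the "remove +H from all files" description does not make.

```powershell
# Added example (not from the thread, not the UnHide tool): inspect and undo the
# +H (hidden) attribute on user files, and check whether a downloaded tool is
# still marked as coming from another computer. Assumes PowerShell 3 or later.

function Get-HiddenItems {
    param([Parameter(Mandatory=$true)] [string] $Path)
    # Hidden items are skipped by default; -Force lets the cmdlet see them.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
}

function Clear-HiddenAttribute {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [switch] $ReportOnly        # list what would change without touching anything
    )
    foreach ($item in Get-HiddenItems -Path $Path) {
        # desktop.ini, ntuser.dat and similar carry the System flag and are meant
        # to be hidden, so they are left alone.
        if (($item.Attributes -band [IO.FileAttributes]::System) -ne 0) { continue }
        if ($ReportOnly) { "Would unhide: $($item.FullName)"; continue }
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
        "Unhid: $($item.FullName)"
    }
}

function Test-DownloadBlocked {
    param([Parameter(Mandatory=$true)] [string] $File)
    # The "This file came from another computer" notice in Properties comes from
    # a Zone.Identifier alternate data stream the browser writes at download time.
    $null -ne (Get-Item -Path $File -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

# 1. Look before changing anything.
$docs = "$env:USERPROFILE\Desktop"                        # path assumed for illustration
Get-HiddenItems -Path $docs | Select-Object FullName, Attributes
Clear-HiddenAttribute -Path $docs -ReportOnly

# 2. Clear the hidden attribute once the list looks right.
# Clear-HiddenAttribute -Path $docs

# 3. Check a tool you downloaded yourself; Unblock-File removes the same mark
#    as the Unblock button, so only do it for a file you trust.
$tool = "$env:USERPROFILE\Desktop\TDSSKiller.exe"         # filename assumed for illustration
if ((Test-Path $tool) -and (Test-DownloadBlocked -File $tool)) {
    Unblock-File -Path $tool
}
```

Running step 1 first matters: the list of hidden items is itself evidence of what the infection touched, and the System check keeps the script from exposing files Windows hides on purpose. The Zone.Identifier mark only makes Windows prompt before a download runs; a tool that will not start even after it is unblocked, as in this thread, points to something else interfering.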

#8 AshleeJ


Posted 08 July 2011 - 06:01 PM

OK.... I've done the first step. After running the FixTDSS app it says ***Infected Driver: VolSnap.sys. And that's it.

#9 boopme


Posted 08 July 2011 - 07:40 PM

I want to try 1 more tool on this,
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#10 AshleeJ


Posted 08 July 2011 - 09:48 PM

I have downloaded the app for the TDSSKiller and it won't open under any circumstance, whether I rename it or leave it as is. I have Windows XP so do I have to worry about running it as an administrator?? I ran another scan using AVG and it picked up 3 spyware things.... 2 for Yontoo Layers Client and one in the Program Files for Internet Explorer. They were all moved to the Virus Vault but I'm still having the redirecting problem.

#11 boopme


Posted 09 July 2011 - 10:02 AM

It should be run as Administrator.

#12 AshleeJ


Posted 09 July 2011 - 03:58 PM

Using Windows XP, how would I log into Administrator mode without booting in safe mode??

Edited by AshleeJ, 09 July 2011 - 03:59 PM.


#13 boopme


Posted 09 July 2011 - 11:12 PM

How to Use the RUN AS Command to Start a Program as an Administrator

#14 AshleeJ


Posted 15 July 2011 - 03:10 AM

I have tried to run TDSS in administrator mode..... by using the instructions on the site provided!! But it still does not run. I renamed it 123abc.com and it still didn't run!!! I'm frustrated at this point!!!! What am I doing wrong!!! :(

#15 boopme


Posted 15 July 2011 - 03:04 PM

As TDSS won't run, there is more sinister malware in here.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.