Redirect


6 replies to this topic

#1 mnanthony

mnanthony

  • Members
  • 4 posts

Posted 05 October 2011 - 10:11 PM

I have about 16 hours into this and am going nuts. I can no longer use google; I am constantly redirected to other sites.

I followed the procedure here http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html

I ran every program and followed every instruction, except that I cannot run combofix, which gives me an unexpected engine message.
(I disabled AVG but it still seems to think it is running)

At one point AVG found a trojan, deleted it, and could not reboot - had to system restore.

I have tried a few other things - cannot resolve this. It's get some help or format C:
Unfortunately, it would probably be cheaper and easier to buy a new PC than format (one of those factory computers upgraded piece by piece, and it never came with a disk), so I am hoping someone has an idea.

BTW Spybot has about a million things in my hosts file, but I think that is a good thing.

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,658 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 05 October 2011 - 10:29 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

#3 mnanthony

mnanthony
  • Topic Starter

  • Members
  • 4 posts

Posted 05 October 2011 - 10:53 PM

Thx, I am too tired to do this tonight but I will start fresh when I can. I believe the problem is with consrv.dll, which has a trojan - but if I delete it, the computer will not boot. It seems I have found the problem, but I cannot fix it.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,658 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 05 October 2011 - 11:22 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :filefind
    consrv.dll
    winsrv.dll
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#5 mnanthony

mnanthony
  • Topic Starter

  • Members
  • 4 posts

Posted 05 October 2011 - 11:49 PM

The log is as follows, but I really really think I found the problem. My registry line reads consrv where it should read winsrv. But, I cannot change it - it won't save! If I change the filename, it will save, but if I leave the name intact (which I have to...) it does not save. Ugh... anyway, here is the log

SystemLook 30.07.11 by jpshortstuff
Log created at 00:45 on 06/10/2011 by BBY
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [16:16 17/06/2011] 316FCE1F71320844790E83B1C5CDEA99
C:\Windows\system64\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [16:16 17/06/2011] 316FCE1F71320844790E83B1C5CDEA99
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18000_none_129d322654b2a6e1\winsrv.dll --a---- 450048 bytes [02:49 21/01/2008] [02:49 21/01/2008] A9C654098A5CA39618DA9D022A6691B8
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18638_none_1284d01654c3b456\winsrv.dll --a---- 450048 bytes [16:55 05/10/2011] [15:16 20/04/2011] 2D94E4CE322F12061D3FA7DBE65E9AC5
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.22904_none_132adf496dcc953f\winsrv.dll --a---- 450048 bytes [16:55 05/10/2011] [14:59 20/04/2011] CCCFC223E76D14E622D8F2BB5E90B58D
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18005_none_1488ab3251d4722d\winsrv.dll --a---- 450560 bytes [07:20 18/09/2009] [07:11 11/04/2009] 36F234FD1AA7BAE559BB1C483FC76286
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18456_none_1453a37851fc0bd5\winsrv.dll --a---- 451072 bytes [16:55 05/10/2011] [16:03 20/04/2011] E5E5E593D4850B0AA24CF58B552147F3
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18484_none_1431332052162cfa\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [16:16 17/06/2011] 316FCE1F71320844790E83B1C5CDEA99
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.22628_none_14ffb2816aff87a1\winsrv.dll --a---- 450560 bytes [16:55 05/10/2011] [15:38 20/04/2011] 33353C4E98C0CCF7E2A817536EB58985
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.22662_none_14ce71156b255f5b\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [15:31 17/06/2011] 1963C9D71F401DA6E01741D0DBFD82CB

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Debug"=""
@="mnmsrvc"
"Kmode"="\SystemRoot\System32\win32k.sys"
"Optional"="Posix"
"Posix"="%SystemRoot%\system32\psxss.exe"
"Required"="Debug Windows"
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\CSRSS]
"CsrSrvSharedSectionBase"= 0x0000000000 (0)


-= EOF =-

#6 mnanthony

mnanthony
  • Topic Starter

  • Members
  • 4 posts

Posted 05 October 2011 - 11:51 PM

BTW, I have already deleted the consrv.dll file...if I reboot the computer, I won't have a computer. That is why it doesn't show in the log. I thought I could easily fix this once I found the incorrect registry entry in the csrss.exe loader.

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,658 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 06 October 2011 - 12:04 AM

It looks like ZeroAccess rootkit, so....

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include all required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!
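The log in post #5 and the diagnosis in post #7 hinge on one registry value: the SubSystems "Windows" string tells csrss.exe which server DLLs to load, and here the console-server entry names consrv instead of winsrv, while the filefind section shows no consrv.dll on disk. The script below is an added example, not code from this thread, from SystemLook or from BleepingComputer; it reviews a SystemLook log the way a responder would, flagging any ServerDll module outside the stock set, any referenced module with no file on disk (the reason the machine will not boot once the DLL is deleted but the value is left alone), and any copy of a server DLL outside System32 or WinSxS. The allow-list of basesrv/winsrv (correct for Vista and Windows 7, where this thread sits), the "legitimate directory" rule and the sample log are assumptions; the sample is a constructed copy of the relevant lines from the log above.

```python
# Added example (not code from the thread, SystemLook or BleepingComputer):
# review a SystemLook log for the CSRSS ServerDll hijack shown above and
# cross-check each referenced module against the filefind results.
import re

# Assumption: on Vista / Windows 7 csrss.exe should only load basesrv (index 1)
# and winsrv (indexes 2 and 3); later Windows versions add other modules.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}
# Assumption: genuine copies of the server DLLs live in System32 or WinSxS.
LEGIT_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|winsxs)\\", re.IGNORECASE)
SERVERDLL_RE = re.compile(r"ServerDll=(?P<module>[^:,\s]+)(?::(?P<entry>[^,\s]+))?,(?P<index>\d+)")
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# SystemLook hit line: <path> <attributes> <size> bytes [mtime] [ctime] <MD5>
HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+[-\w]{7}\s+\d+ bytes .*?[0-9A-Fa-f]{32}$")

# Constructed sample: the relevant lines copied from the SystemLook log in this thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [16:16 17/06/2011] 316FCE1F71320844790E83B1C5CDEA99
C:\Windows\system64\winsrv.dll --a---- 451072 bytes [16:56 05/10/2011] [16:16 17/06/2011] 316FCE1F71320844790E83B1C5CDEA99

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
"""


def parse_windows_value(log_text):
    """Pull the SubSystems 'Windows' value out of the log's reg section."""
    m = re.search(r'^"Windows"="(?P<value>.*)"$', log_text, re.MULTILINE)
    return m.group("value") if m else None


def parse_server_dlls(windows_value):
    """Return [(module, entry_point, index)] for every ServerDll= token."""
    return [(m.group("module").lower(), m.group("entry"), int(m.group("index")))
            for m in SERVERDLL_RE.finditer(windows_value)]


def parse_filefind(log_text):
    """Map each searched file name (lower-cased) to the paths SystemLook found."""
    results, current = {}, None
    for line in log_text.splitlines():
        if s := SEARCH_RE.match(line):
            current = s.group("name").lower()
            results[current] = []
        elif current is not None and (h := HIT_RE.match(line)):
            results[current].append(h.group("path"))
    return results


def review(log_text, expected=EXPECTED_SERVER_DLLS):
    """Return a list of findings; an empty list means nothing stood out."""
    value = parse_windows_value(log_text)
    if value is None:
        return ["SubSystems 'Windows' value not present in log"]
    found, findings = parse_filefind(log_text), []
    entries = parse_server_dlls(value)
    for module, entry, index in entries:
        if module not in expected:
            findings.append(f"unexpected ServerDll module '{module}' ({entry}, index {index})")
    for module in sorted({m for m, _, _ in entries}):
        hits = found.get(module + ".dll")
        if hits is not None and not hits:
            findings.append(f"'{module}.dll' is referenced by ServerDll but no copy exists: "
                            "csrss.exe will fail at the next boot unless the value is repaired first")
        for path in hits or []:
            if not LEGIT_DIR_RE.match(path):
                findings.append(f"copy of '{module}.dll' outside System32/WinSxS: {path}")
    return findings


def repair_windows_value(windows_value):
    """Put the console-server entry back to its stock Vista/7 form; this is the
    thread's own diagnosis (the entry should name winsrv, not consrv)."""
    return windows_value.replace("ServerDll=consrv:ConServerDllInitialization,2",
                                 "ServerDll=winsrv:ConServerDllInitialization,2")


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print("-", finding)
    print("repaired:", repair_windows_value(parse_windows_value(SAMPLE_LOG)))
```

Run against the sample it reports three things: consrv is not a stock server DLL, consrv.dll is referenced but absent (so the next reboot fails, exactly what the poster feared), and a copy of winsrv.dll sits in a directory that is not System32 or WinSxS. `repair_windows_value` only rewrites the string; with an active rootkit protecting the key, as this thread shows, the value cannot be saved from within the running system, which is why the thread is handed to the malware removal team.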
