Websites Randomly redirecting


This topic is locked
50 replies to this topic

#1 Steven Lamb


Posted 24 December 2011 - 06:05 PM

I am running Vista Business with Kaspersky 12.0.0.374 as my anti-virus, on a Toshiba laptop that is a few years old.

Kaspersky started complaining about Heur:Trojan.Win32.Generic in c:\windows\system32\drivers\tdx.sys, which it was unable to disinfect. At some point after this I noted that web pages would randomly go to places I did not direct them to ("some sort of proxy or redirect"). I attempted to run MalwareBytes and it didn't seem to detect anything.

Before reading the instructions for this forum I ran a copy of ComboFix; hopefully that will not screw up the process.

Attached are both DDS logs and the GMER log.

Thank you in advance for any help you can give.

Steven Lamb

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal

#2 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 24 December 2011 - 09:52 PM

Welcome!

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Steven Lamb


Posted 28 December 2011 - 09:02 PM

Thank you for your response.

alfaFF, an UnsignedFile.Multi.Generic, was the only thing found. I skipped it as instructed.

Nothing else was found.

Log attached.

Sorry for the slow reply; somehow I didn't see an email. I will watch more diligently.

Attached Files



#4 JSntgRvr


Posted 29 December 2011 - 12:50 AM

The file detected by Kaspersky is legit. Are you still experiencing the redirects?



#5 Steven Lamb


Posted 29 December 2011 - 02:22 PM

The redirects are very infrequent. I am seeing the following file still listed as an unprocessed item by my installed anti-virus.

I will run a scan with my anti-virus tonight and see if it still detects this file.

c:\windows\system32\drivers\tdx.sys

#6 Steven Lamb


Posted 29 December 2011 - 08:26 PM

Well, I have to admit I am confused. I ran another scan with Kaspersky. It came up with nothing. All I can figure is that maybe ComboFix removed something.


I would like to request leaving this open for a few days in case it pops up again.

I would like to thank you in advance for the help either way. I will update this probably on Monday to request closure.

#7 JSntgRvr


Posted 30 December 2011 - 01:53 AM

Open an Administrator Command prompt (Click on Start, type CMD, right click on the CMD.exe on top of the start menu and select "Run as an administrator"). At the prompt copy and paste the following command and press Enter:

bcdedit /enum all /v >%userprofile%\desktop\bcd.txt

Type Exit and press Enter to return to Windows. On your desktop should be a new file, bcd.txt. Please post the contents of that file in your next reply.

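As an added example (not part of this thread, and not code from any of the tools mentioned), the following Python script parses the plain-text output of `bcdedit /enum all /v`, like the bcd.txt requested above, and flags what a responder reviewing such a dump for a suspected bootkit looks at first: a loader entry whose path is not the stock winload.exe, and the nointegritychecks / testsigning options that relax driver-signature enforcement. The embedded dump is constructed, not the poster's file; SAMPLE_BCD, parse_bcd and review_bcd are names chosen here.

```python
import re

# Constructed sample of `bcdedit /enum all /v` output (not the bcd.txt from the
# thread): a Boot Manager entry plus a loader entry with signing checks relaxed.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=C:
default                 {d6d3c1a6-2e2b-11e1-8cde-806e6f6e6963}

Windows Boot Loader
-------------------
identifier              {d6d3c1a6-2e2b-11e1-8cde-806e6f6e6963}
device                  partition=C:
path                    \Windows\system32\winload.exe
osdevice                partition=C:
nointegritychecks       Yes
testsigning             Yes
"""

def parse_bcd(text):
    # Entries are blank-line separated: a type name, a dashed underline, then
    # "key<spaces>value" lines. Returns one dict per entry.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or set(lines[1]) != {"-"}:
            continue  # not an entry block
        entry = {"type": lines[0]}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

STOCK_LOADER = r"\windows\system32\winload.exe"
WEAKENING_FLAGS = ("nointegritychecks", "testsigning")  # relax driver signing
def review_bcd(entries):
    # Return (identifier, finding) pairs a responder would want to inspect first.
    findings = []
    for e in entries:
        ident = e.get("identifier", "?")
        if e["type"] == "Windows Boot Loader" and e.get("path", "").lower() != STOCK_LOADER:
            findings.append((ident, "unexpected loader path: " + e.get("path", "")))
        for flag in WEAKENING_FLAGS:
            if e.get(flag, "No").lower() == "yes":
                findings.append((ident, flag + " is enabled"))
    return findings
```

To review a real dump, read the bcd.txt file into a string and pass it through parse_bcd and then review_bcd; an empty result means neither check fired.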


#8 Steven Lamb


Posted 31 December 2011 - 02:19 PM

Here is the file requested.


I now have new symptoms.

While browsing, I get a popup stating that c:\windows\explorer.exe requires escalation. Needless to say this was a red flag for me. I loaded safe mode, updated Malwarebytes, and it found two infected files, which I deleted. I have also attached the log.

Now my keyboard and mouse have stopped working. This is an early tablet PC, so my pen/touch interface still works; attaching a USB keyboard also seems to work, but the integrated touchpad and keyboard have stopped working. (This was after the Malwarebytes run and reboot back into normal mode.)

Sorry for running these extra things without being directed. I have to admit that I thought you had decided it was fixed (as did I). I will wait for further direction before proceeding.


#9 JSntgRvr


Posted 31 December 2011 - 03:23 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using ComboFix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat: http://www.appremover.com/supported-applications. Do not use AppRemover on Norton.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#10 Steven Lamb


Posted 31 December 2011 - 04:58 PM

Here is combofix.log.

Please note that although I disabled and closed Kaspersky, ComboFix still believed it was running.

It said I had the ZeroAccess rootkit, as well as a rootkit that infected the TCP/IP stack. It actually popped up twice for each of these messages. It rebooted, removed some files and then returned to Windows, creating the log posted.

My Kaspersky did not load when ComboFix rebooted. I will be shutting the computer down until I get a reply.


#11 JSntgRvr


Posted 31 December 2011 - 08:22 PM

I believe your Vista is 32 bit.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



#12 Steven Lamb


Posted 31 December 2011 - 08:58 PM

Yes, I believe I have Vista Business 32-bit.

I don't have a Repair your computer option under my F8 menu.

I have:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable low-resolution video
Last Known Good Configuration
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement

Start Windows Normally

#13 JSntgRvr


Posted 01 January 2012 - 12:37 AM

That's OK. Let's perform an online scan.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to the ESET online scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.



#14 Steven Lamb


Posted 01 January 2012 - 11:47 AM

I think you lost me somewhere.


Did you want me to complete the first scan, or do you want me to skip that now?

#15 Steven Lamb


Posted 01 January 2012 - 01:10 PM

I ran Farbar from the directory recovery mode; here is the file.

I also ran the ESET scan, and here is what it found.
