
Need Help removing a redirect virus, when malwarebytes didnt work.


7 replies to this topic

#1 Evilcon

  • Members
  • 9 posts

Posted 18 February 2012 - 03:13 AM

Ok, so I've tried running many different types of anti-spyware programs, to no avail. Malwarebytes, Ad-Aware, and Spybot Search & Destroy have all come up empty. They don't pick up any type of infection, yet I still have a Google redirect virus. Any tips or suggestions?

Edited by hamluis, 18 February 2012 - 07:40 AM.
Moved from Win 7 to Am I Infected.



#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 February 2012 - 07:46 AM

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Restart your PC

Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

#3 Evilcon

  • Topic Starter
  • Members
  • 9 posts

Posted 18 February 2012 - 05:46 PM

I'm running a 64-bit OS, so I can't use GMER. What should I do? Also, I've got an anti-virus installed and up to date. And for some reason TDSSKiller isn't running.

Edited by Evilcon, 18 February 2012 - 05:50 PM.


#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 February 2012 - 06:44 PM

See if you can run aswMBR in safe mode.

#5 Evilcon

  • Topic Starter
  • Members
  • 9 posts

Posted 19 February 2012 - 03:50 AM

Ok, so after I run it, do I want to click Fix MBR? It gave me a warning and I was kind of worried about clicking Confirm because I didn't want to mess up anything.

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 09:00 AM

Do not click on Fix MBR. Please save the log and post the contents here.

#7 Evilcon

  • Topic Starter
  • Members
  • 9 posts

Posted 19 February 2012 - 06:24 PM

Here's the log. I couldn't find out how to attach it, so I just copied and pasted the contents.

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 15:20:32
-----------------------------
15:20:32.308 OS Version: Windows x64 6.1.7601 Service Pack 1
15:20:32.308 Number of processors: 2 586 0x170A
15:20:32.308 ComputerName: HYTONRONG-PC UserName: Hyton Rong
15:20:36.208 Initialize success
15:20:43.528 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:20:43.528 Disk 0 Vendor: ST9500325AS 0003HPM1 Size: 476940MB BusType: 11
15:20:43.544 Disk 1 \Device\Harddisk1\SR0 -> \Device\SdBus-0
15:20:43.544 Disk 1 Vendor: ( Size: 7580MB BusType: 12
15:20:43.575 Disk 0 MBR read successfully
15:20:43.575 Disk 0 MBR scan
15:20:43.575 Disk 0 Windows 7 default MBR code
15:20:43.590 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
15:20:43.590 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 463958 MB offset 206848
15:20:43.637 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12878 MB offset 950392832
15:20:43.653 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 3 MB offset 976766976
15:20:43.653 Disk 0 Partition 4 **SUSPICIOUS**
15:20:43.668 Service scanning
15:21:12.653 Modules scanning
15:21:12.653 Disk 0 trace - called modules:
15:21:12.981 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004c9c334]<<hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:21:12.981 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c7d060]
15:21:12.981 3 CLASSPNP.SYS[fffff8800148c43f] -> nt!IofCallDriver -> [0xfffffa8004c7c950]
15:21:12.981 \Driver\hpdskflt[0xfffffa8004bd3c50] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004c9c334
15:21:12.981 5 hpdskflt.sys[fffff880019b7189] -> nt!IofCallDriver -> [0xfffffa8004b02510]
15:21:12.981 7 ACPI.sys[fffff88000ec37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004add060]
15:21:12.981 Scan finished successfully
15:22:57.875 Disk 0 MBR has been saved successfully to "C:\Users\Hyton Rong\Desktop\MBR.dat"
15:22:57.891 The log file has been saved successfully to "C:\Users\Hyton Rong\Desktop\aswMBR.txt"

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 06:35 PM

15:20:43.653 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 3 MB offset 976766976
15:20:43.653 Disk 0 Partition 4 **SUSPICIOUS**


That's a TDL4 rootkit. We need advanced tools to remove it.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here with LOGS

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

Edited by narenxp, 19 February 2012 - 06:36 PM.
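The two log lines narenxp quotes are the whole diagnosis: a 3 MB partition of type 0x17 (hidden HPFS/NTFS) carrying the active flag (0x80), starting at sector 976766976 and ending exactly at the last sector of the 476940 MB disk, while the real System Reserved partition has its boot flag cleared. That is the footprint TDL4 leaves when it stores its loader in a hidden partition at the end of the disk and points the active flag at it, and it is why aswMBR tags the entry SUSPICIOUS. The Python below is an added example, not code from the thread or from aswMBR: it rebuilds a 512-byte MBR from the partition geometry in the posted log (boot code and CHS fields are zeroed, since the log does not show them, so this is a constructed sample) and applies the same kind of heuristics to the four partition-table entries. The set of "hidden" type IDs and the size thresholds are my assumptions, not aswMBR's.

```python
"""Parse an MBR partition table and flag TDL4-style hidden boot partitions.

Added example for this thread, not aswMBR's or the thread's own code.
SAMPLE_MBR is CONSTRUCTED from the geometry printed in the posted aswMBR
log (disk size, partition offsets, sizes, type IDs and boot flags); the
boot code and CHS fields are zeroed because the log does not show them.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = 0xAA55
TABLE_OFFSET = 0x1BE          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count

# Partition type IDs treated as "hidden" filesystems (assumption: the common
# hidden FAT/NTFS IDs; 0x17 is hidden HPFS/NTFS, the one in the posted log).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


@dataclass
class Partition:
    index: int        # 1-based, as aswMBR numbers them
    boot: int         # 0x80 = active, 0x00 = inactive
    ptype: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:   # exclusive end sector
        return self.start_lba + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def build_mbr(entries):
    """Build a 512-byte MBR from (boot, type, start_lba, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


def parse_mbr(mbr: bytes):
    """Return the non-empty Partition entries of a raw 512-byte MBR."""
    if len(mbr) < SECTOR or struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:   # unused slot
            continue
        parts.append(Partition(i + 1, boot, ptype, start, count))
    return parts


def flag_suspicious(parts, disk_sectors, small_mb=16, tail_mb=64):
    """Score each entry against TDL4-style traits; return {index: [reasons]}
    for entries that show at least two of them (thresholds are assumptions)."""
    tail_sectors = tail_mb * 1024 * 1024 // SECTOR
    findings = {}
    for p in parts:
        reasons = []
        if p.boot not in (0x00, 0x80):
            reasons.append("invalid boot indicator 0x%02X" % p.boot)
        if p.ptype in HIDDEN_TYPES:
            reasons.append("hidden filesystem type 0x%02X" % p.ptype)
            if p.boot == 0x80:
                reasons.append("active (boot) flag set on a hidden partition")
        if p.size_mb <= small_mb:
            reasons.append("tiny partition (%d MB)" % p.size_mb)
        if disk_sectors - p.end_lba <= tail_sectors:
            reasons.append("ends within %d MB of the end of the disk" % tail_mb)
        if len(reasons) >= 2:
            findings[p.index] = reasons
    return findings


def read_mbr_from_device(path):
    # First sector of a raw device, e.g. r"\\.\PhysicalDrive0" (needs admin) or "/dev/sda".
    with open(path, "rb") as f:
        return f.read(SECTOR)


# Constructed from the posted log: a 476940 MB disk (976773120 sectors), four entries.
DISK_SECTORS = 476940 * 2048
SAMPLE_MBR = build_mbr([
    (0x00, 0x07, 2048, 100 * 2048),           # System Reserved, 100 MB, boot flag cleared
    (0x00, 0x07, 206848, 463958 * 2048),      # Windows, 463958 MB
    (0x00, 0x07, 950392832, 12878 * 2048),    # OEM recovery, 12878 MB
    (0x80, 0x17, 976766976, 3 * 2048),        # hidden NTFS, 3 MB, ACTIVE: the TDL4 partition
])

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    for p in table:
        print("Partition %d boot=%02X type=%02X start=%d size=%d MB"
              % (p.index, p.boot, p.ptype, p.start_lba, p.size_mb))
    for idx, why in flag_suspicious(table, DISK_SECTORS).items():
        print("Partition %d **SUSPICIOUS**: %s" % (idx, "; ".join(why)))
```

Run against the constructed sample, only partition 4 is reported, on all four counts. Partition 3 also ends near the tail of the disk (the hidden partition sits right after it), which is why a single trait is not enough to flag an entry; OEM recovery partitions routinely live at the end of the disk. On a live machine, pass the bytes from `read_mbr_from_device` and the disk's sector count to the same two functions; the script does not write anything, so it is safe to run before deciding, as narenxp advises, whether to let a tool rewrite the MBR.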




