BullGuard Antivirus Forum - Virus Removal - Removal Help

Redirect virus infection
vashtache
New Member
Date Joined Sep 2008
Total Posts : 3
Posted 9-30-2008 8:55 (GMT +1)
Hi,

I've read what I can on getting rid of the Google redirect virus, but haven't been able to do so myself.

I installed Kaspersky Anti-Virus this morning after my McAfee detected, but ignored, a trojan. I have uninstalled McAfee.

I managed to get HostsXpert, but it didn't work. I also have CCleaner, though it didn't appear to help either. Anything by Google gets redirected. I got Opera and it works until I use Google or don't have the webpage address in hand for the speed dial function.

I cannot restart in Safe Mode with Networking: every time I try, the screen stops loading and gives me a quick flash of the blue error screen, which I can't read, and proceeds to reboot again under the normal mode unless I tap F8 again. I get the same result each time.

I did full scans with Kaspersky but it hasn't identified anything more than the 800+ suspicious programs and 64 trojans that were in my PC. I believe it's blocked, disinfected or deleted what it can. There appear to be some that it only detected but I can't manually deal with them: the quarantine function isn't working. The scans have ranged between 1.5 hrs and 5 hrs each... which I found strange because they all had the same parameters. Also, I can't update when it tells me to. I figure that's b/c of the redirect virus. Now and then a request to accept a Kaspersky root certificate pops up, but I don't know if I can trust it so I don't install it.

Okay. I finally got a hold of a website the virus didn't recognise from one of the other posts (thank you, Touch!). It's the Cnet download.com one. I ran Malwarebytes twice: the first time, the reboot went wonky (blue error screen before blacking out) and after restarting it, I tried to get the log. The notepad kept coming up with errors and wouldn't display the file. Also, Kaspersky finally started updating, though very slowly.

The 1st log:

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

9/30/2008 9:53:53 PM
mbam-log-2008-09-30 (21-53-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 100455
Time elapsed: 21 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.

-----------------------

After running Malwarebytes a 2nd time:

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

9/30/2008 10:43:34 PM
mbam-log-2008-09-30 (22-43-34).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 100705
Time elapsed: 39 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP573\A0107683.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
--------------------------

The 2nd reboot froze on the shutting down screen for several minutes. I manually shut it down. When it started again, Kaspersky had to be updated again, though it installed components beforehand. It's not connecting again. The trojans were quarantined in Malwarebytes and I then deleted them, but something is still around.

I'm going to try and run the HijackThis program to see if it can help, after the Malwarebytes again b/c the notepad had errors again...

Any help is much appreciated! Cheers.

Post Edited (vashtache) : 01-10-2008 00:11:42 GMT

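As an added illustration for readers triaging logs like the two posted above (this is example code written for this copy of the thread, not code from the poster, from Malwarebytes or from BullGuard): a small Python script that parses the per-item "Infected:" sections of a Malwarebytes' Anti-Malware log and sorts the findings into the buckets a responder should re-check. The embedded sample log is a constructed, condensed copy of the first log in this thread; the function names, the MASQUERADE_NAMES set and the LEGIT_DIRS default are my assumptions, not anything Malwarebytes defines.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of the first Malwarebytes' Anti-Malware 1.28
# log posted in this thread (only the per-item "Infected:" sections are kept).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# Entry shape in the log: "<target> (<detection>) -> [Data: <data> -> ]<action>."
ENTRY_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> )?(?P<action>[^>]+?)\.?$"
)

# Assumption: names malware commonly borrows from Windows. On XP the genuine
# copies live directly in system32, so the same name elsewhere is suspicious.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32"}  # assumption: default XP install path


@dataclass
class Finding:
    section: str
    target: str
    detection: str
    action: str
    data: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Extract one Finding per item line under the 'Infected:' sections."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["target"], m["detection"],
                                    m["action"], m["data"]))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Sort findings into the buckets worth re-checking after the reboot."""
    report: Dict[str, List[str]] = {
        "pending_reboot": [],  # not removed yet: confirm it is gone after restart
        "failed": [],          # the tool could not act (e.g. a running process)
        "masquerading": [],    # a system binary name in the wrong directory
        "logon_hijack": [],    # Winlogon\Userinit data that had been tampered with
    }
    for f in findings:
        action = f.action.lower()
        if action.startswith("delete on reboot"):
            report["pending_reboot"].append(f.target)
        elif action.startswith("failed"):
            report["failed"].append(f.target)
        if f.section in ("Memory Processes", "Files"):
            name = ntpath.basename(f.target).lower()
            parent = ntpath.dirname(f.target).lower()
            if name in MASQUERADE_NAMES and parent not in LEGIT_DIRS:
                report["masquerading"].append(f.target)
        if f.target.lower().endswith(r"\winlogon\userinit") and f.data is not None:
            report["logon_hijack"].append(f.data)
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{bucket}: {items}")
```

Run it as a plain script to see the four buckets for the sample. The "pending_reboot" bucket is the one that matters most in a thread like this: the same two directories reappear as "Delete on reboot" in the second scan above, which is exactly the case where a responder should confirm the item after restart rather than trust the first log.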
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 10-1-2008 5:59 (GMT +1)
Hello

See if you can download and run ComboFix.
Please download ComboFix:

And save it to the desktop.

Close all other browser windows.

Important: temporarily disable your anti-virus real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start->Run, copy/paste: ComboFix /snapshot and hit OK. It should run ComboFix.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

vashtache
New Member
Date Joined Sep 2008
Total Posts : 3
Posted 10-1-2008 11:51 (GMT +1)

Thank you SO MUCH for your quick reply.

Here it is:

ComboFix 08-09-30.03 - Vashea 2008-10-01 11:40:13.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638 [GMT 1:00]
Running from: C:\Documents and Settings\Vashea\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\TDSSserf1.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_TDSSserv
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-10-01 11:43 . 2008-10-01 11:43 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-01 11:43 . 2008-10-01 11:43 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-01 11:43 . 2008-10-01 11:43 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-01 11:43 . 2008-10-01 11:43 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-01 02:39 . 2008-10-01 02:39 61,440 --a------ C:\WINDOWS\system32\drivers\ksgjwbf.sys
2008-09-30 23:24 . 2008-09-30 23:24 <DIR> d-------- C:\Program Files\Opera
2008-09-30 21:31 . 2008-09-30 21:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 21:31 . 2008-09-30 21:31 <DIR> d-------- C:\Documents and Settings\Vashea\Application Data\Malwarebytes
2008-09-30 21:31 . 2008-09-30 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-30 21:31 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-30 21:31 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 17:57 . 2008-09-30 17:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-30 12:03 . 2008-09-30 12:03 <DIR> d-------- C:\Program Files\CCleaner
2008-09-30 00:52 . 2008-10-01 11:33 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-30 00:52 . 2008-09-30 00:52 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-30 00:49 . 2008-09-30 00:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-09-30 00:49 . 2008-09-30 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-30 00:47 . 2008-09-30 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 21:43 332 ----a-w C:\Program Files\fupeb.txt
2008-09-30 19:05 90,112 ----a-w C:\WINDOWS\DUMP14b0.tmp
2008-09-30 19:03 90,112 ----a-w C:\WINDOWS\DUMP14c0.tmp
2008-09-30 18:53 90,112 ----a-w C:\WINDOWS\DUMP1443.tmp
2008-09-30 17:42 90,112 ----a-w C:\WINDOWS\DUMP1414.tmp
2008-09-30 17:37 90,112 ----a-w C:\WINDOWS\DUMP13e5.tmp
2008-09-30 15:36 90,112 ----a-w C:\WINDOWS\DUMP1424.tmp
2008-07-29 19:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 13:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-07 15:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 15:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2005-03-04 32768]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2005-03-23 245760]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 C:\WINDOWS\AGRSMMSG.exe]
"SiSPower"="SiSPower.dll" [2005-02-25 C:\WINDOWS\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-02-24 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-07 331776]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-10-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 8704]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 69632]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 32768]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - C:\Program Files\Ares\Ares.exe
HKLM-Run-PCMService - C:\Program Files\Arcade\PCMService.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Vashea\Application Data\Mozilla\Firefox\Profiles\mc5g9qjq.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 11:44:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRAM FILES\CREATIVE\SHARED FILES\CTDEVSRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\PROGRAM FILES\ACER\ERECOVERY\MONITOR.EXE
.
**************************************************************************
.
Completion time: 2008-10-01 11:45:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 10:45:56

Pre-Run: 3,506,438,144 bytes free
Post-Run: 3,537,731,584 bytes free

152 --- E O F --- 2008-09-25 04:46:50


Seems alright? Many thanks!

vashtache
New Member
Date Joined Sep 2008
Total Posts : 3
Posted 10-1-2008 11:57 (GMT +1)
Kaspersky also picked up a virus Rootkit.Win32.Clbd.kr and deleted C:\Windows\system32\tdssadw.dll
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 10-1-2008 1:02 (GMT +1)
It looks clean ;-)

How are things running now?

vashtache
New Member
Date Joined Sep 2008
Total Posts : 3
Posted 10-1-2008 1:22 (GMT +1)
Opera's a bit slow, but all is well!

You ROCK. Thank you for your time and expertise!

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 10-1-2008 5:19 (GMT +1)
I was glad to help.

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will uninstall ComboFix and delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.

Also, please read this article by Tony Klein: How I got Infected in the First Place

Since this issue appears resolved, this topic is closed.
If you would like it to be reopened please contact me.

Thank you!