Help Request: Google Redirect, can't run latest TDSS Killer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ansimag, Aug 28, 2011.

  1. ansimag

    ansimag Private E-2

    Hi. I’ve been a lurker in the past and have been pointed in the direction of useful tools by this forum. So, let me start off by thanking you for your previous help.

    Unfortunately, I’ve got some sort of malware/virus on my 6 year old Windows XP computer that has me stumped. I would appreciate any assistance you could provide.

    Here are my symptoms and the actions I’ve taken to date:

    About a week ago, I got what I think was the Windows Recovery Virus. I followed the removal procedure from bleepingcomputer and that successfully helped unhide all of my files and I no longer get the fake virus removal pop-up. However, I now get redirected from Google links to unwanted websites.

    I have accomplished the browser redirect steps suggested in this forum. But, the latest version of TDSS Killer will not run from my desktop. I’ve tried renaming it with several different random combinations with no success. Interestingly, I have an older version of TDSS Killer on my PC that does run, but it does not find anything to “cure”.

    I have gone through the READ & RUN ME instructions. I tried to go through the detailed instructions thoroughly. The only error I made was first running ComboFix with my McAfee AV and FW on. That caused some errors. I re-ran it with McAfee off and did not have the errors.

    My logs are attached. Note that the TDSS log is from an outdated version (2.4.10.1), the latest version wouldn't run.

    Thanks in advance for taking the time to help me through this.
     

  2. ansimag

    ansimag Private E-2

    Here are the last few logs. Note that the first scan of ComboFix was with McAfee on, the second scan was with McAfee off.

    Thanks again.
     

  3. thisisu

    thisisu Malware Consultant

    YOU HAVE AN INFECTED MASTER BOOT RECORD (MBR)!

    _________________________________________________________________
    WARNING

    MBR infections are only worsening and sometimes (rarely) make the computer unbootable after attempting to correct it. We recommend that you back up your data before hand. Then continue with the below if you wish to attempt to remove this infection:
    _________________________________________________________________

    Do you have your Windows XP CD? We need it to restore a clean MBR.
    If you do not have your Windows XP CD, you can create one with the Recovery Console (which is really all we need), here: Download Windows XP Recovery Console

    Then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    If you can get to the command prompt of the Recovery Console, type fixmbr and hit enter. After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

    If you were able to run fixmbr, rerun MBRCheck and attach a new log. Also tell me how things are working.
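    The advice above rests on the MBR being a fixed 512-byte structure that can be checked offline: 440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA signature. The following is an added example, not code from the thread and not the MBRCheck tool: it parses a raw sector, hashes the boot code, and compares it against a set of known-good hashes (which in practice must come from a trusted copy of the same Windows version; the hash set, the sample boot code and the disk signature below are constructed for the demonstration). It also applies the structural sanity checks a reviewer would want before and after running fixmbr.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the boot code a bootkit would patch
DISK_SIG_OFF = 440       # 4-byte NT disk signature (followed by 2 reserved bytes)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid MBR


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": sha256_hex(sector[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def check_mbr(sector: bytes, known_good_boot_code: set) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] not in known_good_boot_code:
        findings.append("boot code hash not in known-good set: " + mbr["boot_code_sha256"])
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active (expected at most 1)")
    used = []
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and p["sectors"] != 0:
            findings.append(f"entry {i}: empty type but non-zero size")
        if p["sectors"]:
            used.append((p["lba_start"], p["lba_start"] + p["sectors"], i))
    used.sort()
    for (s0, e0, i0), (s1, _e1, i1) in zip(used, used[1:]):
        if s1 < e0:
            findings.append(f"entries {i0} and {i1} overlap on disk")
    return findings


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from constructed parts (demonstration input only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0xDEADBEEF)  # constructed
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0",
                                           ptype, b"\0\0\0", lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-in for a clean boot sector: a few plausible opening bytes, then NOPs.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {sha256_hex(CLEAN_BOOT_CODE)}          # would come from a trusted image
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 200000)])
# Same partition table, but the first two boot-code bytes altered: this is what the
# hash comparison is meant to catch, and what fixmbr overwrites with clean code.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x50" + CLEAN_BOOT_CODE[2:], [(0x80, 0x07, 63, 200000)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, KNOWN_GOOD))
    print("tampered:", check_mbr(TAMPERED_MBR, KNOWN_GOOD))
```

    On a real machine the sector would be read from the physical drive by a tool with raw disk access (MBRCheck does this for you); the point of the hash comparison is that an infected MBR usually keeps a valid partition table and 0x55AA signature, so structural checks alone pass and only the boot-code comparison shows the change.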
     
  4. ansimag

    ansimag Private E-2

    I was able to start the Windows Recovery Console and commanded "fixmbr" as instructed. I ran MBRCheck and attached the log. Also, I can now run the latest TDSS Killer version, log attached.

    I haven't had a Google link redirected in the dozen or so attempts since accomplishing your steps (yay!!).

    Do you have any further cleanup suggestions?

    Thank you for your time and expertise, it is really appreciated.
     

  5. thisisu

    thisisu Malware Consultant

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    C:\foo.txt
    FileLook::
    C:\WINDOWS\system32\serwvdrv.dll
    DirLook::
    C:\bbdd6ff4a1a532a3a8e5d87e
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,2f,46,fd,3e,3f,09,44,b8,62,0b,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,2f,46,fd,3e,3f,09,44,b8,62,0b,\
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
    Also let me know if you are experiencing any problems with hidden/missing desktop icons/start menu/program files/quick launch, etc.
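    The CFScript pasted above is a small line-oriented format: a line of the form `Name::` opens a directive, the lines under it are that directive's entries, and long registry values are continued on an indented line with a trailing backslash, as in .reg exports. The following is an added example and not ComboFix's own parser: it groups a script into directives and summarises what would be deleted versus only inspected, so a helper can review a script before handing it to someone to run. The directive meanings (File:: removes, FileLook::/DirLook:: only report, RegLock:: targets keys whose permissions were denied, the @Denied lines) are taken as assumptions from the thread's usage; the sample script below reuses the thread's paths with a constructed, shortened registry value.

```python
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

# Directive semantics assumed from the thread; adjust if your script uses other directives.
DELETING = {"File"}
INSPECTING = {"FileLook", "DirLook"}
REGISTRY = {"RegLock"}

# Constructed sample: the thread's own paths, with a shortened, made-up registry value.
SAMPLE_CFSCRIPT = r"""
KillAll::
File::
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
C:\foo.txt
FileLook::
C:\WINDOWS\system32\serwvdrv.dll
DirLook::
C:\bbdd6ff4a1a532a3a8e5d87e
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"ExampleValue"=hex:01,00,00,00,\
   d0,8c,9d,df
"""


def parse_cfscript(text: str) -> dict:
    """Group a CFScript into {directive: [entries]} in the order the directives appear."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and current is not None and sections[current]:
            # Indented line: continuation of the previous entry; drop the trailing backslash.
            previous = sections[current][-1].rstrip("\\")
            sections[current][-1] = previous + raw.strip()
            continue
        match = SECTION_RE.match(raw.strip())
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {raw!r}")
        sections[current].append(raw.strip())
    return sections


def summarize(sections: dict) -> dict:
    """List what the script deletes, inspects or unlocks, and warn on risky deletions."""
    summary = {"delete": [], "inspect": [], "registry": [], "warnings": []}
    for directive, entries in sections.items():
        if directive in DELETING:
            summary["delete"].extend(entries)
        elif directive in INSPECTING:
            summary["inspect"].extend(entries)
        elif directive in REGISTRY:
            summary["registry"].extend(entries)
    for path in summary["delete"]:
        if path.lower().startswith(r"c:\windows"):
            summary["warnings"].append(
                f"{path}: deletion under the Windows directory; confirm it is not a legitimate component")
        if not re.match(r"^[A-Za-z]:\\", path):
            summary["warnings"].append(f"{path}: not an absolute drive path")
    return summary


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed.items():
        print(f"{directive}:: {len(entries)} entries")
    print(summarize(parsed))
```

    The review step is the useful part: a File:: entry under C:\WINDOWS, or a relative path, is exactly the kind of line that should be double-checked against the logs before the script is run, since ComboFix will not ask again.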
     
  6. ansimag

    ansimag Private E-2

    Accomplished all instructions. Logs Attached.

    My PC is running good. A little slow, but that is not uncommon. No Google redirects recently. No issues with hidden files, start menu or icons after running ComboFix.

    Thank you for your help. Please let me know what else I can do on my end.
     

  7. thisisu

    thisisu Malware Consultant

    Do you know what this file is? bullet.com.exe. It's on your desktop.
    If not, I would delete this. The rest of your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  8. ansimag

    ansimag Private E-2

    "bullet.com.exe" is the renamed outdated version of TDSS Killer I had. I will delete it.

    Thank you very much for your help!!!
     
  9. thisisu

    thisisu Malware Consultant

    You're welcome. :)
     
