All AV's scans stop unexpectedly & Google redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dean010, Jul 22, 2011.

  1. Dean010

    Dean010 Private E-2

    Before I get into the problems I am having, I am new to this website and am relying on it as my last hope to fix the problem I am facing. If I post anything I shouldn't post please correct me. I have had good experience with viruses and malware and am used to cleaning them but this one had me worked up for days!

    OS: Windows Vista Home Basic, Service pack 2.

    Here is how it started and the problems I am facing, hope you can help. Thanks in advance.
    Computer has been running normally for a long time and then all of a sudden after a friend used the laptop I started facing a few problems. The first time I noticed something was wrong is when Windows Firewall kept popping up after every exe program was opened. It kept asking me to Block or Unblock the program. I ignored this issue as I thought it was just the firewall playing up. I then noticed that my AVG has stopped working and wouldn't let me update. I thought I'd remove AVG and install it again. Once I tried to do this a virus (serious rootkit I believe) was stopping me from installing it. I immediately tried running Malwarebytes scan and it started normally but then a few seconds into the scan it disappeared.

    I then restarted my computer and ran it in safe mode. The same thing happened, scan started and then got stopped by the virus. Soon as that happened I knew that the virus was stopping me from running any anti virus software. I tried Avast, Malwarebytes, GMER, Spybot Search & Destroy, etc. and kept getting the same thing happen. Once the scan starts, it stops after a few seconds. I have also found out that once I try to open the AV that has been stopped, I get this message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". I am on an admin account in safe mode and I have the full rights so it's the virus stopping me from running the AV.

    Another thing I tried was creating a bootable Kaspersky Rescue Disk. I did this successfully and after 8 hours of scanning it found 13 viruses and removed them. I then scanned it again to make sure that it removed them and it did not find anything. I still had the same problem once I logged onto a user account. The bootable rescue disk did not find the virus that is stopping me from running AVs. As Kaspersky Rescue Disk found a few viruses, I thought I'd try my luck with another bootable disk as that was the only way I was able to complete a scan without the virus stopping it. I tried AOSS boot cd and once again found 3 viruses and removed them. Was STILL facing the same problem. The bootables I created have found minor viruses but not the main one that is affecting me. This is just one problem and the MAIN one I need help with.

    The other problem is Google being redirected to 100ksearches.com. I found this virus by running Kaspersky Virus Removal Tool (only AV I was able to run without getting interrupted). Here is the name of what it found but was not able to remove:
    Object: C:\Windows\assembly\GAC_MSIL\Desktop.ini
    Trojan program: Backdoor.Win32.ZAccess.dg
    I believe this one is responsible for the redirects I'm getting. I don't think it's the one stopping me from running AVs but I may be wrong.

    Like I said I am new to this site so if I missed out information please let me know. Thanks.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. Dean010

    Dean010 Private E-2

    Hey. Thanks for helping. Here are my results.

    The SAS scan detected 2 Trojan.Dropper/SVCHost-Fake but was stopped by the virus before it was able to finish. (I believe it's this trojan that is redirecting me, might be wrong)

    Also would you like me to add the rkill log as it might be helpful to see what processes it stopped?

    The TDSSKiller found something but its default action was set to Skip. I was not sure if I needed to change that to Cure or Quarantine. Please correct me if I made a mistake.

    With MGTools at the stage where it said "Checking Testing DNS servers with nslookup" I got an error pop up saying "The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"

    Thanks.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What are you using for antivirus?

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    Do all of these users of this machine REALLY need to have admin priv's?


    • Yes | Administrator
    • Yes | Dajana
    • Yes | Dejan
    • | Guest (Disabled)
    • Yes | Maja
    • Yes | Smilja

    Uninstall the below outdated java.
    • Java(TM) 6 Update 24
    • Java(TM) SE Development Kit 6 Update 22

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}]
    
    
    :files
    C:\Users\Smilja\AppData\Local\88gsx12rpbf61i415lko21cr8m734nnc73475
    C:\Users\Smilja\AppData\Roaming\Microsoft\Windows\Templates\88gsx12rpbf61i415lko21cr8m734nnc73475
    C:\ProgramData\88gsx12rpbf61i415lko21cr8m734nnc73475
    C:\Users\Smilja\AppData\Local\{0ECA2D0A-C790-495D-9B2B-3D04439A74F2}
    C:\Users\Smilja\AppData\Local\{168F79DD-58D6-476E-8C31-13DB6A72D0A9}
    C:\Users\Smilja\AppData\Local\{2273AFFF-BDBE-410A-8233-711167723ABA}
    C:\Users\Smilja\AppData\Local\{4568D3E4-0046-433E-A36E-AC5C9C675D11}
    C:\Users\Smilja\AppData\Local\{46548682-D261-4026-BA28-8DD40BD4B70A}
    C:\Users\Smilja\AppData\Local\{46EEBCB7-2AB8-4179-AB07-13EFC48901CE}
    C:\Users\Smilja\AppData\Local\{50B1C9FB-F5E9-4CAC-98A6-EC1EC4F8F716}
    C:\Users\Smilja\AppData\Local\{6A2E7E78-302C-45DD-B34A-2CEF12D52D15}
    C:\Users\Smilja\AppData\Local\{7A11569A-05E3-4596-BFF0-A750F9F62F51}
    C:\Users\Smilja\AppData\Local\{93295A3C-8410-4FEA-BD75-F8B4CD91F5C4}
    C:\Users\Smilja\AppData\Local\{99ACDA3F-3E22-4AF7-AFA1-286719DFA2CC}
    C:\Users\Smilja\AppData\Local\{A34168FD-E651-49B6-B139-4D38428A4C85}
    C:\Users\Smilja\AppData\Local\{A92B1A0E-75E3-487E-84D2-CB420885EF83}
    C:\Users\Smilja\AppData\Local\{AD80AC09-C37D-4D6C-9EB7-323B632D2A09}
    C:\Users\Smilja\AppData\Local\{B5C52D9A-FDBB-4388-83DA-1DCF1B23273A}
    C:\Users\Smilja\AppData\Local\{C346750A-F9B3-4457-B26F-0F21D269D3CA}
    C:\Users\Smilja\AppData\Local\{DD1F3ACB-8055-444E-858C-888D2E00F2FE}
    C:\Users\Smilja\AppData\Local\{DF40B5D6-4317-4D95-9FD8-2489EDCDBD49}
    C:\Users\Smilja\AppData\Local\{E9048BD0-4852-4227-B559-BF06F443FF44}
    C:\Users\Smilja\AppData\Local\{F6B85C11-88F3-4704-BB6A-E26392B06DAC}
    C:\Users\Smilja\AppData\Local\{FC44BCCD-A96B-48F1-A094-0F000E2D06D7}
    C:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Users\Smilja\AppData\Local\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    
    :Commands
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Are you still being redirected?
     
  5. Dean010

    Dean010 Private E-2

    Thanks for replying.

    I changed it to Normal Startup.

    I had AVG installed. Was told to try reinstalling it once it stopped working. When I did this I couldn't install it again because of the virus. I can install it. But it won't scan, update or run because of the virus.

    Not every account needs to be admin, no. But I set it up like that when we started facing some security issues. It's stupid I know. Hopefully if this virus can be removed I will set all the proper permissions again.

    I couldn't uninstall the outdated Java files. Every time I clicked on uninstall the green bar got to the end and then went all the way back reversing the removal. I then tried it in safe mode and got the following message:

    "The Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

    I tried uninstalling another program just in case it was the Windows Installer, but the other program uninstalled successfully.

    Should I proceed with the rest of the steps even though Java was not uninstalled?

    Thanks.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry for the late response. Yes please. Do continue on. :)
     
  7. Dean010

    Dean010 Private E-2

    Here are my logs. I will restart now and check if I still got the redirecting problem. Thanks a lot
     

    Attached Files:

  8. Dean010

    Dean010 Private E-2

    I am still getting the redirects
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tell me exactly, or show me with a screenshot what is inside of these folders, please.

    • C:\ProgramData\{61D227D1-25DF-4A97-9428-6C9A27015CDA}
    • C:\Program Files\WI9130~1

    I am also looking at these files, not sure what they are for. Have you any idea? All have 28th July date.

    • C:\Windows\System32\Datei0
    • C:\Windows\System32\Datei1
    • C:\Windows\System32\Datei10
    • C:\Windows\System32\Datei2
    • C:\Windows\System32\Datei3
    • C:\Windows\System32\Datei4
    • C:\Windows\System32\Datei5
    • C:\Windows\System32\Datei6
    • C:\Windows\System32\Datei7
    • C:\Windows\System32\Datei8
    • C:\Windows\System32\Datei9

    Zip a couple up for me using this method.

    To do this, see the below:

    Please go to start > Run and paste in the following:
    log retrievable @ C:\collect.zip

    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • C:\Windows\System32\Datei8
    • C:\Windows\System32\Datei9



    Code:
    :files
    C:\Users\Dejan\AppData\Roaming\Microsoft\svchost.exe
    C:\Users\Smilja\AppData\Local\Temp\{0190B7FB-FB68-4E8A-A959-C9FE09C798FC}
    C:\Users\Smilja\AppData\Local\Temp\{B98C837E-4B27-4DF2-9FC1-BF6FCB657AB8}
    C:\Users\Smilja\AppData\Local\Temp\{C07152F4-3517-4602-806C-2BC1DDA2D4E9}
    C:\Users\Smilja\AppData\Local\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Users\Smilja\AppData\Local\Temp\252E.tmp
    C:\Users\Smilja\AppData\Local\Temp\2938.tmp
    C:\Users\Smilja\AppData\Local\Temp\2BD0.tmp
    C:\Users\Smilja\AppData\Local\Temp\317B.tmp
    C:\Users\Smilja\AppData\Local\Temp\668F.tmp
    C:\Users\Smilja\AppData\Local\Temp\6901.tmp
    C:\Users\Smilja\AppData\Local\Temp\8085.tmp
    C:\Users\Smilja\AppData\Local\Temp\84C8.tmp
    C:\Users\Smilja\AppData\Local\Temp\9240.tmp
    C:\Users\Smilja\AppData\Local\Temp\9DA5.tmp
    C:\Users\Smilja\AppData\Local\Temp\A87E.tmp
    C:\Users\Smilja\AppData\Local\Temp\AC07.tmp
    C:\Users\Smilja\AppData\Local\Temp\AE48.tmp
    C:\Windows\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Users\Smilja\AppData\Local\{0A7FFD26-CDC0-4542-932E-BDF42EA2AE1F}
    C:\Users\Smilja\AppData\Local\{519D5AE8-374F-46FC-960B-C185C6517D37}
    C:\Users\Smilja\AppData\Local\{72BA4841-6A56-4A23-92AF-16AB043125FD}
    C:\Users\Smilja\AppData\Local\{8D77F559-4BAD-4F9C-BEA9-2C26B65826A2}
    C:\Users\Smilja\AppData\Local\{9B09BC92-F3A8-4883-B19B-410968137685}
    C:\Users\Smilja\AppData\Local\{A3665094-EF62-41ED-935C-DEE4FB5C32A0}
    C:\Users\Smilja\AppData\Local\{AC4CD139-C685-437B-B9B2-535C765553DE}
    C:\Users\Smilja\AppData\Local\{C1CF7D5B-C584-42F8-8165-0135701EAE3E}
    C:\Users\Smilja\AppData\Local\{DA5B7C43-8969-4E9E-8B43-110ECCE016E0}
    C:\Users\Smilja\AppData\Local\{DD9F92E1-03F6-49D6-A582-D79B53EAD6C7}
    C:\Users\Smilja\AppData\Local\{EDE60EAF-4821-4873-884F-58189338199D}
    C:\Users\Smilja\AppData\Local\{F7F7CEEE-4648-4EAC-96CA-EE4ED490EDD4}
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost"=-
    
    :Commands
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Next ........

    Please download and run Combofix as per the instructions in the R&R.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • procdll <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    • GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    Please also download MBRCheck to your desktop.

    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.


    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Still having redirects?

    IMPORTANT:-
    • Do all browsers redirect or just one browser? Try different browsers and let me know
    • Do you use a router?
    • Do you have your Vista boot CD?
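An added example, not part of the thread or of the MajorGeeks tools, that automates the triage step in the post above: it finds files in a folder whose names match a pattern and that share a modification date (like the Datei0 to Datei10 files all dated 28th July), records size and SHA-256 so results can be compared against a VirusTotal lookup, and packs the selected files into a zip like the C:\collect.zip the helper asks for. The folder, file names and contents that make_sample_tree creates are constructed for demonstration only.

```python
"""Triage helper: cluster same-day files, hash them, zip them for analysis."""
import hashlib
import os
import re
import tempfile
import zipfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_record(path):
    """Metadata worth posting with a sample: name, size, UTC day modified, SHA-256."""
    stat = path.stat()
    day = datetime.fromtimestamp(stat.st_mtime, timezone.utc).strftime("%Y-%m-%d")
    return {"name": path.name, "path": str(path), "size": stat.st_size,
            "mtime": day, "sha256": sha256_of(path)}


def cluster_by_date(directory, name_pattern=r"^Datei\d+$", min_count=3):
    """Return records for matching files whose modification day is shared by
    at least min_count files; a batch dropped together usually shares a day."""
    records = [file_record(p) for p in Path(directory).iterdir()
               if p.is_file() and re.match(name_pattern, p.name)]
    per_day = Counter(r["mtime"] for r in records)
    return sorted((r for r in records if per_day[r["mtime"]] >= min_count),
                  key=lambda r: r["name"])


def pack_for_analysis(records, zip_path):
    """Zip the selected files under their base names; returns the file count."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as archive:
        for record in records:
            archive.write(record["path"], arcname=record["name"])
    return len(records)


def make_sample_tree():
    """Constructed sample folder: four Datei files dated 2011-07-28, one Datei
    file from another day, and an unrelated DLL name that the pattern ignores."""
    base = tempfile.mkdtemp(prefix="triage_")
    same_day = datetime(2011, 7, 28, 12, 0, tzinfo=timezone.utc).timestamp()
    other_day = datetime(2011, 7, 20, 12, 0, tzinfo=timezone.utc).timestamp()
    samples = [("Datei0", b"", same_day), ("Datei1", b"sample-1", same_day),
               ("Datei2", b"sample-2", same_day), ("Datei3", b"sample-3", same_day),
               ("Datei9", b"older", other_day), ("kernel32.dll", b"x", same_day)]
    for name, content, stamp in samples:
        target = os.path.join(base, name)
        with open(target, "wb") as handle:
            handle.write(content)
        os.utime(target, (stamp, stamp))
    return base
```

Run cluster_by_date against the real folder (for example C:\Windows\System32) and post the printed records alongside the zip; the hashes let the helper match the files to VirusTotal results without re-uploading.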
     
  10. Dean010

    Dean010 Private E-2

    I will be going away on holiday tomorrow. Will this post get closed? Is it possible to put it on hold until I come back?

    Thanks.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It will remain open of course. :) When you return from holiday, follow my instructions, answer any questions I may have asked and attach the requested logs.
     
  12. Dean010

    Dean010 Private E-2

    Thanks a lot for your help. I will get back to you.
     
