VERY persistent xp antivirus/browser redirect problems!

Discussion in 'Malware Help (A Specialist Will Reply)' started by holzman, Apr 25, 2011.

  1. holzman

    holzman Private E-2

    Last Thursday April 21 my XP sp2 laptop was invaded by XP antivirus 2011 virus, perhaps by carelessly downloading a music conversion program (amazingmidi) without scanning first.

    Before actually finding this website, here are the steps I took: I logged out, booted back up in safe mode and tried a scan with my AVG antivirus software, unsuccessfully – malware had blocked the program. I then downloaded Malwarebytes Anti-Malware and Kaspersky’s removal tool from a different machine, copied them onto a USB memory stick, somehow got them to scan the infected laptop and isolate a few malware files:

    rootkit.TDSS.gen
    Trojan.FakeAlert
    Hijack.ExeFile
    PUM.Disabled.SecurityCenter
    PUM.Hijack.TaskManager
    Broken.OpenCommand
    Hijack.StartMenuInternet

    All of these were deleted.

    I thought this would solve the problem. After deleting the files and rebooting, my laptop’s shortcuts were still all non-functional, and none of my programs actually worked. I thought that fixing the registry would help and tried downloading a new version of PC Tools Registry Mechanic and ran that, with no success at enabling my programs to run (Adobe Dreamweaver, Fireworks, etc.). For a while the laptop was completely non-functional – I booted in ‘diagnostic mode’ using msconfig, was able to get the laptop to boot, do a few more scans, delete a few more Trojans and finally get the machine to boot successfully. Still, shortcuts had disappeared and some programs were non-functional.

    Since I had done the scans with Malwarebytes and Kaspersky’s, I thought the laptop would be virus free, so I thought the problem was perhaps Windows XP being damaged by the virus. I tried to do a repair-reinstall of Windows XP SP2 (with the XP disc sent with the computer) with no improvement. A few more scans with Malwarebytes and Kaspersky’s virus tool resulted in no malware found, but desktop shortcuts don’t work, some programs don’t run, and with every single browser I have available (Safari for Windows, Firefox, Chrome, Netscape and IE) I was getting constant redirects to junk websites. At least I was able to boot the laptop normally though and could connect to the internet.

    Also, I ran Trend Micro’s Rootkit Buster and it found a TDL3 infection, which I deleted, but I am still experiencing constant redirects and was still unable to open and/or re-install programs previously on my laptop.

    After all of this, many searches for solutions brought me to this website, so I’ve taken the initial steps recommended for the browser re-direct problem and followed the Fixing Google Redirection/Hijacking Problems steps:
    1. Downloaded and ran ATF-cleaner.exe to clear all browsers
    2. flushed the Java Cache
    3. flushed the DNS cache
    4. downloaded TDSSKiller from kaspersky – was not able to get it to run either in safe mode or normal windows mode – it hangs when about 80% installed each time
    5. I then followed the directions for malware removal since I was apparently still infected and I continued to get constant redirects on all browsers so I continued to the next steps:
    6. I uninstalled all but one antivirus program (Super anti spyware)
    7. Made sure there were not multiple firewalls installed and running
    8. Went to Add/Remove Programs and removed all unnecessary programs and looked for the ones on your list (to uninstall).
    9. Updated Sun java to the latest version – Java 6 update 25
    10. Made sure all quarantine folders were emptied
    11. emptied the recycle bin
    12. Downloaded and installed CCleaner and ran with default options
    13. checked to make sure I had 32-bit version of windows
    14. Enabled viewing of hidden files, system files and extensions
    15. Made sure msconfig was set for normal startup mode – laptop is now booting normally.
    16. uninstalled any known malware programs (none on your list were found installed)
    17. Disabled any disk emulation software
    18. followed directions for cleaning XP by downloading:
    a. superantispyware – log is attached
    b. malwarebytes anti-malware - log is attached
    c. combofix.exe - log is attached
    d. rootrepeal – log is attached
    e. MG tools – I downloaded and saved at c:\mgtools.exe and attempted to run it, it created an ‘MGtools’ folder on C:\drive, but did not generate an MGLogs.zip file. A command prompt window flashed open briefly but closed and it stopped running. I couldn't find a log file to upload
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version #, date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    Now please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    Nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    If any of the below 3 scans seem to run, look for the C:\MGlogs.zip file and attach it.
     
  3. holzman

    holzman Private E-2

    Thank you so much for your reply! Regarding TDSSKiller, I attempted to run that several ways and the virus is definitely not letting me. It stalls after initializing about 80%, and that's if I try to run the program from the C: drive with its original name, OR renamed to something like 123.com. In addition, I even tried to run it both ways (using both the original name and fake name) in safe mode from the command prompt and it still hung up and generated an error saying 'TDSS rootkit removing tool has encountered a problem and needs to close.' each time I tried.

    I was able to run each of the nwktst, getrunkey and shownew commands from the command prompt in the c:\mgtools directory. The MGlogs.zip file is attached - thanks so much for your help figuring out this stubborn, amazingly annoying hidden virus.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try moving TDSSkiller.exe to your root folder so that you have C:\TDSSkiller.exe

    Now reboot your PC into safe mode with command prompt. When you get to the command prompt, enter the below command

    C:\tdsskiller.exe

    Then reboot back into normal mode and let me know what happened.
     
  5. holzman

    holzman Private E-2

    Interesting things have been happening when I try to reboot into safe mode with command prompt. It seems to go through a list of files, then hangs on windows/system32/90671312.sys for a while, then I get a blue screen with an error message that says

    a problem has been detected and windows has been shut down to prevent damage to your computer

    INVALID_QUEUE_ITEM

    If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

    check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manuf. for any windows updates you might need.

    If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing.

    Technical Information:

    ***STOP: 0x00000096 (0xF78EAD24, 0x805694C0, 0x805694C0, 0x8A8546DA)

    Beginning dump of physical memory
    Dumping physical memory to disk:

    So, I turned the computer off, rebooted in safe mode (without command prompt or networking), and the same error occurred. So, I rebooted in safe mode with networking (the only way it seems to let me boot in safe mode), then it allowed me to log on, so I hit 'start', then 'run' then 'cmd' to get the command prompt, then typed in the tdsskiller.exe command at the C:\ prompt and got the same error as before - the 'TDSS rootkit removing tool has encountered a problem and needs to close'.

    For good measure, I tried typing in the other fake names that I renamed tdsskiller.exe file as (I copied the file with different names in the c:\ directory) with the same result -- hanging at 80% initialization then the error message.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will need to use your Windows XP CD to boot to the Recovery Console and then at the command prompt of the recovery console, try running C:\tdsskiller.exe
     
  7. holzman

    holzman Private E-2

    Hi, I'm at the recovery console c:\> prompt, and typed in tdsskiller.exe and the response was

    'the command is not recognized Type HELP for a list of supported commands'.

    I guess I need help on actually running a program from the recovery console.
     
  8. holzman

    holzman Private E-2

    should I run the fixmbr command from recovery console, then try tdsskiller?
     
  9. holzman

    holzman Private E-2

    I went ahead and ran fixmbr at the recovery console's c:\ prompt with success, then was able to run TDSSkiller.exe (while in safe mode).

    Yay, the automatic redirects have stopped, and the laptop seems to be running well. A few programs cannot run though (like Adobe Dreamweaver) and I'm unable to re-install them from disc. After the install program initializes, it just quits and nothing happens.

    Icons on the desktop are still looking different (transparent) and Quick Launch has moved to the right side of the bottom of the screen, oddly.

    I tried to run an additional scan (for good measure) with Trend Micro's HouseCall, but couldn't get that program to run (a blank window when the program tries to load).

    I did additional scans with kaspersky's virus removal tool and super anti spyware.

    Logs for TDSSKiller.exe and Super anti spyware are attached.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to post the exact details of these kinds of problems in the Software Forum.

    Make sure that you are not having a problem with file permissions being set to read-only or hidden.

    Also check the Properties of your Desktop folder and make sure it is not set to Hidden.


    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  11. holzman

    holzman Private E-2

    Thanks - Here are the MGTools logs.

    Is there a simple way to make sure files aren't being set to read only or hidden?

    I have a question regarding windows after removing (hopefully) a virus like this. Is it recommended to do a repair-install of windows xp with the XP disc that came with the laptop once the system is cleaned of malware? Are there 3rd party programs that you recommend that can fix windows after something like this happens?
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes. For your case I would bet the files and folders on your Desktop ( and possibly in other folders on your PC too. Do you see things missing under the Start button or under All Programs? ) are hidden. Just bring up Windows Explorer and navigate to your Desktop folder. Then right-click on it and select Properties. Then uncheck the Hidden attribute and click Apply. Make sure that you elect to apply to all subfolders and files too.

    Not necessarily. It would depend upon the types of problems being experienced afterwards.

    Not really, since there are so many different types of problems that could occur. One possibly useful program for some issues would be Microsoft's own tool called FixIt.
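As an added illustration of the hidden-attribute check described in this reply (this script is not from the thread or from MajorGeeks), the following batch file lists and then clears the Hidden, System and Read-only attributes on the Desktop and Start Menu folders that this family of infection is reported to hide. It assumes a default Windows XP profile layout (%USERPROFILE% and %ALLUSERSPROFILE%) and is run from a normal cmd prompt.

```batch
@echo off
rem Added example, not from the thread: report and clear the attributes
rem that hide Desktop / Start Menu contents after this kind of infection.
rem Assumes default XP profile paths via %USERPROFILE% and %ALLUSERSPROFILE%.
setlocal

for %%F in ("%USERPROFILE%\Desktop" "%USERPROFILE%\Start Menu" "%ALLUSERSPROFILE%\Desktop" "%ALLUSERSPROFILE%\Start Menu") do call :fix "%%~F"
goto :eof

:fix
if not exist "%~1" (
    echo Skipping missing folder: %~1
    goto :eof
)
echo === %~1

rem Step 1: show what is currently hidden so the change can be reviewed first.
rem (desktop.ini files are legitimately hidden+system; un-hiding them is harmless.)
echo Hidden items before:
dir "%~1" /a:h /s /b 2>nul

rem Step 2: clear Hidden (-h), System (-s) and Read-only (-r) on the folder
rem itself, then recursively on every file and subfolder (/s = recurse,
rem /d = apply to directories as well). -s and -h must be cleared together,
rem otherwise attrib refuses to touch a file marked both System and Hidden.
attrib -h -s -r "%~1"
attrib -h -s -r "%~1\*" /s /d

rem Step 3: verify. Anything listed here is either still locked by
rem permissions or is being re-hidden by something still running.
for /f "delims=" %%H in ('dir "%~1" /a:h /s /b 2^>nul') do echo STILL HIDDEN: %%H
goto :eof
```

If the same items show up again as hidden after a reboot, that is a sign the machine is still infected rather than merely damaged, and the next step is another scan, not another attrib run.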
     
  13. holzman

    holzman Private E-2

    Thanks, the desktop folder did turn out to be 'hidden'. The problem with that program (adobe dreamweaver) being unable to run or be re-installed seems to be the only problem. Is that a result of the virus or perhaps a sign of some malware still present?

    After a virus like this, is the stability of the system compromised?

    Judging from the logs I posted yesterday, do you think I'm rid of this annoying virus, or should I run a few more scans?

    Your help is sure appreciated!
     
