
[Inactive] Google redirect virus that TDSS can't kill

Discussion in 'Malware and Virus Removal Archive' started by sgtpepper23, 2011/02/06.

Thread Status:
Not open for further replies.
  1. 2011/02/06
    sgtpepper23

    sgtpepper23 Inactive Thread Starter

    Joined:
    2011/02/06
    Messages:
    2
    Likes Received:
    0
    [Inactive] Google redirect virus that TDSS can't kill

    Hey guys, I randomly had a virus one day that wouldn't let me on certain websites (Kaspersky, Microsoft) and kept redirecting me to "hugosearch", "licosearch", etc.

    I tried rkill and TDSSKiller, but they weren't detecting anything.

    I formatted and reinstalled Windows XP and it's STILL redirecting me everywhere.

    It's getting really annoying and NO antivirus is detecting it.

    ComboFix 11-02-05.01 - Owner 06/02/2011 20:37:52.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.238 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
    .

    2011-02-06 20:11 . 2011-02-06 20:11 -------- d-----w- C:\9e00facdbe0cb0c4693e140043985b

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
    "nwiz"="nwiz.exe" [2006-08-23 1617920]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 455109]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=


    --- Other Services/Drivers In Memory ---

    *Deregistered* - klmd25
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-06 20:39
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\Owner\Start Menu\Programs\Startup\gtwydidx.exe 167278 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2011-02-06 20:40:33
    ComboFix-quarantined-files.txt 2011-02-06 20:40

    Pre-Run: 111,597,662,208 bytes free
    Post-Run: 111,694,000,128 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 974FFEDB2D7877C63B5FD8A9AB9FB2B2
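    Reading a ComboFix/catchme log like the one above means picking out a handful of indicators by eye: the Run autostarts, the Security Center `AntiVirusOverride` flag, the reported NTDLL hook and the hidden executable in the Startup folder. The script below is an added example, not code from the forum or from ComboFix, that parses those sections and turns them into findings; the log excerpt it contains is constructed from the posted output, and the `HOOK_HEADER` / `HIDDEN_RE` formats are taken from the catchme lines shown above.

```python
import re
from itertools import takewhile

# Constructed excerpt in the style of the ComboFix/catchme log above (sample input, not the full log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NvCplDaemon"="c:\\windows\\system32\\NvCpl.dll" [2006-08-23 7630848]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
detected NTDLL code modification:
ZwQueryDirectoryFile

c:\\documents and settings\\Owner\\Start Menu\\Programs\\Startup\\gtwydidx.exe 167278 bytes executable
"""
HOOK_HEADER = "detected NTDLL code modification:"
# catchme reports each hidden file as "<path> <size> bytes executable"
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes executable$")

def parse_registry(log):
    # {registry key: {value name: data}} for the REGEDIT4-style "Reg Loading Points" section
    reg, key = {}, None
    for line in log.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg[key] = {}
        elif key and line.startswith('"'):
            name, _, rest = line[1:].partition('"')
            # drop the "=" and ComboFix's trailing "[date size]" annotation
            reg[key][name] = rest.lstrip()[1:].split(" [")[0].strip().strip('"')
    return reg

def parse_hooks(log):
    # API names listed under the catchme hook header, up to the next blank line
    lines = log.splitlines()
    start = lines.index(HOOK_HEADER) + 1 if HOOK_HEADER in lines else len(lines)
    return [l.strip() for l in takewhile(str.strip, lines[start:])]

def parse_hidden_files(log):
    return [(m["path"], int(m["size"])) for m in map(HIDDEN_RE.match, log.splitlines()) if m]

def triage(log):
    # the findings an analyst acts on: disabled AV alerting, hooked directory enumeration, hidden files
    reg = parse_registry(log)
    sc = next((v for k, v in reg.items() if k.lower().endswith("security center")), {})
    av = sc.get("AntiVirusOverride", "dword:00000000")
    findings = [] if av == "dword:00000000" else ["Security Center antivirus alerting is overridden"]
    findings += [f"ntdll hook on {api}: directory listings can be filtered, a rootkit indicator" for api in parse_hooks(log)]
    findings += [f"hidden executable: {p} ({n} bytes)" for p, n in parse_hidden_files(log)]
    return findings
```

    Run on the posted log (after stripping the forum's leading indentation) this yields three findings; a hook on ZwQueryDirectoryFile is exactly what lets a file in the Startup folder stay invisible to Explorer and to most scanners, which is why a clean reinstall that restores the same startup item is worth a second look.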
     
  2. 2011/02/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    We can get back and check your computer, but before we go there... your router may be infected.
    BTW, I don't see any AV program installed?
    Is Windows firewall on?
    Was your computer physically connected to the internet while reinstalling Windows?

    Now...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In the Command Prompt window, type in the following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil or a paperclip, until all lights briefly come off and on.
    NOTE. Simply disconnecting the router from a power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
     


  4. 2011/02/06
    sgtpepper23

    sgtpepper23 Inactive Thread Starter

    Joined:
    2011/02/06
    Messages:
    2
    Likes Received:
    0
    Did all that, problem still here :(
     
  5. 2011/02/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You didn't answer my other questions.
     