
Solved Google redirect problem [DDS fails], browsers crash

Discussion in 'Malware and Virus Removal Archive' started by Nikolette, 2009/03/22.

  1. 2009/03/28
    Nikolette

    Nikolette Inactive Thread Starter

    Joined:
    2009/03/22
    Messages:
    34
    Likes Received:
    0
    Geri,

    I disabled my AV and Firewall, ran it again, the same green bar went across the screen as if it was going to work, but there is no c-fix.txt file anywhere, no subdirectory anywhere off of my C drive. As a matter of fact the only two files on my computer with c-fix in their name are the c-fix.exe and a prefetch file (which I have no idea about) named C-FIX.EXE-3A6AC0FE.pf.
     
  2. 2009/03/28
    Nikolette

    Geri,

    I've been doing some research today and found an unusual folder off my C drive. This link points to the exact same thing that is on my computer.

    http://www.threatexpert.com/report.aspx?md5=61dd8e3a4300611e9b5493f1e74c5101

    Most files have a date of 8/31/2000.

    Unfortunately the site doesn't explain anything to me. I don't know if it will help or not, but here it is.

    I hope we can resolve this. I do not want to have to wipe my laptop. Plus I have an external drive for backup purposes hooked to that laptop, is it going to be infected, too?
     
    Last edited: 2009/03/28


  4. 2009/03/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Niki

    OK, let's try this.

    Download Dr.Web's CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow > to the right and the scan will begin.
    • At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, click the "Select all" toggle button (if available) next to the files found
    • Then click the green cup icon right below and select Move incurable
    • This will move any infected files that can't be cured to the %userprofile%\DoctorWeb quarantine folder (in case we need samples).
    • Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
      Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
    Please post the report here.

    Thanks
    Geri
     
  5. 2009/03/29
    Nikolette

    Wow, that took me forever to accomplish. Here it is.

    autorun.inf;e:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
    sprtsync.dll;c:\program files\twc\medicsp2\bin;Probably DLOADER.Trojan;Incurable.Moved.;
    c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Incurable.Moved.;
    psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
    medic6.exe\data014;C:\Documents and Settings\Niki\medic6.exe;Probably DLOADER.Trojan;;
    medic6.exe;C:\Documents and Settings\Niki;Archive contains infected objects;Moved.;
    C-Fix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Niki\Desktop\C-Fix.exe/data002;Probably BATCH.Virus;;
    C-Fix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Niki\Desktop\C-Fix.exe/data002;Program.PsExec.171;;
    data002;C:\Documents and Settings\Niki\Desktop;Archive contains infected objects;;
    C-Fix.exe;C:\Documents and Settings\Niki\Desktop;Container contains infected objects;Moved.;
    xampp-win32-1.6.4-installer.exe\data195;C:\Documents and Settings\Niki\Desktop\xampp-win32-1.6.4-installer.exe;Program.PrcView.3725;;
    xampp-win32-1.6.4-installer.exe;C:\Documents and Settings\Niki\Desktop;Archive contains infected objects;Moved.;
    delfolder.exe;C:\Program Files\DellSupport\GTCoach;Trojan.MulDrop.30652;Deleted.;
    delfolder.exe;C:\Program Files\WebCyberCoach\b_Dell;Trojan.MulDrop.30652;Deleted.;
    A0096088.lnk;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP595;Modification of Trojan.Delreg.302;Moved.;
    A0097775.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Probably BACKDOOR.Trojan;Incurable.Moved.;
    A0109830.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP658;Probably BATCH.Virus;Incurable.Moved.;
    A0109981.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660;Probably BATCH.Virus;Incurable.Moved.;
    A0111081.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660;Probably DLOADER.Trojan;Incurable.Moved.;
    A0111082.exe\data014;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0111082.exe;Probably DLOADER.Trojan;;
    A0111082.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660;Archive contains infected objects;Moved.;
    A0111084.exe\data195;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660\A0111084.exe;Program.PrcView.3725;;
    A0111084.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP660;Archive contains infected objects;Moved.;
    A0111101.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661;Trojan.MulDrop.30652;Deleted.;
    A0111102.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661;Trojan.MulDrop.30652;Deleted.;
    xampp-win32-1.6.4-installer.exe\data195;E:\Memeo\Laptop Backup\C_\Documents and Settings\Niki\Desktop\xampp-win32-1.6.4-installer.exe;Program.PrcView.3725;;
    xampp-win32-1.6.4-installer.exe;E:\Memeo\Laptop Backup\C_\Documents and Settings\Niki\Desktop;Archive contains infected objects;Moved.;
    A0111103.exe\data195;E:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661\A0111103.exe;Program.PrcView.3725;;
    A0111103.exe;E:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661;Archive contains infected objects;Moved.;
     
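As an added example (not part of the thread, and not Dr.Web's own tooling), a small Python script that parses report lines in the semicolon-separated format above and groups the detections by where they were found. It assumes the four-field layout exactly as shown (object;directory;detection;action;), with an empty action for members of an archive; the sample records are a subset copied from the report above. The location buckets address the question raised earlier in the thread: entries under E:\ are copies on the external backup drive, and entries under System Volume Information are restore-point copies that stay inert unless a restore point is applied.

```python
from collections import Counter

# Sample records copied from the Dr.Web report above (a subset); format is
# object;directory;detection;action;  with an empty action for archive members.
SAMPLE_REPORT = """\
autorun.inf;e:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
sprtsync.dll;c:\\program files\\twc\\medicsp2\\bin;Probably DLOADER.Trojan;Incurable.Moved.;
medic6.exe\\data014;C:\\Documents and Settings\\Niki\\medic6.exe;Probably DLOADER.Trojan;;
medic6.exe;C:\\Documents and Settings\\Niki;Archive contains infected objects;Moved.;
delfolder.exe;C:\\Program Files\\DellSupport\\GTCoach;Trojan.MulDrop.30652;Deleted.;
A0097775.exe;C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP606;Probably BACKDOOR.Trojan;Incurable.Moved.;
xampp-win32-1.6.4-installer.exe;E:\\Memeo\\Laptop Backup\\C_\\Documents and Settings\\Niki\\Desktop;Archive contains infected objects;Moved.;
"""


def parse_report(text):
    """Split each report line into its four fields; the action may be empty."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip(";").split(";")
        if len(parts) < 3:
            continue  # blank line or something that is not a record
        records.append({"object": parts[0], "dir": parts[1], "detection": parts[2],
                        "action": parts[3] if len(parts) > 3 else ""})
    return records


def classify(directory):
    """Bucket a detection by where it lives; the bucket decides the follow-up."""
    d = directory.lower()
    if "system volume information" in d:
        return "restore point"   # inert copy, removed by purging System Restore
    if not d.startswith("c:"):
        return "other drive"     # e.g. the external backup drive
    if "documents and settings" in d:
        return "user profile"
    if "program files" in d:
        return "program files"
    return "other"


def summarise(text):
    """Count top-level detections per location and per action Dr.Web took."""
    by_location, by_action, unresolved = Counter(), Counter(), []
    for r in parse_report(text):
        # An object name containing a path separator is a member of an
        # archive; Dr.Web acts on the container, so skip the member here.
        if "\\" in r["object"] or "/data" in r["object"]:
            continue
        by_location[classify(r["dir"])] += 1
        by_action[r["action"] or "none"] += 1
        if not r["action"]:
            unresolved.append(r["object"])
    return {"locations": dict(by_location), "actions": dict(by_action),
            "unresolved": unresolved}
```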
  6. 2009/03/29
    Geri Lifetime Subscription

    Hi
    OK, let's try ComboFix again now.

    Delete the one you have and download, rename, and save it to your Desktop.

    See if it will run as previous instructions.

    Thanks
    Geri
     
  7. 2009/03/29
    Nikolette

    First I turned off my AV and FW, closed down all open programs.

    1. The ComboFix I had was gone off my desktop.
    2. When I try to even visit bleepingcomputers, my browser screen is totally blank.
    3. I went to a different mirror and re-downloaded ComboFix, renamed it CobbmboFix and double-clicked.
    4. The small green bar showed up for a moment, then disappeared.
    5. I went to the file and chose Run as, then a white bar showed up and sat there, doing nothing.
    6. I tried typing this into the Start, Run area: "%userprofile%\desktop\cobbmbofix.exe" and the green bar showed up for an instant, then disappeared.
    7. I then tried to run DDS again, no results.
     
  8. 2009/03/30
    Nikolette

    Geri,

    I ran another Dr.Web CureIt scan last night. The CobbmboFix I tried to launch last night now shows up in the results. And sure enough, I looked in the quarantined files from my first scan, and that's where the C-Fix.exe file was, that's why I couldn't find it on my desktop.

    c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Incurable.Moved.;
    psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
    CobbmboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Niki\Desktop\CobbmboFix.exe/data002;Probably BATCH.Virus;;
    CobbmboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Niki\Desktop\CobbmboFix.exe/data002;Program.PsExec.171;;
    data002;C:\Documents and Settings\Niki\Desktop;Archive contains infected objects;;
    CobbmboFix.exe;C:\Documents and Settings\Niki\Desktop;Container contains infected objects;Moved.;
    A0111104.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP661;Probably BATCH.Virus;Incurable.Moved.;

    Thanks.

    Niki
     
  9. 2009/03/30
    Nikolette

    Now I can't get to a cmd line and the redirects are back. :((((((
     
  10. 2009/03/30
    Geri Lifetime Subscription

    Hi Niki
    ARRRR.;)

    OK please download and run this.

    Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.

    Thanks
    Geri
     
  11. 2009/03/30
    Nikolette

    When I double-click on the GMER.exe icon, all my icons disappear and then come back and nothing happens. If I right click on the icon, choose run as, I get several errors,

    CreateFile "C:\DOCUME~1\Niki\LOCALS~1\Temp\aujasnkj.sys": Access is denied
    CreateFile "C:\aujasnkj.sys": Access is denied
    LoadDriver("C:\aujasnkj.sys") error 0xC0000061: Access is denied
    C:\WINDOWS\system32\config\system: Access is denied

    THEN the program opens but all the buttons on the right under the Rootkit tab are grayed out except Services, Registry, Files (even Show All). So...I'm not sure if I should try and scan from this screen or not. I looked at the other tabs, most of them are grayed out, too.
     
  12. 2009/03/30
    Geri Lifetime Subscription

    Hi Niki
    Did you put it into its own folder?
     
  13. 2009/03/31
    Nikolette

    Yes, on the desktop
     
  14. 2009/03/31
    Nikolette

    Yes, I did, on the desktop.

    Sorry for the double post. I was on my desktop, which when I pressed Quick Reply to answer you, redirected me first to eBay, then the second time, to a different place.

    OMG two computers? Unreal.
     
    Last edited: 2009/03/31
  15. 2009/03/31
    Geri Lifetime Subscription

    Hi Niki
    Let's hold off for now.
    I'm going to ask a friend to look in here, so it may be tomorrow before she sees me.

    If she posts to you please follow her instructions, or she may tell me what is happening with GMER.
    Her user name is Ried.

    Thanks
    Geri
     
  16. 2009/03/31
    Nikolette

    OK, thank you so much Geri.
     
  17. 2009/03/31
    Ried

    Ried Inactive

    Joined:
    2008/10/16
    Messages:
    13
    Likes Received:
    1
    Hello Nikolette,

    First, let me reassure you that folder is nothing to worry about. It is ComboFix.

    Let's see if we can get gmer to run this way:

    Open Notepad and copy/paste the contents in the code box below, into Notepad.

    Save this as niko.bat. Choose to "Save type as - All Files".

    It should look like this:

    Place the batch next to gmer & double click niko.bat to launch it.

    Please configure the scan as follows:

    If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.log"
    • Save it where you can easily find it, such as your desktop so you may post the contents in your next reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  18. 2009/03/31
    Ried

    If gmer is taking too long to complete its run, stop the scan. Save the log if it will allow it, and post it here.

    I'd also like you to do the following. It should only take seconds to return the log:

    Open Notepad and copy/paste the contents in the quotebox below, into Notepad.

    Save this as look.bat. Choose to "Save type as - All Files".

    It should look like this:

    Double click on look.bat & allow it to run. Then post the log which it produces.
     
  19. 2009/03/31
    Nikolette

    Ried,

    The halted GMER log is huge, 1.25MB, is there a place to send a file?
     
    Last edited: 2009/03/31
  20. 2009/03/31
    Nikolette

    Here's the look.bat file:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.I420"="msh263.drv"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "vidc.iyuv"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "vidc.uyvy"="msyuv.dll"
    "vidc.yuy2"="msyuv.dll"
    "vidc.yvu9"="tsbyuv.dll"
    "vidc.yvyu"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "vidc.tscc"="tsccvid.dll"
    "MSVideo"="CSvidcap.dll"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "vidc.3IV2"="3ivxVfWCodec.dll"
    "aux"="C:\\WINDOWS\\system32\\..\\jum.ysk"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"
     
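The export above is what makes the next step in the thread possible: every other Drivers32 value is a bare codec or driver module name (or a path under system32) ending in .dll, .drv, .acm or .ax, while "aux" points through "..". to C:\WINDOWS\jum.ysk, which is the file Ried then has removed. As an added example (not part of the thread, and not any tool used in it), a Python script that parses a REGEDIT4 export like look.bat's and flags Drivers32 entries that break that pattern. It assumes the system root is C:\WINDOWS as on the machine above; the sample export is a constructed subset of the real one.

```python
import ntpath
import re

# Drivers32 values are normally bare module names or system32 paths with these extensions.
DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
NORMAL_EXT = {".dll", ".drv", ".acm", ".ax"}
SYSTEM32 = r"c:\windows\system32"  # assumed system root, as on the machine in the thread

# Constructed sample in the REGEDIT4 format of the look.bat export (subset of the real entries).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"aux"="C:\\WINDOWS\\system32\\..\\jum.ysk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

# "name"="value" with REGEDIT4 escaping (backslash doubled, quote escaped with a backslash).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return {key: {name: value}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # dword:/hex: values do not match and are skipped
                name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                keys[current][name] = value
    return keys


def audit_drivers32(text):
    """List (name, value, reasons) for Drivers32 entries that deserve a closer look."""
    findings = []
    for name, value in parse_reg(text).get(DRIVERS32, {}).items():
        reasons = []
        if ntpath.splitext(value)[1].lower() not in NORMAL_EXT:
            reasons.append("unusual extension")
        if ".." in value.split("\\"):
            reasons.append("path traversal")
        # normpath collapses the ".." so we see where the module really loads from
        if ntpath.isabs(value) and not ntpath.normpath(value).lower().startswith(SYSTEM32 + "\\"):
            reasons.append("resolves outside system32")
        if reasons:
            findings.append((name, value, reasons))
    return findings
```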
  21. 2009/03/31
    Ried

    It should not be that large. Did you configure it the way I specified?:confused:

    Let's just keep moving along. :)

    Open HijackThis. Click on Open the Misc Tools Section.
    • On the screen, click on "Delete a file on reboot...".
    • Copy/paste the following path into the dialog box that popped up, and click 'Open':
      C:\WINDOWS\jum.ysk
    • HJT will ask you if you want to reboot now. Click "NO".

    ===================

    Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

    Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files".
    It should look like this:

    Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

    ===================

    Now reboot your system and run ComboFix.exe by double clicking on it. Post the log it produces. (it shouldn't take more than 10 or 15 minutes to complete)
     
