Computer Hope
Software => Computer viruses and spyware => Topic started by: ss1997 on October 21, 2008, 09:08:27 PM
-
hi,
first I'm as beginner as they come to the computer. My problem is that yesterday when we tried to access the internet our home page changed to google. then, whenever I search for something and won't allow me to go to that page. My virus protection is something called Nod 32 that a friend of mine hooked me up on. It even appeared to have trouble operating. Any ideas on what I should do to delete whatever is causing??
thanks
-
Welcome to ComputerHope.
then, whenever I search for something and won't allow me to go to that page.
What do you mean here?
It even appeared to have trouble operating.
Do you mean the antivirus isn't working?
What did you do before the problem? (downloads, installs, hardware changes, ect...)
-
When I do a search and click on the link, it re-directs me to some random page and won't allow me to access the page I won't. As for the nod.32, normally it has an "Eye" box that pops up and then disappears after a couple secs. When this initially happened it the box just stayed up and never disappeared. As to what was done before this I have no idea as I have two kids and a wife that primarily use the internet and no telling what they hit.
-
I suspect a Malware Infection...
Please start here:
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
when i clicked on the link and hit the download button i got an error that the page was unavailable. there was another link on th eoriginal page to click if unable to download in 30 seconds bt i got the same unavailable page on it as well.....the last 20 minutes my internet has just cut off by the way.
-
Download for what?
-
that link you sent me had a link to a microsoft page with instructions to download windows xp sp1 I believe which I tried with no success.
-
Please print these instructions as they will be needed later when Internet access is not available.
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html
When using this tool, you must use the Administrator's account or an account with Administrative rights- Double click SDFix.exe and it will extract the files to %systemdrive%
- (this is the drive that contains the Windows Directory, typically C:\SDFix).
- DO NOT use it just yet.
.Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.bat to start the script.- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
- Copy and paste the contents of the results file Report.txt in your next reply.
-
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\TDSSrfdc.sys - Rootkit.Win32.Agent.cku
Name :
tdssserv
Path :
\systemroot\system32\drivers\TDSSrfdc.sys
tdssserv - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\TDSSedrm.dll - Deleted
C:\WINDOWS\system32\TDSSjrlv.dll - Deleted
C:\WINDOWS\system32\TDSSfcof.dll - Deleted
C:\WINDOWS\system32\TDSSxnaq.dll - Deleted
C:\WINDOWS\system32\TDSSxbae.dll - Deleted
C:\WINDOWS\system32\TDSSrhcw.dll - Deleted
C:\WINDOWS\SYSTEM32\WINDOW~1.EXE - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 00:15:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 7 Oct 2008 56 ..SHR --- "C:\WINDOWS\system32\0F674B5A86.sys"
Sun 14 Sep 2008 88 ..SHR --- "C:\WINDOWS\system32\865A4B670F.sys"
Tue 7 Oct 2008 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 25 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 25 Jun 2006 4,348 ...H. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 May 2008 20 A..H. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 17 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv2key.bak"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 24 Aug 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Finished!
-
by the way, my internet service now seems to be running normal speed and when i type in a web site, I go to it instead of some random page--mean I'm fixed now?
-
No you are not fixed, but SDFix removed the rootkit that was blocking you from downloading the tools we need to finish the cleanup process.
Go HERE (http://www.computerhope.com/forum/index.php/topic,46313.msg290095.html#msg290095).
Do steps 2, 4, 5 and 6
Post the logs when complete.
-
here is log...appears a trojan type file was the only one detected/removed:
alwarebytes' Anti-Malware 1.29
Database version: 1304
Windows 5.1.2600 Service Pack 2
10/22/2008 1:07:18 AM
mbam-log-2008-10-22 (01-07-18).txt
Scan type: Quick Scan
Objects scanned: 83302
Time elapsed: 15 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Quarantined and deleted successfully.
-
Hi,
I just wanted to say thank you very much for your help as I believe my problem has gone away. Hope another one doesn't surface but appreciate the time you spent helping me get corrected.
SS
-
Without all of the logs we can't be sure it is actually gone.