ptatums315

Re: Browser Redirects to "go.google.com" (or nowhere at all)

  #6
Sep 13th, 2008
I was able to download some of the suggested cleanup tools to a flash drive at my place of employment, and I copied these to the desktop of the infected computer.

Following PhilliePhan's instructions:

4) I looked through the Control Panel's "Add/Remove Programs" and didn't find anything that was obviously suspicious. (Take that with a grain of salt; program names wouldn't need to be all that cleverly disguised to get past me...)

5) I enabled viewing of hidden files.

6) I attempted to download the "Microsoft Windows Malicious Software Removal Tool", but, although I could get to the Microsoft download site, the download would fail with an error. So this step is incomplete.

7) I ran ATF-Cleaner.exe with no apparent problems. I'm using Firefox at the moment based on suggestions from people at my workplace who are far more knowledgeable about this stuff than me, so I followed the ATF-Cleaner instructions specific to Firefox as well.

8) I ran Malwarebytes' Anti-Malware tool as detailed. It appeared to download updates properly. After clicking "Remove All", the results of the scan follow:

Malwarebytes' Anti-Malware 1.28
Database version: 1143
Windows 5.1.2600 Service Pack 2

9/12/2008 11:44:08 PM
mbam-log-2008-09-12 (23-44-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 120051
Time elapsed: 38 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
I haven't gone to step #9 -- I hate to be the anal-retentive engineer, but Malwarebytes' Anti-Malware tells me that my "computer needs to be restarted to complete the removal process" and asks if I would like to continue, but PhilliePhan's instructions don't address this. Should I restart before continuing with the ESET scan?

Thanks,
Pete
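The post's question about restarting concerns the "Delete on reboot" entries in the Malwarebytes log. As an added example that is not part of the original post and not Malwarebytes' own tooling, the Python below parses the MBAM 1.28 log lines quoted above (embedded here as the sample input), lists the entries still pending a reboot, cross-checks the summary counts at the top of the log against the per-section entries, and flags a well-known Windows binary name found outside the directory Windows ships it in (svchost.exe lives in C:\WINDOWS\system32, so a copy under system32\drivers is a decoy). The `still_present` check takes an `exists` callback so it can be run on the affected machine after the reboot against the real file system; here it is exercised with a stand-in. All function names are this example's own.

```python
import os
import re

# Sample input: the Malwarebytes' Anti-Malware 1.28 log from the post above,
# copied into this example so it runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1143
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 120051

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
"""

SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
# "<item> (<threat>) -> <action>."  with the trailing period stripped
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Directory Windows ships the binary in (lower-cased); a copy anywhere else is a decoy.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32"}


def parse_detections(log_text):
    """One dict (section, item, threat, action) per detection line."""
    detections, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]          # a section header such as "Files Infected:"
            continue
        if section is None or not line or line.startswith("("):
            continue                     # preamble, blank, or "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections


def pending_reboot(detections):
    """Entries MBAM could not remove while the system was running."""
    return [d for d in detections if d["action"] == "Delete on reboot"]


def count_mismatches(log_text):
    """Sections whose summary count disagrees with the entries actually listed."""
    summary = {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m and m["section"] in SECTIONS:
            summary[m["section"]] = int(m["count"])
    parsed = {s: 0 for s in SECTIONS}
    for d in parse_detections(log_text):
        parsed[d["section"]] += 1
    return {s: (summary.get(s), parsed[s]) for s in SECTIONS if summary.get(s) != parsed[s]}


def masquerading(detections):
    """Unique file paths whose basename is a known Windows binary in the wrong directory."""
    found = set()
    for d in detections:
        if d["section"] not in ("Files Infected", "Memory Processes Infected"):
            continue
        directory, _, name = d["item"].lower().rpartition("\\")
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            found.add(d["item"])
    return sorted(found)


def still_present(detections, exists=os.path.exists):
    """File entries that still exist; run after the reboot with the default callback."""
    return [d["item"] for d in detections
            if d["section"] == "Files Infected" and exists(d["item"])]


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    print(f"{len(dets)} detections, {len(pending_reboot(dets))} pending reboot")
    print("summary mismatches:", count_mismatches(SAMPLE_LOG))
    print("binaries outside their expected directory:", masquerading(SAMPLE_LOG and dets))
```

On the sample log the parser finds 14 detections, eight of them "Delete on reboot" (the seven tdss* files in system32 plus the tdssserv.sys driver), the summary counts agree with the listed entries, and the only masquerading binary is the SVCHOST.EXE under system32\drivers. Running `still_present(parse_detections(open(path).read()))` on the machine after the restart gives the list of files that survived the reboot.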