go.google nightmare pls help. Thanks
Thread Solved
Forgive me for getting a bit confused here, but in your first post here you said:
"I also used Eset"
I thought at that time you meant the Online Scanner. Sorry for my confusion.
I would like you to try to boot the computer into Safe Mode with Networking. To do this, do the following:
Using the F8 Method
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press Enter on your keyboard to boot into Safe Mode with Networking.
This should allow you to go online without unnecessary programs running in the background, hopefully including whatever infection is causing this problem.
When you are in Safe Mode, first try the ESET Online Scanner link again and see if you can access it.
If you can, then do the scan and save the log.
If you cannot access it, then do this please:
Download ComboFix
Click on the Save button and then, when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the ComboFix icon on the desktop.
Reboot the computer to NORMAL mode.
Once you have rebooted you MUST do the following:
* Close all open windows, including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. It is VITAL that you do this or the program may not run correctly.
* Double-click the ComboFix icon on the desktop to run the program.
Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.
Now just sit back and allow the program to run.
Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
When all is complete, then please post back here with that log.
Judy
Last edited by jholland1964; Sep 29th, 2008 at 12:25 am.
Hi,
I went online in safe networking mode. The net still will not let me access ESET. I tried to download ComboFix from Bleeping Computer but it also would not let me go on that site. After a lot of scouting around I eventually found it on someone else's site who had mirrored it?? Anyway, I saved it to the desktop. Rebooted the PC, turned off my virus checker, firewall etc. and then double-clicked on the icon. A prompt came up saying ComboFix had detected rootkit activity and needed to reboot the machine. So it rebooted, I clicked again, same message. This is the final point I have reached...
(what a nightmare!!!)
Thank you for your continued support, much obliged
OK, you are going to need to run Blacklight, which is a rootkit revealer and remover. Just click on the above in blue and hopefully you can download it onto your computer; if not, then see if you can find a way to download it to another computer and bring it to yours. You do NOT need to go to the site itself, this is a stand-alone installer.
Please follow the instructions below, which I have copy/pasted from BleepingComputer's Using Blacklight to detect and remove Rootkits from your computer:
Once you click on the download link you will be presented with a prompt asking what you would like to do with the file. I suggest you save the file directly to your desktop, where we will run it from. Once the file has finished downloading you will see the program icon on your desktop.
To start the program simply double-click on the blbeta.exe icon and you will be presented with the license agreement. Select the option that is labeled I accept the agreement and then press the Next button.
You will now be presented with a new screen with a Scan button on the lower left.
To start scanning your computer for possible rootkits, press the Scan button. Blacklight will now start scanning your computer for any hidden files or processes. As it scans your processes and files it will update its status to reflect what it is scanning and whether it has found any hidden items.
When the scanning is done, the Next button will become available and you should click on it. If Blacklight did not find any hidden items you will see a screen showing that no hidden items were found. You can then press the Exit button to exit the program, as Blacklight did not find any rootkits on your computer. If, on the other hand, Blacklight did find some hidden items, you will be presented with a screen showing a list of the processes and files hidden on your computer.
In the Clean hidden items screen you will see a list of the processes and programs that are hidden on your computer.
In order to tag a particular file or process that you would like to clean, you need to left-click once on an entry with your mouse so that it is highlighted, and then press the Rename button. When you do this, the action will change from None to Rename. Once you set a file to Rename, you can untag it by pressing the None button so that no action is performed on this particular item.
If you would like more information about the entry, you can double-click on it with your mouse. This will bring up a small screen showing you more detailed information about the file or process, such as the location of the file, the description information, and the company information. It is common for the description and company information to be blank, so do not be worried if there is nothing listed there.
It is important to note that rootkits can hide legitimate processes and files. So when selecting the files you would like to rename, please make sure you are only renaming the malware files, as renaming the wrong files can cause problems with your Windows installation.
After you have selected all of the files you would like to rename, you should press the Next button. A warning screen will now show stating that renaming legitimate files can cause Windows not to operate properly. If you would still like to continue renaming the files, put a checkmark in the checkbox labeled I have understood the warning and wish to continue and then press the OK button. You should then press Restart Now, and then the OK button again, to restart your computer and rename the selected files.
When the computer reboots it will rename the files with a .ren extension. Because these files are no longer loaded at startup, they will now become visible so that you can delete them. For example, if we had renamed the files:
klgcptini.dat
fux87.ini
They would now be named:
klgcptini.dat.ren
fux87.ini.ren
As long as these files are confirmed as being malware, you can then delete them from your computer. When Blacklight performs a scan it will create a log file in the same folder that you ran the program from. If you followed the steps in this tutorial, that folder would be your Windows Desktop. The file name of the log file will start with fsbl- followed by the date and some other numbers. An example is fsbl-20060518203951.log.
Once these rootkit files have been deleted, it is advised that you scan your computer with an antivirus and an antispyware software in order to remove any leftover files.
Let us know how things go and post that Blacklight log here when complete.
Judy
Last edited by jholland1964; Sep 29th, 2008 at 10:40 am.
Hi Judy,
Blacklight did not find anything...
Here's the generated report.
09/29/08 15:25:44 [Info]: BlackLight Engine 1.0.70 initialized
09/29/08 15:25:44 [Info]: OS: 5.1 build 2600 (Service Pack 3)
09/29/08 15:25:45 [Note]: 7019 4
09/29/08 15:25:45 [Note]: 7005 0
09/29/08 15:25:54 [Note]: 7006 0
09/29/08 15:25:54 [Note]: 7011 1752
09/29/08 15:25:54 [Note]: 7035 0
09/29/08 15:25:54 [Note]: 7026 0
09/29/08 15:25:54 [Note]: 7026 0
09/29/08 15:25:57 [Note]: FSRAW library version 1.7.1024
09/29/08 15:26:47 [Note]: 7007 0
thanks
Ok thanks. Now this software worked.
19 discrepancies were found... although there was no option to fix these problems. Unsure if it was done by the program or what.
HKU\.DEFAULT\Control Panel\International 28/09/2008 12:48 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 28/09/2008 12:48 0 bytes Security mismatch.
HKU\S-1-5-21-4111454303-2817279294-1250794735-1006\Control Panel\International 28/09/2008 12:48 0 bytes Security mismatch.
HKU\S-1-5-21-4111454303-2817279294-1250794735-1006\Control Panel\International\Geo 28/09/2008 12:48 0 bytes Security mismatch.
HKU\S-1-5-21-4111454303-2817279294-1250794735-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{21FDCA1A-0219-94C5-9C37-490FAC3155B7}* 15/02/2007 00:40 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 28/09/2008 12:48 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 28/09/2008 12:48 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/08/2004 02:23 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/08/2004 02:23 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 15/09/2005 09:13 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData 29/09/2008 11:11 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 29/09/2008 18:27 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys 27/09/2008 18:54 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys 27/09/2008 18:54 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv 29/09/2008 18:33 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\TDSSserv.sys 27/09/2008 18:54 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\TDSSserv.sys 27/09/2008 18:54 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv 29/09/2008 18:27 0 bytes Hidden from Windows API.
C: 01/01/1601 01:00 0 bytes Error mounting volume
(Thanks again for your support Judy!)
Dan
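To show what a defender pulls out of a discrepancy log like the one above, here is an added Python example (not a tool anyone in this thread used): it parses a verbatim subset of Dan's lines, classifies each by the kind of API-versus-raw-hive mismatch the scanner reported, and checks which hidden service has registered itself under SafeBoot\Minimal and SafeBoot\Network, which is what lets the driver load even in Safe Mode with Networking. The category labels and function names are my own.

```python
import re

# Subset of the 19 discrepancy lines Dan posted, verbatim (one line is truncated on the page).
SCAN_LOG = r"""
HKU\.DEFAULT\Control Panel\International 28/09/2008 12:48 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/08/2004 02:23 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 15/09/2005 09:13 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData 29/09/2008 11:11 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 29/09/2008 18:27 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys 27/09/2008 18:54 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys 27/09/2008 18:54 0 bytes
HKLM\SYSTEM\ControlSet001\Services\TDSSserv 29/09/2008 18:33 0 bytes Hidden from Windows API.
C: 01/01/1601 01:00 0 bytes Error mounting volume
""".strip()

# <path> <dd/mm/yyyy hh:mm> <size> bytes [<description>]; the path itself may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d) (?P<size>\d+) bytes ?(?P<desc>.*)$")
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$")
# Description prefix -> category label (labels are this example's own), checked in order.
CATEGORIES = (("Hidden from Windows API", "hidden"), ("Data mismatch", "data_mismatch"),
              ("Key name contains embedded nulls", "embedded_nulls"),
              ("Security mismatch", "security_mismatch"), ("Error mounting volume", "volume_error"))

def classify(desc):
    """Map a description to a category; a missing description becomes 'unspecified'."""
    for prefix, label in CATEGORIES:
        if desc.startswith(prefix):
            return label
    return "unspecified" if not desc.strip() else "other"

def parse_log(text):
    """Parse each scanner line into a dict (path, ts, size, desc, category); skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["category"] = classify(e["desc"])
            entries.append(e)
    return entries

def hidden_services(entries):
    """Service keys the Windows API could not see: the usual footprint of a kernel-mode rootkit."""
    names = {SERVICE_RE.search(e["path"]).group(1) for e in entries
             if e["category"] == "hidden" and SERVICE_RE.search(e["path"])}
    return sorted(names)

def safeboot_persistence(entries):
    """Drivers registered under SafeBoot, keyed by the Safe Mode variants (Minimal/Network) they load in."""
    modes = {}
    for e in entries:
        m = SAFEBOOT_RE.search(e["path"])
        if m:  # the path alone proves registration, even when the description was truncated
            modes.setdefault(m.group(2), set()).add(m.group(1))
    return modes

if __name__ == "__main__":
    found = parse_log(SCAN_LOG)
    print("hidden services:", hidden_services(found))
    for driver, modes in safeboot_persistence(found).items():
        print(f"{driver} is allowed to load in Safe Mode variants: {sorted(modes)}")
```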
Well, I am researching all I can here. I have gone back through your logs posted to see if there were things that I missed. Of course, since I was so concerned that you had not run the requested online scan but a different one, I had not actually "combed" through that log closely enough. One thing I noticed in that CNET SCAN LOG were these entries:
C:\Documents and Settings\Peresh Gela\Desktop\ComboFix\ComboFix.exe » UPX v12_m2 - is OK
C:\Documents and Settings\Peresh Gela\Desktop\ComboFix\ComboFix.exe » RAR » ComboFixT\ntp.exe » AUTOIT » file.bin - archive damaged
This was BEFORE I asked you to download ComboFix. In your original post you said you had run the following programs:
"I have used ccleaner, superantispyware, vundofix, hostxpert and I also used Malwarebytes' Anti-Malware. I saved the log but have used ccleaner again since and loaded up the net to post this message."
Nowhere does it mention ComboFix. When did you run ComboFix before? Was it because of this problem or something else? This isn't a tool which should be used unless specifically directed to do so by a helper. It should never be considered for private use like spybot, malwarebytes', ccleaner, superantispyware. Using this tool incorrectly could adversely impact your system. Plus there was a bug in ComboFix in one of the earlier versions, so I wonder what version that was.
You need to remove ComboFix from the computer; please follow these instructions.
* Click START then RUN
* Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, select "2".
You said you used hostxpert; who told you to use this? It too is a good program but you need to know exactly what you are doing. Which version did you use?
Last edited by jholland1964; Sep 29th, 2008 at 3:57 pm.
Combofix and hostxpert (2007) were both used from before this post was created.
I know I should have made a post but I was anxious to sort this mess out. Apologies.
I have clicked Start then Run and typed in Combofix /u and pressed OK...
"Combofix has detected the presence of rootkit activity and needs to reboot the machine".
Dan