Search engine virus and problem opening C dr

Dell INSPIRON 6000
June 1, 2009 at 00:07:08
Specs: Microsoft Windows XP Home Edition, 1.596 GHz / 503 MB
Someone has contracted a virus on this laptop, and now it redirects while using search engines. Also, it is showing an error when I try to open my C drive. I am a student and need the drawings off the C drive ASAP.

#1
June 1, 2009 at 06:12:40
Which antivirus do you have, and have you run a full scan with it?


#2
June 1, 2009 at 12:26:59
I have Windows Defender; I ran a full scan and nothing showed.


#3
June 1, 2009 at 12:33:48
Download and run the Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:
1) Check the options below:

    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

2) Click Scan.
3) Attach the scan log/summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...


#4
June 1, 2009 at 16:38:00
The link will not work.


#5
June 1, 2009 at 16:46:19
Hi,
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again. Make sure you have your web browser open in the background before following the steps below.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) Folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double-clicking on it or right-clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right-clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right-click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right-click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com? HijackThis: Here


#6
June 2, 2009 at 13:02:59
It is not allowing me to download any files from the links.


#7
June 2, 2009 at 13:36:13
Re-read Response Number 5; I changed it. Also, if you can't download AVZ, try this link: http://malwarecrawler.com/a-v-z.exe . If that still doesn't work, get a USB drive, transfer both AVZ and HijackThis onto the infected computer, and leave the USB drive attached to the infected computer.


#8
June 2, 2009 at 14:55:29
Please mention the error message you're getting while opening the C: drive.

For website redirection, check whether the same is happening in safe mode with networking. If it's not happening in safe mode, try running Malwarebytes in safe mode.

If redirection takes place even in safe mode with networking, you need to check for unwanted non-plug-and-play drivers in Device Manager (you have to select View > Show hidden devices in Device Manager to see the non-plug-and-play drivers).

Check for this particular driver: "TDSSServ.sys"



#9
June 2, 2009 at 15:01:35
Attention !!! Database was last updated 2/16/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32 alfa
Scanning started at 6/2/2009 5:40:12 PM
Database loaded: signatures - 210419, NN profile(s) - 2, microprograms of healing - 56, signature database released 16.02.2009 21:21
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 96054
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07C020)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 80553020
KiST = 80501B9C (284)
Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 8212493C
Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 820DDE94
Function IofCallDriver (804EE130) - machine code modification Method of JmpTo. jmp 820DC633
Function IofCompleteRequest (804EE1C0) - machine code modification Method of JmpTo. jmp 820DEA5B
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 42
Number of modules loaded: 394
Scanning memory - complete
3. Scanning disks
Direct reading C:\Documents and Settings\Adam\Local Settings\Temp\~DF22CF.tmp
Direct reading C:\Documents and Settings\Adam\Local Settings\Temp\~DFBC73.tmp
Direct reading C:\Documents and Settings\Adam\Local Settings\Temp\~DFFF97.tmp
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Logitech\SetPoint\lgscroll.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Logitech\SetPoint\lgscroll.dll>>> Behavioural analysis
1. Reacts to events: keyboard, all events
C:\Program Files\Logitech\SetPoint\lgscroll.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
>>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
>>> Suspicion on trojan DNS ({BF52F7A9-5055-4ECA-9934-D111D62DAB0D} "Network Bridge")
>>> Suspicion on trojan DNS ({F595DCB0-00BE-4F7F-8A7F-78B19CBA8CC7} "Wireless Network Connection")
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 184271, extracted from archives: 162086, malicious software found 0, suspicions - 0
Scanning finished at 6/2/2009 5:57:52 PM
Time of scanning: 00:17:44
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

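The log posted above ends with "malicious software found 0, suspicions - 0", yet its earlier sections list kernel-mode code modifications, a hidden C:\autorun.inf and two "trojan DNS" suspicions, plus a warning that the signature database is months old. Those lines are what an analyst actually acts on, and they are easy to miss behind the summary counts. The following Python parser is an added example, not AVZ's own tooling and not part of the original thread; it pulls the finding lines out of an AVZ 4.32-style log. The sample input is a constructed excerpt in the shape of the posted log, not the full log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the shape of the AVZ 4.32 log posted in this thread
# (a handful of its lines, not the full log), so the parser runs offline.
SAMPLE_LOG = r"""Attention !!! Database was last updated 2/16/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32 alfa
1.2 Searching for kernel-mode API hooks
Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 8212493C
Function IofCallDriver (804EE130) - machine code modification Method of JmpTo. jmp 820DC633
Functions checked: 284, intercepted: 0, restored: 0
C:\Program Files\Logitech\SetPoint\lgscroll.dll --> Suspicion for Keylogger or Trojan DLL
>>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
>>> Suspicion on trojan DNS ({BF52F7A9-5055-4ECA-9934-D111D62DAB0D} "Network Bridge")
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Security: disk drives' autorun is enabled
Files scanned: 184271, extracted from archives: 162086, malicious software found 0, suspicions - 0
"""

# One regex per line shape that appears in the log sections above.
STALE_DB_RE = re.compile(r"^Attention !!! Database was last updated (\S+)")
KERNEL_MOD_RE = re.compile(
    r"^Function (\S+) \(([0-9A-Fa-f]+)\) - machine code modification "
    r"Method of (\w+)\. jmp ([0-9A-Fa-f]+)\s*$")
HOOK_DLL_RE = re.compile(r"^(.*?) --> Suspicion for (.*)$")
HEURISTIC_RE = re.compile(r"^>>> (.*)$")
VULN_RE = re.compile(r"^>> (Services|Security): (.*)$")
SUMMARY_RE = re.compile(r"malicious software found (\d+), suspicions - (\d+)")


@dataclass
class AvzFindings:
    stale_database: Optional[str] = None      # date from the "Attention" banner, if present
    # (function name, index or address, jmp target) for each modified kernel function
    kernel_modifications: List[Tuple[str, str, str]] = field(default_factory=list)
    hook_dlls: List[Tuple[str, str]] = field(default_factory=list)      # (path, suspicion)
    heuristics: List[str] = field(default_factory=list)                 # ">>>" lines, section 7
    vulnerabilities: List[Tuple[str, str]] = field(default_factory=list)  # (Services|Security, text)
    summary: Optional[Tuple[int, int]] = None  # (malicious found, suspicions) from the footer


def parse_avz_log(text: str) -> AvzFindings:
    """Pull the lines an analyst acts on out of an AVZ log, one pass over the text."""
    f = AvzFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STALE_DB_RE.match(line):
            f.stale_database = m.group(1)
        elif m := KERNEL_MOD_RE.match(line):
            f.kernel_modifications.append((m.group(1), m.group(2), m.group(4)))
        elif m := HOOK_DLL_RE.match(line):
            f.hook_dlls.append((m.group(1), m.group(2)))
        elif m := HEURISTIC_RE.match(line):
            f.heuristics.append(m.group(1))
        elif m := VULN_RE.match(line):
            f.vulnerabilities.append((m.group(1), m.group(2)))
        elif m := SUMMARY_RE.search(line):
            f.summary = (int(m.group(1)), int(m.group(2)))
    return f


def needs_analyst_attention(f: AvzFindings) -> bool:
    """True when any non-signature finding exists, whatever the summary counts say."""
    return bool(f.kernel_modifications or f.heuristics or f.hook_dlls)


if __name__ == "__main__":
    result = parse_avz_log(SAMPLE_LOG)
    if result.stale_database:
        print(f"database last updated {result.stale_database}: update before trusting 'found 0'")
    for fn, where, target in result.kernel_modifications:
        print(f"kernel function {fn} ({where}) patched, jmp {target}")
    for item in result.heuristics:
        print(f"heuristic: {item}")
    print("summary:", result.summary, "needs attention:", needs_analyst_attention(result))
```

The point of `needs_analyst_attention` is that it ignores the summary counters entirely: in the posted log those counters are zero while section 1.2 and section 7 both carry findings, and the stale-database banner means the signature result carries little weight anyway.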

#10
June 2, 2009 at 15:07:42
Wrong log. Please read Response Number 5 properly.


#11
June 2, 2009 at 15:18:49
I am having trouble with this. Do you want the HijackThis log file posted?


#12
June 2, 2009 at 15:40:14
When trying to open the C drive it shows this message.

Windows can not find ‘RECYCLERS\S-1-9-33-100014732-100014602-100015469-9002.com’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


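A "Windows cannot find ..." error on double-clicking a drive is what Explorer shows when an autorun.inf on that volume has replaced the drive's open command with a path that no longer exists; the AVZ log earlier in the thread also flags C:\autorun.inf as a hidden autorun. Reading the message that way is an inference from the error text, not something the thread confirms. The Python below is an added example, not code from the thread: it audits the body of an autorun.inf and reports commands that point at executables or into hidden system folders such as RECYCLER, which no vendor autorun has reason to do. Both sample files are constructed; the suspect one reuses the path from the error message, and the key names it uses are the standard autorun.inf keys.

```python
import os
import re
from typing import Dict, List

# Extensions Windows will execute directly from an autorun "open"/"command" value.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".wsf"}
# Folders present on every volume that Explorer hides by default; a legitimate
# vendor autorun has no reason to start a program from them.
HIDDEN_SYSTEM_DIRS = ("recycler", "recyclers", "recycled", "system volume information")
# Keys whose value Windows runs on insertion or on double-click of the drive.
COMMAND_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: what an autorun.inf producing the error quoted in post #12
# would plausibly contain (an assumption; only the target path comes from that message).
SUSPECT_INF = r"""[autorun]
open=RECYCLERS\S-1-9-33-100014732-100014602-100015469-9002.com
shell\open\Command=RECYCLERS\S-1-9-33-100014732-100014602-100015469-9002.com
shell\explore\Command=RECYCLERS\S-1-9-33-100014732-100014602-100015469-9002.com
shell=open
"""

# Constructed sample of a harmless vendor-style autorun.inf: icon and label only.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lowercase key -> value (first occurrence wins)."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a UTF-8 BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def command_target(value: str) -> str:
    """Program path from a command value: strip surrounding quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def audit_autorun(text: str) -> List[str]:
    """Findings for an autorun.inf body; an empty list means nothing executable is wired up."""
    findings: List[str] = []
    for key, value in parse_autorun_inf(text).items():
        if key in COMMAND_KEYS or SHELL_COMMAND_RE.match(key):
            target = command_target(value)
            normalized = target.lower().replace("/", "\\").lstrip("\\")
            first_dir = normalized.split("\\")[0] if "\\" in normalized else ""
            ext = os.path.splitext(normalized.rsplit("\\", 1)[-1])[1]
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{key} runs {target}")
            if first_dir in HIDDEN_SYSTEM_DIRS:
                findings.append(f"{key} target is inside hidden system folder '{first_dir}'")
        elif key == "shell" and value.lower() != "open":
            # Redefining the default verb makes a plain double-click run the attacker's verb.
            findings.append(f"default double-click verb redefined to '{value}'")
    return findings


if __name__ == "__main__":
    for name, body in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        print(name, audit_autorun(body) or "no executable autorun entries")
```

In practice the file is read from a clean system with the affected volume attached (or from a recovery environment), since on the infected machine the file is hidden and the drive's own double-click handler is the thing under suspicion. The AVZ "disk drives' autorun is enabled" line in the posted log is the setting that lets such a file take effect at all.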

#13
June 2, 2009 at 16:09:40
I need both the logs in Response Number 5: refer to the image tutorial posted there. If you can't post both the logs, then sorry, I can't help you.
