Solved Search engine virus

November 3, 2011 at 20:12:53
Specs: Windows XP
Hello, I was wondering if anyone could help me with the virus on my laptop. I started off with a trojan virus and think I managed to clear it using Malwarebytes. But I still get pop-ups and get redirected to other search engines when I click links on Google. When I try to download programs to try and wipe the problem off, it begins to run the scan but then shuts the program down and won't let me open it again. Can someone please help?



#1
November 4, 2011 at 06:01:48
✔ Best Answer
Kevin007,

In order to help identify the malware issue with your system, please do the following:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save it to your Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

XP: Double-click the DDS file to run the program

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - shows on the TaskBar)

Save both reports to your Desktop, and post them in your reply.

However, since these reports can be large, please upload them to Megaupload:
http://www.megaupload.com/

It is very easy to use:
Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.


Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

XP: Double-click the file to run the program

Click: 'Scan'

Upon completion of the scan, click 'Save log' and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
This is a shorter report, and you do not need to upload it.


You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
November 4, 2011 at 07:30:08
Ok thanks. I ran the scans and uploaded the logs to Megaupload, so here are the links:

DDS Log: http://www.megaupload.com/?d=VSZ57ARQ
Attach Log: http://www.megaupload.com/?d=Z1PHGBHO



#3
November 4, 2011 at 09:06:01
Kevin007,

The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\3175483024:1878636866.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip
http://download.bleepingcomputer.co...

Unzip the folder:
Right-click and select: Extract all…
Follow the prompts to extract

Open the new folder that appears on the Desktop:
XP: Double-click DummyCreator (aka: DummyMaker) to run the tool.

Now, copy/paste the following into the blank area:

C:\WINDOWS\3175483024

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!

Note: If the results from DummyCreator look like this...

DummyCreator by Farbar
Ran by Owner (administrator) on 11-10-2011 at 16:30:09
************************************************** ************

C:\WINDOWS\3175483024 [04-11-2011 16:30:10]

== End of log ==

...then, do the following:


Please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Windows XP: Double-click the file

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.


Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the report you wish to upload, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.


~~~~
If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:

http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!! <<--

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...

XP: Right-click on 'ComboFix.exe' to run the program.

When given the option, DO install the Recovery Console.
This program can come in very handy if there is trouble.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of C:\ComboFix.txt in your reply by uploading it to Megaupload, as you did previously.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Need to see the following in your reply:

**The 'TDSSKiller' log - upload
**Whether TDSSKiller needed a reboot <<<<---!!
**The 'ComboFix log' - upload

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals
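
The file named in this post, `C:\WINDOWS\3175483024:1878636866.exe`, uses NTFS alternate data stream syntax (`host:stream`). As an added example, not part of the original post or of any tool it mentions, this Python function scans log text for executable streams attached to a file and marks the all-digit host/stream pairing seen here; the function name and the sample log are constructed for illustration, and only the one path is taken from the post.

```python
import re
from typing import List, NamedTuple

# "<drive>:\<dirs>\<host>:<stream>". Directory names may contain spaces; the
# host file name and the stream name may not (a simplification for log text).
ADS_PATH = re.compile(
    r"(?P<host>[A-Za-z]:\\(?:[^\\:\r\n]+\\)*[^\\:\s]+):(?P<stream>[^\\:\s]+)"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


class Finding(NamedTuple):
    host: str           # file or folder that carries the stream
    stream: str         # name of the alternate data stream
    numeric_pair: bool  # host name and stream stem are both all digits


def find_executable_streams(log_text: str) -> List[Finding]:
    """Return every host:stream path whose stream name looks executable."""
    findings = []
    for line in log_text.splitlines():
        for m in ADS_PATH.finditer(line):
            stream = m.group("stream")
            if not stream.lower().endswith(EXEC_EXT):
                continue  # e.g. Zone.Identifier, a benign stream
            host_name = m.group("host").rsplit("\\", 1)[-1]
            stem = stream.rsplit(".", 1)[0]
            findings.append(Finding(m.group("host"), stream,
                                    host_name.isdigit() and stem.isdigit()))
    return findings


# Constructed sample log; only the second line's path comes from the thread.
SAMPLE_LOG = r"""
2011-11-04 15:10 . C:\WINDOWS\system32\drivers\etc\hosts
Running: C:\WINDOWS\3175483024:1878636866.exe
C:\Documents and Settings\Owner\Desktop\setup.exe:Zone.Identifier
C:\WINDOWS\3175483024 [04-11-2011 16:30:10]
C:\Temp\notes.txt:hidden.dll
"""

if __name__ == "__main__":
    for f in find_executable_streams(SAMPLE_LOG):
        tag = "numeric host/stream pair" if f.numeric_pair else "executable stream"
        print(f"{tag}: {f.host}:{f.stream}")
```

Timestamps such as `16:30:10` do not match because a match must begin with a drive letter followed by `:\`.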



#4
November 5, 2011 at 08:12:08
Ok thank you. DummyCreator did display what you stated, so I ran TDSSKiller, and I have included the results of the other scans below:

TDSSKiller: http://www.megaupload.com/?d=QYOKYU78
It also needed to be rebooted
ComboFix log: http://www.megaupload.com/?d=Q38JCVYJ



#5
November 5, 2011 at 08:30:00
Kevin007,

Looks like the megaupload website is not working today.

Please upload the reports to the following, instead:

http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link' for each report, and provide it in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#6
November 5, 2011 at 09:14:12
Ok it works for me though. But here you go:

Combofixlog: http://uploading.com/files/eb98a793...

TDSSKiller: http://uploading.com/files/33e4e5f1...

And it did need rebooting.



#7
November 5, 2011 at 15:28:49
Uploading.com worked just fine. Megaupload would not let me in to get the reports.

Let's search for any remnants by doing the scan that follows.

You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.

However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Please download the ESET Online Scanner:
http://www.eset.com/us/online-scanner

Press the 'ESET Online Scanner' download button
-In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
-Allow the ActiveX to download, and click: Install
http://www.eset.com/us/online-scann...

Click: Start
-Make sure that the option 'Remove found threats' is unticked/unchecked.
-Click: 'Scan', and wait for the scan to finish
-If any threats are found, click the 'List of found threats', then click 'Export to text file...'
-Save the file to your Desktop as: 'ESET Scan'.

Please provide the contents of 'ESET Scan' in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#8
November 5, 2011 at 18:31:51
It found 4 threats. Here is the link for the log: http://uploading.com/files/ead75573...


#9
November 5, 2011 at 18:41:41
Kevin007,

The ESET scan is showing some Restore Points containing malware. We will take care of those shortly.


In your original post you mentioned the following:

1. Had a trojan virus
2. Getting pop-ups
3. Getting redirected
4. Scans to remove malware shut down

Are you still experiencing any of those problems?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#10
November 5, 2011 at 19:29:11
No, I am experiencing none of these problems now.

How shall I get rid of the malware? Run Malwarebytes again?

