Real bad malware

chrispeters
Need help with this one, guys...
New strain of malware... can't get rid of it.
I've tried everything... ComboFix... HijackThis... absolutely everything!

It's a Google redirector... overclick.cn
It's a bastard... won't go away...

Any tips??
 
Malwarebytes Anti-Malware?

How do you know it's new? Have you got the name of it?

What did the HijackThis report show?
 
Get a copy of this, m8: 'Malwarebytes' Anti-Malware'.
Good programme.
 
As everyone has said, use Malwarebytes and once installed and updated, run a scan in "safe mode".
If you want the full version give me a pm mate.
Good luck.

Here is a link for the free version.
http://www.malwarebytes.org/
 
Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 6.0.6001 Service Pack 1

25/07/2009 10:30:39
mbam-log-2009-07-25 (10-30-39).txt

Scan type: Quick Scan
Objects scanned: 22137
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrtxuqnebp.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\geyekrtxuqnebp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Problem is... these 2 trojans come back EVERY time I reboot!!!

All restore points deleted?.....

I've used a combination of Malwarebytes, HijackThis and ComboFix..... careful if you have to use ComboFix, but it sorted mine out.

Here's a thread I followed; it's a Word doc, so change the extension back to .doc.

Cheers
 
Hi mate... I've tried all them you used... no luck...
And yeah... all my restore points are getting deleted straight away!!
Pissing me off this one... I can normally get rid of them using various proggys!
 
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

25/07/2009 10:59:02
mbam-log-2009-07-25 (10-59-02).txt

Scan type: Quick Scan
Objects scanned: 80892
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looking good... this is after upgrading to the FULL version rather than the free version!! I will test it out!
 
Hi Hoppy...
Yeah, did it in safe mode...

Problem still there... overclick.cn redirector...
Malwarebytes hasn't worked... this is doing my head in... 4 days now!!
 
Damn... I am now getting a popup... Windows Defender

Trojan:Win32/Winwebsec Severe


Not good this...
How can these things get past... NOD32... Malwarebytes... and Windows Defender!! Jesus, waste of time.

This is the site I get redirected to ALL the time... will post HijackThis log...

Is System Restore turned off? It must be off during all these cleans, not just deleting the restore points.

Also, if it's a standalone trojan, the McAfee Stinger: McAfee Threat Center

If System Restore is off and Malwarebytes and the Stinger found nothing, post the HijackThis log; see if anyone can spot anything bad in it to manually remove.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:42, on 25/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.252.19.20:3127
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\TuxBox LogoViewer\MSDXM.OCX
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9a6173c8a1d39) (gupdate1c9a6173c8a1d39) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6363 bytes
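An added example, not from any post in this thread: a small Python pass over the two log formats pasted above that flags the entries a responder would check first. The HKCU ProxyServer value pointing at a public IP (which nobody in the thread comments on) is exactly the kind of setting that sends every browser request somewhere else, a BHO with no file behind it is either leftover or hidden, and a \\?\globalroot path is a device-namespace path rather than a normal drive-letter one, so a DLL only found that way deserves a look. The sample lines are constructed copies of lines from the thread's own logs; the function and variable names are mine.

```python
from ipaddress import ip_address
from typing import List

# Constructed sample lines, copied from the HijackThis log in the thread above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.252.19.20:3127
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
"""
# Constructed sample lines in the shape of the Malwarebytes log in the thread above.
SAMPLE_MBAM = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrtxuqnebp.dll (Trojan.TDSS) -> Delete on reboot.
"""

def is_external_proxy(value: str) -> bool:
    """True when an IE ProxyServer value names a public IP literal.
    Accepts 'host:port' and 'http=host:port;https=host:port'. Hostnames
    are not flagged: a named corporate proxy is normal, a bare public IP is not.
    """
    host = value.split(";")[0].split("=")[-1].split(":")[0].strip()
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback)

def review_hijackthis(text: str) -> List[str]:
    """Flag the HijackThis entries a responder would check first."""
    findings = []
    for line in text.strip().splitlines():
        if line.startswith("R1") and ",ProxyServer =" in line:
            value = line.split("=", 1)[1].strip()
            if value and is_external_proxy(value):
                findings.append(f"proxy points at a public IP: {value}")
        elif line.startswith("O2") and line.rstrip().endswith("(no file)"):
            # Third ' - ' field is the BHO's CLSID.
            findings.append("BHO with no file: " + line.split(" - ")[2])
    return findings

def review_mbam(text: str) -> List[str]:
    """Flag files Malwarebytes could only reach through a globalroot path."""
    findings = []
    for line in text.strip().splitlines():
        if "\\globalroot\\" in line.lower() and "->" in line:
            findings.append("rootkit-style path: " + line.split(" (")[0])
    return findings
```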
 
These redirectors are very hard to get rid of.

There will be a file somewhere that is dropping it back on your system when you reconnect to the internet. Often it hides in your temp files.
Have you run CrapCleaner to remove temp files? If there is more than one profile on the PC you need to run CrapCleaner in each profile, as it only deletes the temp files from the profile you are logged in as.

You seem to be using all the best programs to try and get rid of it.
Keep doing it all in safemode (even take your network cable out whilst doing all this).
Just keep running scan after scan, clean after clean... you may get there in the end.

If you get really annoyed, then just back up your important files and put a fresh install of your OS on....... everyone's PC can do with a spring clean every so often.
 
Most people got rid of it by cleaning their temp internet files and running ComboFix, from what I have read so far.
One guy said he was at it for 6 hours though...
I wouldn't want that on my system tbh...
 
Hoppy... took over an hour to do the online scan... cleaned 1 file...
Still got the overclick.cn redirector...
Starting to really piss me off this now...
Hi Rat... tried Spybot.
I will try the others...
 