
browser redirects after being infected by Total PC Defender 2010

Discussion in 'Virus & Other Malware Removal' started by p_s_92, May 6, 2010.

Thread Status:
Not open for further replies.
    p_s_92 (Thread Starter)
    Joined: May 6, 2010
    Messages: 1
    Yesterday, I was getting popups from Total PC Defender 2010. I updated Malwarebytes (http://www.malwarebytes.org/) and ran it, which caught and deleted the malware. It asked for a reboot, which I did. I ran a full scan after that, which detected nothing else, so I assumed my machine was clean.

    But my browser (Firefox 3.6.3) is getting redirected. It is opening sites like surfing2cash and the Stopzilla spyware remover.

    Ran Spybot Search & Destroy (http://www.safer-networking.org/en/), which detected Fraudreg and removed it.

    Looked at the thread http://forums.techguy.org/virus-other-malware-removal/865402-rootkit-tdss-removal-help-needed.html as I suspect I am infected with the TDSS rootkit. Ran TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip), which claims my atapi.sys is infected with TDSS. It says it will be removed on reboot, but the redirects still persist after rebooting.

    My Malwarebytes log from when I was infected yesterday is below:

    ////////////////////////////////////////////////////////////////////

    Database version: 4070

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/5/2010 6:28:20 PM
    mbam-log-2010-05-05 (18-28-20).txt

    Scan type: Quick scan
    Objects scanned: 141618
    Time elapsed: 9 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Total PC Defender 2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Start Menu\Total PC Defender 2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
    C:\Program Files\SystemDefender2010 (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Start Menu\Total PC Defender 2010\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Desktop\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Total PC Defender 2010.lnk (Rogue.TotalPCDefender2010) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.


    ////////////////////////////////////////////////////////////////////


    The Malwarebytes log which reported a clean machine is below:

    ////////////////////////////////////////////////////////////////////////////////////

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4073

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/6/2010 3:52:10 PM
    mbam-log-2010-05-06 (15-52-10).txt

    Scan type: Quick scan
    Objects scanned: 141140
    Time elapsed: 10 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ////////////////////////////////////////////////////////////////////////////////////
    Ran HijackThis 2.0.2, which did not find anything unusual; its log is below:

    /////////////////////////////////////////////////////////////////////////////////////

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:16:18 PM, on 5/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ASTSRV.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis.exe
    C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\mox5B.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{073811F5-8595-4AEE-9BAF-861FA628DBD2}: NameServer = 168.223.2.3,168.223.3.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{073811F5-8595-4AEE-9BAF-861FA628DBD2}: NameServer = 168.223.2.3,168.223.3.20
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Macromedia JRun Admin Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
    O23 - Service: Macromedia JRun CFusion Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe

    --
    End of file - 7767 bytes

    /////////////////////////////////////////////////////////////////////////////////////

    As per the thread http://forums.techguy.org/virus-other-malware-removal/865402-rootkit-tdss-removal-help-needed.html, I ran DirQuery (http://ad13.geekstogo.com/DirQuery.exe) and typed the following text into that window:
    \Device\Ide\IdePort3

    Then hit Enter. The program generated a file on the desktop called DirQuery.txt. Its contents are:
    Running from: C:\Documents and Settings\Admin\Desktop\DirQuery.exe

    Log file at : C:\Documents and Settings\Admin\Desktop\DirQuery.txt

    The driver that owns the link:

    \Device\Ide\IdePort3

    is located at:

    atapi.sys

    and the device link is:

    \Driver\atapi

    The path to the driver from the registry is:

    system32\drivers\tskA.tmp.


    Tried to use SystemLook (http://jpshortstuff.247fixes.com/SystemLook.exe) as per the post, but it did not work (when I entered ":filefind
    atapi.sys" it froze). I guess it is trying to find other uninfected copies of atapi.sys. There were copies of it at

    C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    C:\WINdows\$NTServicePackUninstall$
    C:\windows\system32\drivers

    I tried to use the Avenger (http://swandog46.geekstogo.com/avenger2/download.php) tool to restore the copy by moving C:\WINDOWS\ServicePackFiles\i386\atapi.sys to C:\win\system32\drivers, and it said in its log that no rootkits were found and the file was moved successfully. But TDSSKiller claims the TDSS rootkit is there and hooked to atapi.sys.

    Ran ComboFix (http://www.combofix.org/download.php) directly as well, not using CFScript.txt; it rebooted the machine, but the redirection persists.

    I looked at the Windows hosts file and it looked fine: "127.0.0.1 localhost". Everything else was commented out and the standard things in a hosts file.

    Ran F-Secure's BlackLight rootkit eliminator (http://www.f-secure.com/en_EMEA/products/technologies/blacklight/), which could not find anything. Ran the rkill (http://www.technibble.com/rkill-repair-tool-of-the-week/) tool also, but that did not fix the issue.

    Ran Trojan Remover (http://www.simplysup.com/tremover/download.html), which also said the machine was clean.

    Do I have TDSS, as TDSSKiller claims, or not, as Malwarebytes did not find anything? Then what could be causing my browser redirects?

    Any advice would be welcome.
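The three indicators the post works through by hand (the atapi service's registry image path pointing at a .tmp file instead of atapi.sys, the spare copies of atapi.sys in ServicePackFiles\i386 and $NTServicePackUninstall$ that a clean system32\drivers\atapi.sys should match byte for byte, and the hosts file carrying only the loopback entry) can be checked in one place. The script below is an added Python example, not part of the original post or of any of the tools named in it; it takes the registry value, the driver file contents and the hosts text as data so it runs offline, and the values in the `__main__` block are constructed stand-ins, not bytes from a real driver.

```python
"""Offline checks for the three signs discussed in the post:
1. the atapi service ImagePath not being system32\drivers\atapi.sys
   (DirQuery reported system32\drivers\tskA.tmp on the infected machine);
2. the live system32\drivers\atapi.sys differing from the reference
   copies Windows keeps in ServicePackFiles\i386 and $NTServicePackUninstall$;
3. active hosts-file lines other than the standard loopback -> localhost entry.
Inputs are passed in as data; nothing here touches the live registry or disk."""
import hashlib

EXPECTED_IMAGE = r"system32\drivers\atapi.sys"


def image_path_is_expected(image_path: str) -> bool:
    """True when the service's ImagePath resolves to the stock driver file."""
    p = image_path.strip().lower().replace("/", "\\")
    # Strip the prefixes the registry may carry before the relative path.
    for prefix in ("\\systemroot\\", "\\??\\c:\\windows\\", "c:\\windows\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p == EXPECTED_IMAGE.lower()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def driver_copies_agree(live: bytes, references: dict) -> dict:
    """Map each reference copy's name to whether it hashes equal to the live file."""
    live_hash = sha256(live)
    return {name: sha256(blob) == live_hash for name, blob in references.items()}


def unexpected_hosts_entries(hosts_text: str) -> list:
    """Return active (non-comment) hosts lines that are not loopback -> localhost."""
    unexpected = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1") and names and all(n.lower() == "localhost" for n in names):
            continue
        unexpected.append(line)
    return unexpected


def audit(image_path: str, live_driver: bytes, reference_drivers: dict, hosts_text: str) -> list:
    """Run all three checks and return one human-readable finding per problem."""
    findings = []
    if not image_path_is_expected(image_path):
        findings.append(f"atapi ImagePath is {image_path!r}, expected {EXPECTED_IMAGE}")
    for name, ok in driver_copies_agree(live_driver, reference_drivers).items():
        if not ok:
            findings.append(f"system32\\drivers\\atapi.sys differs from reference copy {name}")
    for entry in unexpected_hosts_entries(hosts_text):
        findings.append(f"unexpected hosts entry: {entry}")
    return findings


if __name__ == "__main__":
    # Constructed sample data (not real driver bytes): the live driver has been
    # altered relative to the service-pack copy, and the registry path is the
    # .tmp name DirQuery reported in the post.
    GOOD = b"constructed stand-in for a clean atapi.sys image"
    BAD = GOOD + b" plus injected bytes"
    HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n\n127.0.0.1       localhost\n"
    for finding in audit(r"system32\drivers\tskA.tmp", BAD,
                         {r"ServicePackFiles\i386\atapi.sys": GOOD}, HOSTS):
        print("FINDING:", finding)
```

On a real machine the three inputs would come from the `ImagePath` value under the atapi service key, the bytes of the three atapi.sys copies the post lists, and `%SystemRoot%\system32\drivers\etc\hosts`; a hash mismatch between the live driver and the service-pack copy is the simplest confirmation that the driver file itself has been altered, independent of what any one scanner reports.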

Short URL to this thread: https://techguy.org/921499
