
Trojan Rootkit BSOD Google Redirection spyware...

Discussion in 'Virus & Other Malware Removal' started by koolkarts, Apr 16, 2009.

Thread Status:
Not open for further replies.
  1. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    Hi there guys, I'd really appreciate it if you could help me out here.

    My laptop's been badly infected, and I can only boot in safe mode with networking. If I start up normally, as soon as I log in the desktop and icons appear and I get the BSOD with a stop error.

    Basically, I can't log into Vista (32bit) in normal mode without getting a BSOD

    with error message:

    *** STOP: 0X0000008E (0XC0000005, 0X8BDA092D, 0X9AEC2000, 0X00000000)

    I ran Memtest86 on booting, and after 8 passes it came up with no errors, so I'm pretty sure I've got no RAM problem.

    My Firefox and IE browsers keep redirecting to random websites from Google search, and my problem is identical to that of this guy:

    http://forums.techguy.org/malware-removal-hijackthis-logs/807207-trojan-rootkit-agent-dh.html


    I was seeking advice on another forum, but I haven't been able to get far, and I really need my laptop back and working ASAP. I can't back up everything because I don't have an external hard drive, and I need my files for exam revision :( .

    All my other info was posted in this forum here:

    http://help.lockergnome.com/general/BSOD-Vista-related-spyware-virus--ftopict57628.html

    and that's where my HJT log and ComboFix log are.
    If you scroll down right to the bottom of that thread, you'll see that ComboFix identified the files associated with rootkit activity on my laptop, but somehow I can't manage to find them myself.


    ....system32\drivers\ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys

    .....system32\ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll

    .....system32\ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll

    .....system32\ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll

    .....system32\ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat

    ComboFix says that because there is rootkit activity on my PC, it needs to reboot. Once I reboot my computer, I have to run ComboFix again, and the same message displays. I think it's occurring because I'm in safe mode.

    Also, I have a feeling that the first file in that list (the .sys one) is probably the reason behind my blue screen at startup. Do you know how I could locate the files and delete them?


    Any help at all would be greatly appreciated. Many thanks in advance!
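    The five paths quoted above share a filename prefix, which is what ties them together as components of one infection, and the only one of them under system32\drivers is a kernel driver, which is the piece that runs at boot. The following triage helper is an added example written for this page, not part of the original post or of ComboFix. It assumes the elided leading directories are C:\Windows (the post shows only "....system32\..."), and the random-name heuristic is an assumption, not a signature.

```python
"""Triage a ComboFix-style file listing: group components by shared name
prefix and single out the kernel driver.

Added example for this page; not ComboFix's code and not from the thread.
"""
import ntpath
import re

# Constructed from the five paths quoted in the first post.  The drive
# letter and Windows directory are assumptions; the post elides them.
COMBOFIX_PATHS = [
    r"C:\Windows\system32\drivers\ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys",
    r"C:\Windows\system32\ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll",
    r"C:\Windows\system32\ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll",
    r"C:\Windows\system32\ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll",
    r"C:\Windows\system32\ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat",
]

# Heuristic (assumption): legitimate Windows binaries rarely have a
# 28+ character stem made only of lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{28,}$")


def common_prefix(names):
    """Longest common leading substring of all names ('' if none)."""
    if not names:
        return ""
    prefix = names[0]
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def triage(paths, min_prefix=4):
    """Return a dict with the shared stem prefix, the kernel drivers
    (.sys under system32\\drivers), the user-mode components, and the
    basenames that look randomly generated."""
    stems = [ntpath.splitext(ntpath.basename(p))[0] for p in paths]
    prefix = common_prefix(stems)
    if len(prefix) < min_prefix:      # too short to be a meaningful link
        prefix = ""
    result = {"prefix": prefix, "drivers": [], "others": [], "random": []}
    for path, stem in zip(paths, stems):
        ext = ntpath.splitext(path)[1].lower()
        directory = ntpath.dirname(path).lower()
        if ext == ".sys" and directory.endswith(r"system32\drivers"):
            result["drivers"].append(path)
        else:
            result["others"].append(path)
        if RANDOM_NAME.match(stem):
            result["random"].append(ntpath.basename(path))
    return result


def main():
    r = triage(COMBOFIX_PATHS)
    print("shared prefix :", r["prefix"] or "(none)")
    print("kernel driver :", *r["drivers"], sep="\n  ")
    print("user-mode     :", *r["others"], sep="\n  ")
    print("random-looking:", len(r["random"]), "of", len(COMBOFIX_PATHS))


if __name__ == "__main__":
    main()
```

    The prefix is the useful output: once a rootkit driver is active, the live OS cannot be trusted to list these files, so the prefix is what you search for from an offline boot environment (the rescue-disk approach suggested later in the thread) rather than from the infected Windows session.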
     
  2. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    any help guys?
     
  3. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    Please guys, I'm getting desperate now. I can access my comp in normal mode :(
     
  4. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    I ran a panda online active scan and got these results:


    (see attachment)
     


  5. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Sorry for the delay


    Those files are rootkits. Are you still getting the BSOD booting into Normal Mode?
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Also, do you have your VISTA dvd disc?
     
  7. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    Hey, no problem. Yeah, I'm still getting the BSOD on startup in normal mode.

    And I've also got my Vista DVD with me, but it's the one I was given with the laptop by Dell (Vista 32 was preinstalled).
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Nope, that is correct when ComboFix finds a nasty rootkit. It disables it, reboots, and then it should remove it. ComboFix will run fine in Safe Mode. Delete your current copy from your Desktop; I would like you to get a fresh copy.

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review.
     
  9. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    I'm having the same problem as before even after downloading a new combofix.exe from mybleepingcomputer. ComboFix has detected the rootkit and says it needs to reboot, but once I reboot into safe mode and restart ComboFix I get the same problem as before. I restart ComboFix by clicking on it, it again tells me to reboot, and the circle continues...
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Well, you need to let it reboot into normal mode and not stop it from finishing. It needs to run to completion, otherwise the infection will not be removed.
     
  11. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    I can't boot up in normal mode though.... After I've run ComboFix.exe in safe mode, I let my computer restart into Normal mode, but then I get a black screen just before the login screen. My mouse appears and then suddenly the whole screen goes black. I left it for about 30 mins and then decided to restart because nothing was happening. Safe mode still works fine though. I'm really dumbfounded and have got no idea what to do! Any ideas?

    Many thanks for your help so far.
     
  12. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    Oh god, I think this problem is getting bigger everyday....
    I uninstalled ComboFix and downloaded a new fresh copy, and now whenever I run it I get the error:

    "!! ALERT it is not safe to continue!

    The contents of this combofix package have been compromised
    Please download a fresh copy from:

    http://www.mybleepingcomputer.com/combofix/how-to-use-combofix"

    I've downloaded many new copies and nothing is working!!
    Any ideas?
     
  13. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    I did some further research and talked to a few security experts. Looks like you are infected with a nasty file infection called Virut. Unfortunately there is no way to fix this without trashing your system. I recommend re-installing Vista. Sorry I couldn't have any better news.
     
  14. koolkarts

    koolkarts Thread Starter

    Joined:
    Apr 16, 2009
    Messages:
    9
    Damn, that sucks. OK, I'll do a reinstall of Vista; my only problem though is that I'm not sure how to go about it. There's some data I want to back up, but I don't want to copy it to my USB hard drive if my laptop ends up infecting the hard drive. How should I make sure that my hard drive does not get infected? Also, I have a recovery partition currently on my hard drive; apparently that can reinfect the main C drive if I reinstall Vista. Should I just restore to factory settings with the Dell option on my laptop, so it ends up just being as good as new, or should I reinstall Vista myself?
     
  15. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    We can do a boot scan with kaspersky.

    We can try and clean it up with Kaspersky Rescue Disk, but access to another computer is required.

    On a clean computer, download Kaspersky Rescue Disk

    Burn the Kaspersky Rescue Disk ISO image to a CD using CD/DVD burning software and ensure it's a CD image. The following ISO Recorder can do this too.

    Here is a great tutorial on burning an ISO image.

    Setting your BIOS to boot from a CD may be required, go here for instructions.

    Once Kaspersky Rescue Disk is burned successfully, reboot your computer, press any key to boot from CD and the following will appear.

    [IMG]

    Hit Enter to start booting from Kaspersky Rescue Disk.

    Please pick your appropriate language and hit Enter

    Kaspersky AntiVirus 2009 will appear, do not start a scan yet!!!!


    [IMG]

    • Click the Update tab, then on the Update now button.
    • When the update is complete, click on the Settings button.
    • Under Scan, set Security level to High and On Detection to Disinfection.
    • Under Threats and exclusions, click the Settings tab, and ensure everything is checked.
    • Click Apply then OK to return to the program.
    • Click the Scan tab.
    • The scan can take a long time, so please be patient and allow it to run to completion.
    • When the scan has completed, click the Reports button.
    • Save the report to your C: drive as KAV2008.txt.
    • Now reboot your computer and remove the CD and log into Windows.
    • Navigate to your C:\ drive, and post the KAV2009.txt as an attachment in your next reply.
    • Any questions please post and i will reply as soon as possible. Thanks
     

Short URL to this thread: https://techguy.org/819154
