system
January 22, 2010, 4:05am
1
Hello all,
Earlier today, avast, in addition to malewarebytes, picked up a few viruses on my machine and removed them.
Now, I’ve started to notice firefox, in addition to opera, are redirecting me to random sites when I try searching for things on google. If I click on search results, I am redirected to sites like “http://freecaselaw.com/search.php ” or “http://guitarclassifieds.com/search.php ” or “http://palmgamepad.com/search.php ”, all usually ending with search.php.
I looked at my startup entries via msconfig and found multiple entries of “sysdiagol.exe” located C:/windows/sysdiagol.exe in addition to registry entries. However, I checked in my windows folder and was not able to find it. I did a scan of my Windows folder with Avast(up to date definitions), and it found nothing.
This must be brand new as well, because a google search of “sysdiagol” brings up only 2 results. I discovered the program Prevx, which finds the file, but won’t remove it unless I pay. It also tells me it’s located in C:/windows/sysdiagol.exe.
They have information on their webpage regarding this virus, which can be found here: http://www.prevx.com/filenames/463796697114165589-X1/SYSDIAGOL.EXE.html
I’ve just scanned with Spybot, and it doesn’t find anything besides a windows firewall override, which I’m assuming sysdiagol did.
Does anyone have any ideas or suggestions in regards to removing this?
Are you able to disable sysdiagol.exe via msconfig?
Please post a HijackThis! log
These two free scanners are also worth a try:
SUPERAntiSpyware Free a-Squared Free
system
January 23, 2010, 2:33am
3
I have it unchecked as a startup program, but that isnt doing anything because it continuous to function. I’ve scanned with SUPERantispyware which only found some tracking cookies. I also tried scanning with spybot as well as malwarebytes, and neither found anything. This “sysdiagol.exe” is so well hidden, nothing is picking it up. It’s considered “cloaked malware” by that prevx site, so I’m assuming it’s some type of rootkit.
I scanned with hijackthis, here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=54896 http://go.microsoft.com/fwlink/?LinkId=69157 Gecko/20090824_Firefox/3.5.3 (.NET_CLR_3.5.30729)” -“http://www.regentsprep.org/Regents/physics/phys01/friction/default.htm ”@xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exehttp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199398582203 http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab http://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
–
Anything stick out in the log?
The only solution I can think of right now is reformatting, which I really don’t have time to do. Do you think I have any alternatives?
This seems to be a backdoor (identification again by PrevX):
O23 - Service: UG - Unknown owner - T:\User\TMP\UG.exe (file missing)
I agree it’s probably a rootkit: the best way to deal with hidden malware is from outside the operating system.
You could boot from a Linux Live CD, eg Ubuntu, and search for and delete the files from Linux- they will not be active and cannot hide themselves.
https://help.ubuntu.com/community/LiveCD
Alternatively, run a rescue CD (many of these are also Linux plus a virus scanner).
avast! doesn’t do one, but there are several to choose from.
Rescue CD’s. Download and burn the ISO disk image on an uninfected computer. Boot the infected computer from the disk and run a virus scan (after updating virus definitions if this option is present).
Programs like Nero and Roxio can burn ISO images- you may have one of these on your computer. If not, there are free programs that will do it:
http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm
Dr.Web LiveCD Kaspersky Rescue Disk AntiVir Rescue CD Bitdefender Rescue CD F-Secure Rescue CD
system
January 23, 2010, 8:22am
5
Thanks a lot for the resources. I’m trying my luck with the bitdefender rescue disk. I was able to locate the “sysdiagol.exe” file in my windows folder, however when I scan it with bitdefender it tells me it doesn’t detect anything. Should I manually delete the file? I believe it has created multiples of itself in different locations and if the scanner is not picking them up there is no way for me to tell if I’ve found everything.
It’s certainly not a system file and the evidence seems overwhelming that it’s malware. If you want to play it extra safe, you could rename it.
I don’t know if BitDefender has a search facility.
Have a look round and rename any examples you find.
Do the same for T:\User\TMP\UG.exe
Reboot and see if you still get the redirects.
Also, when you reboot, could you submit the renamed sysdiagol.exe to VirusTotal ?
That way, all AV’s will be able to add detection.
system
January 25, 2010, 6:27am
7
Well, I removed the files but the problem persists, however, I was able to locate a few additional trojans on my drive using avast today. I then tried a malwarebytes scan and avast picked something up through that scan, it found a download ft trojan. I tried quarantining it but avast was unable because it was being used by another process. What is interesting is the file path is “C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M3WD4490\go[1].php”. When I get redirected in my browser, the sites are xxxxxx.php. I went to look for the file in the Local Settings folder, but there was no Temporary Internet Files folder, not even a hidden one. So I used knoppix and went in and deleted the entire Content.IE5 folder hoping to completely remove the file, however the problem still persists!!!
My thoughts are whatever is in my system has dug itself deep into my registry and nothing is finding it. I’m not really sure what other options I have besides reformatting.
Were you able to send a sample to VirusTotal?
There is obviously something we’re missing.
You could try a scan with Clam in Knoppix:
http://syntheticlibrarian.com/2005/09/22/using-knoppix-and-clam-anti-virus-to-scan-infected-pcs
I suspect it’s possible to install avast! in Knoppix too, but I can’t find my copy of Knoppix to check that.
Update MalwareBytes, avast!, SusperAntiSpyware and scan again- also try a-Squared mentioned below because it has a very good detection rate.
If non of that works, post an OTL log:
http://forum.avast.com/index.php?topic=53253.0
system
January 28, 2010, 5:14pm
9
good day everyone.I have a friend who proposed me to download AVG Free 9.0.all over.i said i hope because im not the best man existing about pcs.so if anyone try my advise ,i am looking forward in helping me fyrther!
good day everyone.I have a friend who proposed me to download AVG Free 9.0.all over.i said i hope because im not the best man existing about pcs.so if anyone try my advise ,i am looking forward in helping me fyrther!
Please start your own topic, where I’m sure someone will help (even though this is the avast! forum, not AVG’s.
system
February 15, 2010, 7:25pm
11
I was able to get rid of the virus in case some one want to know…
It took some time to figure it out.
Regards!
)