Rootkit, Google redirects & 'Malicious URL Blocked' popups

Hello, my friend brought over her laptop the other day and said she had gotten a popup that told her the laptop was infected and that if she wanted her files back to pay up. All her files had disappeared and the start menu was cleared too. I see I should have come to the forum first but I had never encountered something that avast, spybot, and malwarebytes couldn’t clean easily. But here is what I did:

  1. She had an old version of AVG so I updated it and ran it. It removed a few things and I regret not documenting them. Still couldn’t see her files, so I removed AVG and downloaded Avast and ran a boot-time scan, which found a rootkit. I also ran Spybot after booting with their LiveCD, which found a few tracking things. Still no files, so I did some searching around and found them hidden, so I just gave her user account the right to view hidden files. Thought everything was good, but she would still get redirects, mainly from using Google search, and the Malicious URL Blocked popups from Avast.

  2. At this point I checked out the forums here and saw everything I should have done. So I have included the logs that I could. I didn’t run RogueKiller yet since her files were found and I have unfortunately already run CCleaner. Would it be a good idea to run it anyway?

  3. aswMBR.exe would not completely run: after clicking it and clicking ‘Yes’ to allow it to make changes to the computer, nothing happens. The same thing also happens when I try to run TDSSKiller.

  4. When attaching the OTL logs I noticed that I ran it from the downloads folder instead of the desktop. Should I move it to the desktop and rerun it?

And if you read all that and still can help…Thank you!

  1. Yes, please.

OTL should produce a log called otl.txt, which is different from extras.txt

Hi, Donovan. Here is the OTL log after rerunning it from the desktop.

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKU\S-1-5-21-709645991-3529713624-2870677509-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-709645991-3529713624-2870677509-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-709645991-3529713624-2870677509-1000\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
[2012/06/30 09:48:03 | 000,000,000 | ---D | C] -- C:\Users\KAYLEE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*] Then click the Run Fix button at the top
[*] Let the program run unhindered, reboot the PC when it is done
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here are the 3 RK logs. I closed everything except Chrome (unintentionally) when I ran it so I hope that didn’t cause any issues. I reran RK just in case and it didn’t find anything. The 4th log is from that run.

And I’ll post the OTL fix logs after I run it.

Here is the OTL log from the quickscan.

As it is midnight where Essexboy lives, you will have to wait a while before he is back on.

Sleeping is a good idea. :wink:

Ok, thanks for the heads up, Donovan! :slight_smile:

And thanks to you too, Essexboy! If you read this tomorrow, the steps so far have restored the desktop and other stuff. The redirects are still there, and the ‘Malicious…’ popups. Something that I didn’t mention originally is that the laptop plays 5-10 sec of audio (sounds like it’s from the internet) from time to time, but I don’t notice a browser or audio program running when it happens.

OK, I have located the problem: it is an additional partition on your drive that it is running from.

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 137577 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312579760 | Size: 0 Mo

So we will now work outside of Windows to kill that.

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is <1 MB.

Right-click this partition and select Delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The Partition has gone

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then Close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.
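What makes entry 3 in the listing above stand out is the combination of flags: the active (bootable) flag sits on a partition of a hidden type (0x17) whose size rounds to 0 MB, at the far end of the disk. As an added example, not code from the thread, from RogueKiller or from GParted, the following Python builds a 512-byte MBR whose partition table mirrors that listing, parses it the way any partition tool does, and applies those checks. It then shows, at the byte level, what the two GParted steps above do to the table: delete zeroes the 16-byte entry, and the boot flag moves the 0x80 marker to the OS partition. Sector counts are derived from the MB sizes in the listing (1 MB = 2048 sectors); the hidden entry's 1024 sectors is an assumption, since the listing only says its size rounds to 0 MB, and the CHS fields are filler.

```python
import struct

SECTOR = 512
MB = 1024 * 1024
TABLE_OFF = 446            # partition table follows the 446 bytes of boot code
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x17}      # 0x17 = hidden NTFS/HPFS, the type of entry 3 in the listing
TYPE_NAMES = {0xDE: "DELL-UTIL", 0x07: "NTFS", 0x17: "NTFS (hidden)"}


def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte table entry; CHS fields get the 'beyond CHS range' filler."""
    chs = b"\xfe\xff\xff"
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, chs, ptype, chs, lba_start, sectors)


def build_mbr(entries):
    """Boot code (zeroed in this constructed sample), four entries, 0x55AA signature."""
    table = b"".join(entries).ljust(64, b"\x00")
    return b"\x00" * TABLE_OFF + table + b"\x55\xaa"


# Constructed to mirror the RogueKiller listing in the post above. The hidden
# entry's 1024 sectors (512 KB) is an assumption: the listing only gives 0 MB.
SAMPLE_MBR = build_mbr([
    build_entry(False, 0xDE, 63,        39 * 2048),      # 0: DELL-UTIL
    build_entry(False, 0x07, 81920,     15000 * 2048),   # 1: NTFS
    build_entry(False, 0x07, 30801920,  137577 * 2048),  # 2: NTFS, the OS partition
    build_entry(True,  0x17, 312579760, 1024),           # 3: hidden type, ACTIVE, ~0 MB
])


def parse_mbr(mbr):
    """Return the non-empty primary table entries as dicts."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "start": start,
                      "sectors": count, "size_mb": count * SECTOR // MB})
    return parts


def active_index(parts):
    """Index of the single active entry, or None if there is none or more than one."""
    act = [p["index"] for p in parts if p["active"]]
    return act[0] if len(act) == 1 else None


def suspicious_partitions(parts):
    """(index, reasons) for entries showing the pattern flagged in the thread."""
    findings = []
    for p in parts:
        reasons = []
        if p["active"] and p["hidden"]:
            reasons.append("active entry has a hidden partition type")
        if p["size_mb"] == 0:
            reasons.append("size rounds to 0 MB, too small to hold an OS")
        if reasons:
            findings.append((p["index"], reasons))
    return findings


def remove_entry(mbr, index):
    """Zero one slot: the table-level effect of GParted's delete."""
    off = TABLE_OFF + 16 * index
    return mbr[:off] + b"\x00" * 16 + mbr[off + 16:]


def set_active(mbr, index):
    """Put the 0x80 flag on one slot only (GParted's 'boot' flag on an msdos label)."""
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFF + 16 * i] = 0x80 if i == index else 0x00
    return bytes(out)


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"{p['index']} - {'[ACTIVE]' if p['active'] else '[      ]'} "
              f"{TYPE_NAMES.get(p['type'], 'type 0x%02x' % p['type'])} "
              f"{'[HIDDEN!]' if p['hidden'] else '[VISIBLE]'} "
              f"offset {p['start']} size {p['size_mb']} MB")
    for idx, reasons in suspicious_partitions(parts):
        print(f"entry {idx}: " + "; ".join(reasons))
    fixed = set_active(remove_entry(SAMPLE_MBR, 3), 2)
    print("after fix, active entry:", active_index(parse_mbr(fixed)))
```

The same parse_mbr works on the first sector read from a real disk (\\.\PhysicalDrive0 from an elevated prompt on Windows, /dev/sda on the GParted CD). One caveat a practitioner should keep in mind: a running bootkit can filter reads of sector 0 and hand back a clean-looking table, so a listing taken from inside the infected Windows is not trustworthy. That is why the thread does the deletion from the boot CD and treats a later clean run of aswMBR as the acid test.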

Awesome thanks for finding the problem and the fix! I ran everything and the boot flag indeed wasn’t next to the OS partition so I had to reflag it. The CD automatically ejected so I removed it from the drive and on the reboot got this message:

BOOTMGR is missing
Press Ctrl+Alt+Del to restart

Should I reboot with the gparted CD?

Yes, use Gparted and ensure that the flag is next to the OS.

If you still get the boot error then select safe mode
Select Command prompt
Type in the following command

bootrec /fixboot

I confirmed that the boot flag is there for the OS. I can’t get to a menu that lets me pick safe mode, should I boot with a win7 CD?

Yes, use the Windows 7 CD.

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt, type the following commands, pressing Enter after each:

Bootrec.exe /FixMbr
Bootrec.exe /Fixboot

[*] Once finished, type Exit

The repair option doesn’t show up, it just wants to load Windows 7. I went back to gparted to check the OS partition and it says it is a 134.35 GB partition with 78.07 GB being used, so Windows 7 still seems to be on there.

And that partition is set to boot

And there is no repair option showing when you boot from the windows 7 cd …

Could you try to access Safe mode as this does not really make sense … Is the windows CD a retail version or is it a Computer manufacturers disc ?

I have a windows 7 home premium OEM version bought off Ebay, but it turns out I just wasn’t clicking ‘Next’ to get to the Repair option >:( Sorry about that essex!

I was able to get to a command prompt and run the two bootrec commands and each said it was successful. However, I still get the ‘BootMGR is missing’ message as soon as it attempts to boot from the harddrive.

OK, next, from the CD could you run the Startup Repair.

YEAH BABY!!! It boots up fine now! Should I check to see if the google redirects are gone now or is there anything else I should do first?

Could you run aswMBR first and let me know if it runs… That is the acid test

Then let me know if there are any problems remaining

aswMBR seemed to run just fine. Here is the log file from that (do you also want the DAT file from it?)…also, no sign of redirects or blocked URL popups from avast!