Win32:Malware-gen, Google search results redirect

Hi,

I have an infection that results in my Google search results redirecting to a spam/exploit page. >:( Avast boot scan finds Win32:Malware-gen in C:\windows\assembly\GAC_32\Desktop.ini but cannot remove the infection. >:( >:(

I followed the instructions here http://forum.avast.com/index.php?topic=53253.0 and the various logs are attached. Oddly, it seems like these other tools do not find the same infection as the boot scan, but do find other infections.

Any help appreciated.

Thanks,
Blake

Yes, you are infected, according to the aswMBR log:
C:\WINDOWS\system32\drivers\ipsec.sys INFECTED Win32:Sirefef-F [Drp]
C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\U\800000cb.@ INFECTED Win32:Sirefef-AO [Rtk]
Google redirects are caused by this Rootkit/Bootkit. If my memory serves me correctly, Sirefef is also known as Whistler-Black internet.
Essexbot will help you.
Have a nice day.

OK, let's get to work… I will remove what I can safely delete, then get a dedicated tool for the rest.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O20 - HKU\S-1-5-21-3477547963-1579938710-1893990287-1003 Winlogon: Shell - (C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\X) -C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\X ()
[2011/11/29 18:35:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks, also allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the Combofix log in your next reply, as well as a description of how your computer is running now.

Thank you! I will post back with the results and logfiles.

So between the time I generated the log files posted earlier and the time I went to follow your instructions, I shut down the machine. When I booted back up to follow the new steps, I was not able to get an IP address, and in fact the ipconfig command gave me an error message. I downloaded combofix on another machine and burned a disc to install it on the infected machine.

I ran OTL and Combofix and saved the respective logfiles. However, I don’t have a good way to get those logfiles onto the forum. I do not feel safe copying the files to a CD or flash drive and posting them using another computer. Maybe it’s not a big deal, but I do not want to spread the infection to another machine.

The combofix did detect a rootkit in the TCP/IP stack. I do not have recovery console installed on that machine, and because I do not have an internet connection, or a Windows XP installation disc, I cannot install it. Maybe that’s why the TCP/IP is still not working.

Please tell me there is something else I can do besides wiping and starting over.

Copying to a USB should be OK if you vaccinate the USB first (using the host, i.e. the working computer): http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

But a trick that may work to repair the internet is to download SP3 to a CD/USB and then re-install that on the sick computer.

Does the OP have SP3 currently installed? As far as I am aware, you can’t install SPx over SPx where x is the same version.

You have to uninstall SP3 if it is installed, and then reinstall SP3 and reapply all WIN updates: http://www.ehow.com/how_5172014_reinstall-sp.html.

The whole process is not without peril, however, especially with XP SP3, which many people had problems installing.

SP3 can be overinstalled. The trick to installing SP3 at any time is to install it in Safe Mode so security programs don’t interfere. AVs, btw, are the biggest cause of SP3 install failures.

Each to their own. However, I would never install a Microsoft OS update in safe mode.

AVs, btw, are the biggest cause of SP3 install failures.
I would say OEM hardware; especially HP! ::)

Attempted to reinstall SP3 in regular boot mode. Did not re-enable tcp/ip. Tried again in safe mode. Did not re-enable tcp/ip. So I downloaded the USB vaccine and copied the log files over that way.

The attached log files are from the OTL fix and the Combofix.

I have no TCP/IP available on the machine. Also, Windows Firewall is turned off and will not re-enable. Also, Avast Webshield will not turn on. All other shields will. I have the wireless antenna turned off and no hard-wire ethernet connected to prevent funny business.

Please let me know what I can do next. It seems like I need to be able to download and install recovery console so that combofix can remove the rootkit.

@DonZ63

It’s not that well documented, but right from the horse’s mouth:

One of the most common causes of installation failure is when a third-party program, such as an antivirus program, holds a file open or locks a file that the service-pack installer needs.
http://support.microsoft.com/kb/950717 http://support.microsoft.com/kb/949377

OK, let's get busy. I will run all my search and test scans in one go…

Open Services…
Start > Run > Type: services.msc > Click OK
Scroll down to and double click DNS Client
Set to Automatic under Startup type
Click the Apply button
Click the Start button
When it starts click OK

Repeat for DHCP Client.
And repeat for Remote Procedure Call (RPC).

When done, close Services.

Try the connection again

FAILURE

OK, run OTL and run the following script, as I need to check the dependency files.

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
afd.*
tcpip.*
netbt.*
netbios.*
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

FURTHER DATA

Please copy all in the below quote box:

@echo off
echo Please post back the %SystemDrive%\MyNICDetails.txt on your next reply
echo.
echo CheckMyNIC by AdvancedSetup >%SystemDrive%\MyNICDetails.txt
echo ... >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc RPCSS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex RPCSS >>%SystemDrive%\MyNICDetails.txt
pause
Save in Notepad as "MyNICDetails.bat" with the quote marks. Save as type All Files to Desktop. Once saved transfer to the infected computer's Desktop. Click the file and post back the text file it produces please.

The text file will be located here: C:\MyNICDetails.txt
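One way to read the MyNICDetails.txt that the batch file produces, as an added example and not the thread's own tooling: it merges each service's sc qc and sc queryex blocks, follows DEPENDENCIES (including the indented continuation lines sc prints for a second or third dependency), and reports which service in the chain is disabled, stopped or missing. The sample output below is constructed and abridged; the service names and the tcpip-on-IPSec dependency match the batch file above.

```python
import re

# Added example, not from the thread: parse the MyNICDetails.txt written by the CheckMyNIC
# batch file (sc qc / sc queryex output, abridged here) and explain why the stack is down.
SAMPLE = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TCPIP
        START_TYPE         : 1   SYSTEM_START
        DEPENDENCIES       : IPSec
SERVICE_NAME: TCPIP
        STATE              : 1  STOPPED
SERVICE_NAME: IPSEC
        START_TYPE         : 4   DISABLED
        DEPENDENCIES       :
SERVICE_NAME: IPSEC
        STATE              : 1  STOPPED
"""
# One "KEY : value" line of sc output; a bare "  : name" line continues DEPENDENCIES.
FIELD = re.compile(r"^[ \t]*([A-Z0-9_]*)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def parse_nic_details(text):
    """Merge each service's sc qc and sc queryex blocks into one dict of fields."""
    services = {}
    for block in re.split(r"^SERVICE_NAME: *", text, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        entry = services.setdefault(name.strip().lower(), {"DEPENDENCIES": []})
        last = None
        for key, value in FIELD.findall(body):
            key = key or last                 # continuation line of the previous key
            if key == "DEPENDENCIES":
                entry["DEPENDENCIES"] += [value.lower()] if value else []
            elif key:
                entry[key] = value
            last = key
    return services

def diagnose(services, chain=("tcpip", "ipsec", "afd")):
    """Report each stack service that is missing, disabled or not running."""
    findings = []
    for name in chain:
        entry = services.get(name)
        if entry is None:
            findings.append((name, "absent from output"))
        elif "DISABLED" in entry.get("START_TYPE", ""):
            findings.append((name, "start type DISABLED"))
        elif "RUNNING" not in entry.get("STATE", ""):   # no STATE block counts as down
            down = [d for d in entry["DEPENDENCIES"]
                    if "RUNNING" not in services.get(d, {}).get("STATE", "")]
            findings.append((name, "not running" + (", dependency down: " + ", ".join(down) if down else "")))
    return findings
```

Run it as `diagnose(parse_nic_details(open(r"C:\MyNICDetails.txt").read()))` on a real file; a disabled or stopped driver that other services depend on (here IPSec under tcpip) is the first thing to repair.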

One of the most common causes of installation failure is when a third-party program, such as an antivirus program, holds a file open or locks a file that the service-pack installer needs. http://support.microsoft.com/kb/950717 http://support.microsoft.com/kb/949377

I agree with this. But I go one step further and uninstall any AV with extensive registry and file protections, such as Norton NIS/AV. Since Avast injects .dlls into OS services, it appears it falls in this category. Never had a problem with an XP SP3 upgrade with AV uninstalled.

Win 7, on the other hand, appears to be more forgiving, but I still uninstall any primary AV to play it safe.

Thank you for sticking with this Essexboy. I really appreciate the help.

OK, starting DHCP did not work due to unstarted dependencies. So I followed the instructions to run OTL again and ran the bat file. Please see attachments.

Thank you.

Well, the files are in the right place; let's now check the registry.

[*]Run OTL.
[*]Select All Users
[*]Under the Custom Scan box paste this in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tcpip /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open a notepad window.
[*]Post the log

Please see attachment

Could you download and run the MSFixit from here please http://support.microsoft.com/kb/299357

This will reset the TCPIP parameters, as all the registry entries are good and the files are present.

Can I just run the command from the KB article?

netsh int ip reset c:\resetlog.txt

Also, do you need to see the logfile afterwards?

Yes, you can do that.

TCP/IP still not working. See resetlog.txt.

Here is the exact error I get.

Windows IP Configuration
An Internal error occured: The request is not supported.
Please contact Microsoft Product Support Services for further help.

However, I did manage to get recovery console installed without TCP/IP working by following some instructions on the Combofix user guide page. Combofix ran afterwards and I have attached the log from that.