Help! Virus redirects google and disabled MBAM

James A · November 17, 2010

Hi there, am hoping someone can help me resolve this ongoing issue.

Running Windows Vista. For a while now when I google or bing search in Chrome and Firefox, clicking a searched link will often redirect to a random ad or search site. Often when this happens, the next time i reboot my computer I'll notice fake Antivirus and Security programs popping up doing fake scans. Have used MBAM countless times to remove, but it seems that whenever I get redirected from search that it's downloading more malware.

Latest issue is that I can't access MBAM. When I reinstall it will start scanning, suddenly close, and then I will get an error message when I try to access it.

Just ran ESET, it removed some malware but couldn't remove:

C:\Windows\explorer.exe Win32/Bamital.EQ trojan unable to clean

C:\Windows\System32\wininit.exe Win32/Bamital.EQ trojan unable to clean

Any help would be greatly appreciated!

-James

Elise · November 18, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Push the Quick Scan button.
[*]Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.

extract RKUnhooker to your desktop
- Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
  you can get a free one from here -
http://www.7-zip.org/

Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
A new OTL log (don't forget extra.txt)
RKU log

Thanks and again sorry for the delay.

James A · November 18, 2010

Hi there, thanks for helping me!

Downloaded OTL, opened it, ran the scan, then the program shut down just like MBAM has been doing. When I try to reopen it gives an error message that "Windows cannot access...You don't have permission" or something to that effect.

And it gets worse, I did the rootkit scan, and after the scan completed I got a blue screen with white text saying something about File dumping at the bottom, then my computer restarted.

Am paranoid to try either scan again... ; \ Now I rebooted in safe mode and still cannot access OTL.

James A · November 18, 2010

Hi there, thanks for helping me!

Downloaded OTL, opened it, ran the scan, then the program shut down just like MBAM has been doing. When I try to reopen it gives an error message that "Windows cannot access...You don't have permission" or something to that effect.

And it gets worse, I did the rootkit scan, and after the scan completed I got a blue screen with white text saying something about File dumping at the bottom, then my computer restarted.

Am paranoid to try either scan again... ; \ Now I rebooted in safe mode and still cannot access OTL.

Elise · November 18, 2010

No problem, RKU can easily cause a BSOD, that is nothing to worry about.

Please see if you can run the following. Its quite possible that TDSSkiller will not be able to do the trick. This is no problem, don't force a delete of the files, but see if you can get the log.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

James A · November 18, 2010

Ran TDSSKiller scan. Came up with suspicious object

Service name: vbma92a1

Service type: Kernel Driver (0x1)

Service start: Demand (0x3)

File: C:\Windows\system32\drivers\vbma92a1.sys

I copied it to quarantine, is that okay? Other than that came up no infections found.

Elise · November 18, 2010

Perfect, we now know what we are dealing with.

Can you please runt he scan again and let me know if it is gone now or if it still comes back? If its not come back, we can start working restoring the permissions so we can get some tools running.

James A · November 18, 2010

Rescanned, and after moving to quarantine it is still coming up.

Elise · November 18, 2010

Yes, I was afraid of this, so we'll have to do it manually.

Do you have a Vista DVD at hand or is the Repair Windows option available when tapping F8 on startup?

James A · November 18, 2010

Good news Elise.

Selected the delete option instead, and TDSSkiller said it would delete on reboot.

Rebooted, and now scan is coming up clean =)

Elise · November 18, 2010

Awesome. Time to have a look at what permissions need to be fixed.

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

James A · November 18, 2010

Junction v1.06 - Windows junction creator and reparse point viewer

Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION

Print Name : C:\Users

Substitute Name: C:\Users

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\censored YOU VIRUS\mbam.exe: Access is denied.

...

..

Failed to open \\?\c:\\Malwarebytes\mbam.exe: Access is denied.

.

...

...\\?\c:\\ProgramData\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

...

\\?\c:\\ProgramData\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

...

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f121961696a3a24dc4d31720aa547d42_0ff0d1fd-2b43-494f-92d9-2be5632f0118: Access is denied.

...

\\?\c:\\Users\All Users: SYMBOLIC LINK

Print Name : C:\ProgramData

Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION

Print Name : C:\Users\Default

Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

...

.\\?\c:\\Users\All Users\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\f121961696a3a24dc4d31720aa547d42_0ff0d1fd-2b43-494f-92d9-2be5632f0118: Access is denied.

...

.\\?\c:\\Users\Default\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming

Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION

Print Name : C:\Users\Default\Documents

Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

.\\?\c:\\Users\Default\Documents\My Music: JUNCTION

Print Name : C:\Users\Default\Music

Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Default\Pictures

Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION

Print Name : C:\Users\Default\Videos

Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\IUSR_NMPR\Application Data: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming

\\?\c:\\Users\IUSR_NMPR\Cookies: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\IUSR_NMPR\Local Settings: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local

\\?\c:\\Users\IUSR_NMPR\My Documents: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Documents

Substitute Name: C:\Users\IUSR_NMPR\Documents

\\?\c:\\Users\IUSR_NMPR\NetHood: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\IUSR_NMPR\PrintHood: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\IUSR_NMPR\Recent: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\IUSR_NMPR\SendTo: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\IUSR_NMPR\Start Menu: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\IUSR_NMPR\Templates: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\IUSR_NMPR\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local

\\?\c:\\Users\IUSR_NMPR\AppData\Local\History: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\IUSR_NMPR\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\IUSR_NMPR\Documents\My Music: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Music

Substitute Name: C:\Users\IUSR_NMPR\Music

\\?\c:\\Users\IUSR_NMPR\Documents\My Pictures: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Pictures

Substitute Name: C:\Users\IUSR_NMPR\Pictures

\\?\c:\\Users\IUSR_NMPR\Documents\My Videos: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Videos

Substitute Name: C:\Users\IUSR_NMPR\Videos

\\?\c:\\Users\James\Application Data: JUNCTION

Print Name : C:\Users\James\AppData\Roaming

Substitute Name: C:\Users\James\AppData\Roaming

\\?\c:\\Users\James\Cookies: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\James\Local Settings: JUNCTION

Print Name : C:\Users\James\AppData\Local

Substitute Name: C:\Users\James\AppData\Local

\\?\c:\\Users\James\My Documents: JUNCTION

Print Name : C:\Users\James\Documents

Substitute Name: C:\Users\James\Documents

\\?\c:\\Users\James\NetHood: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\James\PrintHood: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\James\Recent: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\James\SendTo: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\James\Start Menu: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\James\Templates: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\James\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\James\AppData\Local

Substitute Name: C:\Users\James\AppData\Local

\\?\c:\\Users\James\AppData\Local\History: JUNCTION

Print Name : C:\Users\James\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\James\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\James\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files

.

...

Failed to open \\?\c:\\Users\James\Desktop\OTL.exe: Access is denied.

..\\?\c:\\Users\James\Documents\My Music: JUNCTION

Print Name : C:\Users\James\Music

Substitute Name: C:\Users\James\Music

\\?\c:\\Users\James\Documents\My Pictures: JUNCTION

Print Name : C:\Users\James\Pictures

Substitute Name: C:\Users\James\Pictures

\\?\c:\\Users\James\Documents\My Videos: JUNCTION

Print Name : C:\Users\James\Videos

Substitute Name: C:\Users\James\Videos

.

...

...\\?\c:\\Users\Public\Documents\My Music: JUNCTION

Print Name : C:\Users\Public\Music

Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Public\Pictures

Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION

Print Name : C:\Users\Public\Videos

Substitute Name: C:\Users\Public\Videos

Failed to open \\?\c:\\Windows\assembly\GAC_MSIL\Desktop.ini: Access is denied.

...

..

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp8E71.tmp: Access is denied.

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspA88D.tmp: Access is denied.

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspFF8A.tmp: Access is denied.

.

...

..

Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.

.

...

Elise · November 18, 2010

Hi again,

We need to reset the permissions altered by the malware on a file.

Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:
"%userprofile%\desktop\inherit" "c:\censored YOU VIRUS\mbam.exe"

"%userprofile%\desktop\inherit" "c:\Malwarebytes\mbam.exe"

"%userprofile%\desktop\inherit" "c:\Users\James\Desktop\OTL.exe"
If you get a security warning select Run.
You will get a "Finish" popup. Click OK.

If successful, you should now be able to run OTL and install MBAM.

James A · November 18, 2010

MBAM still closes after scanning for 4 seconds, and then gives error message ; \

Same with OTL ; \

James A · November 18, 2010

Hi again,
We need to reset the permissions altered by the malware on a file.
Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:
"%userprofile%\desktop\inherit" "c:\censored YOU VIRUS\mbam.exe"

"%userprofile%\desktop\inherit" "c:\Malwarebytes\mbam.exe"

"%userprofile%\desktop\inherit" "c:\Users\James\Desktop\OTL.exe"

If you get a security warning select Run.
You will get a "Finish" popup. Click OK.
If successful, you should now be able to run OTL and install MBAM.

When you said copy and paste the first line of the following lines, you meant the whole "%userprofile%\desktop\inherit" "c:\censored YOU VIRUS\mbam.exe" part, right? I did that and got the Finish popup immediately, clicked okay. Still can't open tools though

Elise · November 18, 2010

Please try this:

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

James A · November 18, 2010

when i open combofix it brings up a status bar which loads all the way, then the program closes. ; \

There's an application under task manager called "shell.exe," I've tried to close in the past but it reopened itself, could this be part of the problem?

James A · November 18, 2010

Or could it be because I'm in safe mode?

Elise · November 18, 2010

Can you please rerun Junction.exe, so I can see whether or not the file permissions get removed.

James A · November 18, 2010

Junction v1.06 - Windows junction creator and reparse point viewer

Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION

Print Name : C:\Users

Substitute Name: C:\Users

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

.

Failed to open \\?\c:\\censored YOU VIRUS\mbam.exe: Access is denied.

..

...

\\?\c:\\ProgramData\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

...

\\?\c:\\ProgramData\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

...

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f121961696a3a24dc4d31720aa547d42_0ff0d1fd-2b43-494f-92d9-2be5632f0118: Access is denied.

...

.\\?\c:\\Users\All Users: SYMBOLIC LINK

Print Name : C:\ProgramData

Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION

Print Name : C:\Users\Default

Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

..

.\\?\c:\\Users\All Users\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..

.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\f121961696a3a24dc4d31720aa547d42_0ff0d1fd-2b43-494f-92d9-2be5632f0118: Access is denied.

..

...

..\\?\c:\\Users\Default\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming

Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION

Print Name : C:\Users\Default\Documents

Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION

Print Name : C:\Users\Default\Music

Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Default\Pictures

Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION

Print Name : C:\Users\Default\Videos

Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\IUSR_NMPR\Application Data: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming

\\?\c:\\Users\IUSR_NMPR\Cookies: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\IUSR_NMPR\Local Settings: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local

\\?\c:\\Users\IUSR_NMPR\My Documents: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Documents

Substitute Name: C:\Users\IUSR_NMPR\Documents

\\?\c:\\Users\IUSR_NMPR\NetHood: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\IUSR_NMPR\PrintHood: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\IUSR_NMPR\Recent: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\IUSR_NMPR\SendTo: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\IUSR_NMPR\Start Menu: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\IUSR_NMPR\Templates: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\IUSR_NMPR\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\IUSR_NMPR\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local

\\?\c:\\Users\IUSR_NMPR\AppData\Local\History: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\IUSR_NMPR\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\IUSR_NMPR\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\IUSR_NMPR\Documents\My Music: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Music

Substitute Name: C:\Users\IUSR_NMPR\Music

\\?\c:\\Users\IUSR_NMPR\Documents\My Pictures: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Pictures

Substitute Name: C:\Users\IUSR_NMPR\Pictures

\\?\c:\\Users\IUSR_NMPR\Documents\My Videos: JUNCTION

Print Name : C:\Users\IUSR_NMPR\Videos

Substitute Name: C:\Users\IUSR_NMPR\Videos

\\?\c:\\Users\James\Application Data: JUNCTION

Print Name : C:\Users\James\AppData\Roaming

Substitute Name: C:\Users\James\AppData\Roaming

\\?\c:\\Users\James\Cookies: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\James\Local Settings: JUNCTION

Print Name : C:\Users\James\AppData\Local

Substitute Name: C:\Users\James\AppData\Local

\\?\c:\\Users\James\My Documents: JUNCTION

Print Name : C:\Users\James\Documents

Substitute Name: C:\Users\James\Documents

\\?\c:\\Users\James\NetHood: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\James\PrintHood: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\James\Recent: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\James\SendTo: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\James\Start Menu: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\James\Templates: JUNCTION

Print Name : C:\Users\James\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\James\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\James\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\James\AppData\Local

Substitute Name: C:\Users\James\AppData\Local

\\?\c:\\Users\James\AppData\Local\History: JUNCTION

Print Name : C:\Users\James\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\James\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\James\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\James\AppData\Local\Microsoft\Windows\Temporary Internet Files

.

...

.

Failed to open \\?\c:\\Users\James\Desktop\OTL.exe: Access is denied.

Failed to open \\?\c:\\Users\James\Desktop\Malwarebyte\mbam.exe: Access is denied.

..\\?\c:\\Users\James\Documents\My Music: JUNCTION

Print Name : C:\Users\James\Music

Substitute Name: C:\Users\James\Music

\\?\c:\\Users\James\Documents\My Pictures: JUNCTION

Print Name : C:\Users\James\Pictures

Substitute Name: C:\Users\James\Pictures

\\?\c:\\Users\James\Documents\My Videos: JUNCTION

Print Name : C:\Users\James\Videos

Substitute Name: C:\Users\James\Videos

...

\\?\c:\\Users\Public\Documents\My Music: JUNCTION

Print Name : C:\Users\Public\Music

Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Public\Pictures

Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION

Print Name : C:\Users\Public\Videos

Substitute Name: C:\Users\Public\Videos

.

Failed to open \\?\c:\\Windows\assembly\GAC_MSIL\Desktop.ini: Access is denied.

..

...

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp8E71.tmp: Access is denied.

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspA88D.tmp: Access is denied.

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspFF8A.tmp: Access is denied.

...

Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.

...

.

Elise · November 18, 2010

Okay, it looks like the infection is just fooling us with no longer showing up in TDSSkiller.

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

James A · November 18, 2010

Ugh. Virus did same thing to GMER as it did to MBAM. Now I can't even access it

Elise · November 18, 2010

Hi, please go back to my combofix instructions, but now, right click on the download link and select "safe link as". Name the file fun.com instead of combofix.exe and save it to your desktop.

Now see if you can run it.

James A · November 18, 2010

combofix still closing down after initial load bar finishes like before. however, it hasn't denied me access to fun.com file

Elise · November 18, 2010

Try to run fun.com both from normal/safe mode.

Try to run it like this: click Start > Run, browse to the fun.com file and after that type <space>/killall

(it should look like: c:\.....\fun.com /killall).

Help! Virus redirects google and disabled MBAM

Recommended Posts

Link to post

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information