Author Topic: Win32:Malware-gen, Google search results redirect  (Read 11924 times)

blakewest

  • Guest
Win32:Malware-gen, Google search results redirect
« on: December 02, 2011, 04:20:47 PM »
Hi,

I have an infection that results in my google search results redirecting to a spam/exploit page.  >:( Avast boot scan finds Win32:Malware-gen in C:\windows\assembly\GAC_32\Desktop.ini but cannot remove the infection.  >:( >:(

I followed the instructions here http://forum.avast.com/index.php?topic=53253.0 and the various logs are attached. Oddly, it seems like these other tools do not find the same infection as the boot scan, but do find other infections.

Any help appreciated.

Thanks,
Blake

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Win32:Malware-gen, Google search results redirect
« Reply #1 on: December 02, 2011, 04:52:30 PM »
Yes, you are infected, according to the aswMBR log:
C:\WINDOWS\system32\drivers\ipsec.sys  **INFECTED** Win32:Sirefef-F [Drp]
C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\U\800000cb.@  **INFECTED** Win32:Sirefef-AO [Rtk]

Google redirects are caused by this Rootkit/Bootkit. If my memory serves me correctly, Sirefef is also known as Whistler-Black internet.
Essexbot will help you.
Have a nice day.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen, Google search results redirect
« Reply #2 on: December 02, 2011, 07:41:09 PM »
OK, let's get to work... I will remove what I can safely delete, then get a dedicated tool for the rest.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O20 - HKU\S-1-5-21-3477547963-1579938710-1893990287-1003 Winlogon: Shell - (C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\X) -C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b\X ()
    [2011/11/29 18:35:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Dell\Local Settings\Application Data\b860844b

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks, also allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

blakewest

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #3 on: December 02, 2011, 07:49:35 PM »
Thank you! I will post back with the results and logfiles.

blakewest

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #4 on: December 03, 2011, 05:09:52 AM »
So between the time I generated the log files posted earlier and the time I went to follow your instructions, I shut down the machine. When I booted back up to follow the new steps, I was not able to get an IP address, and in fact the ipconfig command gave me an error message. I downloaded combofix on another machine and burned a disc to install it on the infected machine.

I ran OTL and Combofix and saved the respective logfiles. However, I don't have a good way to get those logfiles onto the forum. I do not feel safe copying the files to a CD or flash drive and posting them using another computer. Maybe it's not a big deal, but I do not want to spread the infection to another machine.

The combofix did detect a rootkit in the TCP/IP stack. I do not have recovery console installed on that machine, and because I do not have an internet connection, or a Windows XP installation disc, I cannot install it. Maybe that's why the TCP/IP is still not working.

Please tell me there is something else I can do besides wiping and starting over.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen, Google search results redirect
« Reply #5 on: December 03, 2011, 12:18:00 PM »
Copying to a USB should be OK, if you vaccinate the USB first (using the host, i.e. working, computer): http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

But a trick that may work to repair the internet is to download SP3 to a CD/USB and then re-install that on the sick computer.

DonZ63

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #6 on: December 03, 2011, 06:19:12 PM »
Does the OP have SP3 currently installed? As far as I am aware, you can't install SPx over SPx where x is the same version.

You have to uninstall SP3 if it is installed and then reinstall SP3 and reapply all WIN updates: http://www.ehow.com/how_5172014_reinstall-sp.html.

The whole process is not without peril, however; especially with XP SP3, which many people had problems installing.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Malware-gen, Google search results redirect
« Reply #7 on: December 03, 2011, 07:07:09 PM »
SP3 can be overinstalled. The trick to installing SP3 at any time is to install it in Safe Mode so security programs don't interfere. AVs, btw, are the biggest cause of SP3 install failures.

DonZ63

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #8 on: December 04, 2011, 02:58:49 AM »
Each to their own. However, I would never install a Microsoft OS update in safe mode.

Quote
Avs btw are the biggest cause of SP3 install failures.

I would say OEM hardware; especially HP! ::)

blakewest

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #9 on: December 04, 2011, 04:24:23 AM »
Attempted to reinstall SP3 in regular boot mode. Did not re-enable tcp/ip. Tried again in safe mode. Did not re-enable tcp/ip. So I downloaded the USB vaccine and copied the log files over that way.

The attached log files are from the OTL fix and the Combfix.

I have no tcp/ip available on the machine. Also, windows firewall is turned off and will not re-enable. Also, Avast Webshield will not turn on. All other shields will. I have the wireless antenna turned off and no hard wire ethernet connected to prevent funny business.

Please let me know what I can do next. It seems like I need to be able to download and install recovery console so that combofix can remove the rootkit.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Malware-gen, Google search results redirect
« Reply #10 on: December 04, 2011, 05:26:49 AM »
@DonZ63

It's not that well documented, but right from the horse's mouth.

Quote
One of the most common causes of installation failure is when a third-party program, such as an antivirus program, holds a file open or locks a file that the service-pack installer needs.
http://support.microsoft.com/kb/950717
http://support.microsoft.com/kb/949377

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen, Google search results redirect
« Reply #11 on: December 04, 2011, 12:58:31 PM »
OK, let's get busy - I will run all my search and test scans in one go...

Open Services...
Start > Run > Type: services.msc > Click OK   
Scroll down to and double click DNS Client
Set to Automatic under Startup type 
Click the Apply button
Click the Start button
When it starts click OK

Repeat for DHCP Client.
And repeat for Remote Procedure Call (RPC).

When done, close Services.

Try the connection again

FAILURE

OK, run OTL and run the following script, as I need to check the dependency files:

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
afd.*
tcpip.*
netbt.*
netbios.*
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT


FURTHER DATA

Please copy all in the below quote box:


Quote
@echo off
echo Please post back the %SystemDrive%\MyNICDetails.txt on your next reply
echo.
echo CheckMyNIC by AdvancedSetup >%SystemDrive%\MyNICDetails.txt
echo ... >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc RPCSS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex RPCSS >>%SystemDrive%\MyNICDetails.txt
pause
Save in Notepad as "MyNICDetails.bat" with the quote marks.
Save as type All Files to Desktop.
Once saved transfer to the infected computer's Desktop.
Click the file and post back the text file it produces please.

The text file will be located here: C:\MyNICDetails.txt
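The MyNICDetails.txt report is read by eye in the thread; as an added example (not from the thread, its helpers, or the CheckMyNIC script), here is a Python parser for that sc qc / sc queryex output that merges each service's two blocks and walks the DEPENDENCIES chain, so a DHCP Client that "did not work due to unstarted dependencies" is traced down to the stopped driver and the dependency sc could not find. The report text is constructed; in it the Tcpip driver lists IPSec as a dependency, which is the chain the thread is chasing after ipsec.sys was flagged.

```python
import re

# Constructed sample of the merged "sc qc" / "sc queryex" output the batch file
# above writes to MyNICDetails.txt (service names follow the script, values invented).
SAMPLE = """\
SERVICE_NAME: dhcp
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : Tcpip
                           : Afd
SERVICE_NAME: dhcp
        STATE              : 1  STOPPED
SERVICE_NAME: TCPIP
        DEPENDENCIES       : IPSec
SERVICE_NAME: TCPIP
        STATE              : 1  STOPPED
SERVICE_NAME: Afd
        STATE              : 4  RUNNING
"""

# "KEY : value", or a bare "   : value" continuation of the previous key.
LINE_RE = re.compile(r"^\s*([A-Z0-9_]*)\s*:\s*(.*?)\s*$")

def parse_sc_report(text):
    """Merge each service's qc and queryex blocks into one record keyed by lower-case name."""
    services, cur, key = {}, None, None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        key, val = m.group(1).lower() or key, m.group(2)
        if key == "service_name":
            cur = services.setdefault(val.lower(), {"name": val, "deps": []})
        elif cur is not None and key == "dependencies" and val:
            cur["deps"].append(val)
        elif cur is not None:
            cur[key] = val
    return services

def blocked_chain(services, name, seen=None):
    """Walk a service's dependency tree and list every reason it cannot come up."""
    seen = seen or set()
    if name.lower() in seen:          # already reported through another dependent
        return []
    seen.add(name.lower())
    svc = services.get(name.lower())
    if svc is None:                   # sc never answered: key deleted or driver gone
        return [f"{name}: missing from report"]
    state = (svc.get("state") or "UNKNOWN").split()[-1]
    reasons = [] if state == "RUNNING" else [f"{svc['name']}: {state}"]
    for dep in svc["deps"]:
        reasons += blocked_chain(services, dep, seen)
    return reasons
```

Calling blocked_chain(parse_sc_report(SAMPLE), "dhcp") on the sample returns the stopped DHCP client, the stopped TCPIP driver, and IPSec as missing from the report; a real report pasted into SAMPLE is handled the same way.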

DonZ63

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #12 on: December 04, 2011, 04:37:03 PM »
Quote
One of the most common causes of installation failure is when a third-party program, such as an antivirus program, holds a file open or locks a file that the service-pack installer needs.
http://support.microsoft.com/kb/950717
http://support.microsoft.com/kb/949377

I agree with this. But I go one step further and uninstall any AV with extensive registry and file protections, such as Norton NIS/AV. Since Avast injects .dlls into OS services, it appears it falls into this category. Never had a problem with an XP SP3 upgrade with the AV uninstalled.

Win 7, on the other hand, appears to be more forgiving, but I still uninstall any primary AV to play it safe.

blakewest

  • Guest
Re: Win32:Malware-gen, Google search results redirect
« Reply #13 on: December 04, 2011, 08:14:04 PM »
Thank you for sticking with this Essexboy. I really appreciate the help.

OK, starting DHCP did not work due to unstarted dependencies. So I followed the instructions to run OTL again and ran the .bat file. Please see attachments.

Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen, Google search results redirect
« Reply #14 on: December 04, 2011, 11:36:08 PM »
Well, the files are in the right place; let's now check the registry.

  • Run OTL.
  • Select All Users
  • Under the Custom Scan box paste this in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tcpip /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open a notepad window.
    • Post the log