Another redirect rootkit...


  • This topic is locked

#1
Joyatop

    New Member

  • Member
  • 1 posts
Hello, first of all I'd like to thank you in advance for any help offered.

I've been getting Google redirects on one of the family's computers, and a quick Google search (on another computer) found that it's more than likely a rootkit. The problem is, any antivirus program, or some of the solutions online (e.g. TDSS) have also failed. Any time I try to run a program it comes across a process with a long string of numbers in its name and crashes, gets labeled with a small icon, and is unable to run in subsequent attempts. Since I'm running out of ideas here, aside from formatting the drive, I'd like to ask for some help.

I ran regedit and found that the process can't be killed, since it seems to randomly respawn in different places in the registry, as does the process itself. I've been able to keep it away from the task manager by suppressing it, but it doesn't make a difference when I try to use an internet browser.

Device manager revealed nothing obviously suspicious, and the Avant rootkit tool seems to reveal that there's a problem with smd.sys before I get a BSOD, and when I tried the same thing in safe mode, the program again crashes, and I can't rerun the same copy of the program.

So, any help would be appreciated very much!

#2
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello Joyatop and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

  • Download AntiZeroAccess to Desktop
  • Double click on it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
  • Type y and press enter to run the scan
  • Please post AntiZeroAccess_Log.txt contents in your next post. This file is saved in the same location as AntiZeroAccess program.

Step 2

If you fail to run Combofix try to rename it to explorer.exe or svchost.exe then try to run it again.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Step 3

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If a suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 4

Please don't forget to include these items in your reply:

  • AntiZeroAccess log
  • Combofix log
  • TDSSKiller log
It would be helpful if you could post each log in a separate post.

#3
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.