Cannot access search engines



#1 annebk

annebk

  • Members
  • 5 posts

Posted 23 August 2009 - 10:54 PM

Hello - hope you can help - I'm on hour eleven of trying to fix this...
Running Windows XP - IE 6 - McAfee (was running spybot and spysweeper - more on that later)
Was surfing and got a mcafee box saying it has detected and deleted a trojan - cool - answered okay.
Clicking on a google search result redirected me to a porn site 'online-v-kontakle.com' Closed IE
and tried again - same result.
opened spysweeper - found log of it blocking propellero.com
opened mcafee - found log of it blocking fake-alert-ck and exploit-pdf.b.gen - was also told
csrss.exe was trying to access the internet - chose to block it - lost all internet connection.
Allowed it - got the internet back. Deleted all cookies and files - no help
Ran spysweeper scan - found and deleted trojan-pws-bandok
Ran mcafee - found and deleted acr2dde.tmp and exploit-pdf.b.gen (again?) also saw that
Adware-UCMore had been removed on 6/5
Ran spybot - found and removed a microsoft.windows.security.internetexplore thing (sorry, didn't
take good notes on that)
Called AT&T support - they supply my mcafee - transferred to mcafee support - guy says that it's
a conflict between their product and spysweeper and spybot - didn't agree but since I could not get
more support, booted into safe mode and uninstalled both. Rebooted - no change.
Called mcafee support again - we restored the firewall defaults and voila - got the internet back.
He told me to start quickclean before hanging up. Had to reboot when done then no internet again.
Called mcafee AGAIN - this guy said I should bump up to the virus removal department for $89.
I don't think so, Tim.
Ran another mcafee scan - found and removed adware-UCMore which I thought had been removed
back in June.
Downloaded malwarebytes - ran it and removed 6 items - see log 1 - still no internet access. Restored
all 6 so I could access the internet to try and search on malwarebytes forums - didn't find much I
could try so I reran it and removed 7 items - see log 2 - still no internet access. Third scan comes up
clean (did realize my database was from 8/3 so updated, ran again, still clean)
In clicking around internet options, found under 'connections', 'lan settings' that 'use proxy server' was
checked (to use 127.0.0.1) - thought that was weird so I unchecked and voila, got internet access EXCEPT
I cannot access google or bing sites (can access yahoo and search but cannot access search results)
I'd google 127.0.0.1 to see who that is but, alas, cannot access google....
Have not downloaded hijack this yet - my eyes are blurry....
Help, help, help!

Log 1:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 8:06:13 PM
mbam-log-2009-08-23 (20-06-13).txt

Scan type: Quick Scan
Objects scanned: 95490
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\csrss8.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Log 2:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 9:01:33 PM
mbam-log-2009-08-23 (21-01-33).txt

Scan type: Quick Scan
Objects scanned: 95411
Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\csrss8.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Delete on reboot.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,644 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 August 2009 - 12:22 AM

Hello you're still a few updates back.. Current is around 2686.
See if this fixes your Net issues.

Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.


If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, usb, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 annebk


Posted 24 August 2009 - 07:06 AM

Updated mbam to version 2687
Did 'netsh winsock reset' and rebooted
Reran mbam scan - came out clean

I DO have access to the internet - can reach every site I've tried EXCEPT any search engines (google,
bing, ask.com)

What should I try now?

Malwarebytes' Anti-Malware 1.40
Database version: 2687
Windows 5.1.2600 Service Pack 3

8/24/2009 7:01:34 AM
mbam-log-2009-08-24 (07-01-34).txt

Scan type: Quick Scan
Objects scanned: 97206
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme


Posted 24 August 2009 - 10:53 AM

OK, your Hosts File may be corrupted or blocking them.
Restore your default hosts file

Download the HostsXpert,

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program



Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 24 August 2009 - 11:08 AM.


#5 annebk


Posted 24 August 2009 - 05:51 PM

I was thinking about the hosts file on my way to work - came home, checked and it was full of 127.0.0.1 redirects.
Deleted every entry in the file and made it read only. Now I can access google, bing, etc. I tried clicking on
links for two different searches and am not getting redirected to porn sites.
Then - bad me - I checked to see if you had updated on my topic. Do you think I still need to do the other things
you suggested? It looks like mbam deleted all the files and changing the proxy server and emptying the host file
took care of my internet problems...
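
Added example, not part of the original posts: a small Python audit of hosts-file content that reports every mapping other than the default `localhost` entry and marks the ones that affect search engines, which is the symptom described in this thread. The watch list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumption: watch list built from the search engines named in this thread.
WATCHED = ("google.com", "bing.com", "ask.com", "yahoo.com")

# Constructed sample, not the poster's actual file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # two names on one line
127.0.0.1       www.bing.com
203.0.113.10    search.yahoo.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(name):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return every mapping other than the default loopback 'localhost' entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        # Loopback/unspecified makes the name unreachable; anything else sends
        # traffic for that name to a different machine.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": str(ip),
                         "kind": kind, "watched": is_watched(name)})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "!!" if f["watched"] else "  "
        print(f'{flag} line {f["line"]}: {f["host"]} -> {f["ip"]} ({f["kind"]})')
```

Hosts-based blocklists also map unwanted names to loopback, so the `watched` flag is what separates an intentional block from an entry that cuts off a site the user needs.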

#6 boopme


Posted 24 August 2009 - 08:17 PM

I would definitely run the next 2 tools. No one tool can be guaranteed to get it all. Plus these will do some things different than MBAM.

#7 annebk


Posted 24 August 2009 - 10:27 PM

Ran both ATF-Cleaner (is this like ccleaner? I already had this installed - ran yesterday at some point)
and superantispyware in safe mode. Log is below and looks good.

I see the creepy superantispyware bug living in my systray - can mcafee & superantispyware coexist
peacefully without canceling each other out and slowing down my computer?
I've been reading on your site about only having one antivirus program running at a time. Should I leave
mcafee? Can I leave superantispyware on my computer without it running in the background?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2009 at 09:58 PM

Application Version : 4.27.1002

Core Rules Database Version : 4070
Trace Rules Database Version: 2010

Scan type : Complete Scan
Total Scan Time : 01:21:41

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 6095
Registry threats detected : 0
File items scanned : 20460
File threats detected : 1

Adware.CouponBar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1357\A0096201.DLL

#8 boopme


Posted 24 August 2009 - 10:40 PM

Hi, this looks great..
Yes they should be fine together. One AV is the rule.. MBAM and SAS are not AV's so they can run. You can keep them as backup on demand scanners. Remember to update first.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#9 annebk


Posted 24 August 2009 - 10:55 PM

I will do these two last steps.
I can't thank you enough for your help and all I've learned from reading thru various posts.
I will be sure to visit back often (hopefully only for research and not for aid) and spread the word
on how great my experience was and recommend you to all who will listen!

#10 boopme


Posted 24 August 2009 - 10:59 PM

You're most welcome, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

Thanks for stopping by :thumbsup:



