Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

links from google not working or sending me to wrong site


  • This topic is locked This topic is locked
12 replies to this topic

#1 Shels

Shels

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 28 September 2009 - 11:04 PM

Hi,

The past couple of days I have been having a problem with google links going to the wrong sites and links not working.

Once in a while a security alert pops up and says my computer is infected and that I have tons of infections in my documents, etc. The windows security box says that I need to delete a bunch of things such as trojan-defender, email-worm.win32.NET and many more becuase they could be stealing important info off my computer.
The run box says it is run by securitycodes.

I tried running malwarebytes, trend micro security, Ad aware, and am currently running Kaspersky.

I have tried searching for removal tools, but don't really know what I am looking for.

Sorry if this is vague. I don't know how to explain it.

Thanks for any help you can offer.

shel

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 29 September 2009 - 12:55 PM

Hello,when done post the Kaspersky log .

Also post the Malwarebytes log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 29 September 2009 - 09:44 PM

Kaspersky log


Tuesday, September 29, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 30, 2009 01:29:50
Records in database: 2935080


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area Critical areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Michelle\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Objects scanned 56723
Threats found 1
Infected objects found 2
Suspicious objects found 0
Scan duration 01:38:22

File name Threat Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\__c006B900.exe Infected: Trojan.Win32.Agent.bwkt 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\__c00A37E4.exe Infected: Trojan.Win32.Agent.bwkt 1

Selected area has been scanned.


Malwarebytes
Current scans don't show anything. I had some problems last spring with backdoor.bot. ,adware.popcap, trojan.vundo, and trojan.agent. Maywarebytes said it successfully quarantined and deleted them last march.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

9/29/2009 7:17:23 PM
mbam-log-2009-09-29 (19-17-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 48738
Time elapsed: 15 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thank you!

#4 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 30 September 2009 - 07:08 AM

Hello,

A litte more info and a question....

I deleted two trojans that were in my trend micro quarantine. I also have the two following things quarantined. I tried cleaning them, but it didn't work. Are these something I can delete?

_c00A37E4.exe in C:\WINDOWS\system32\

_c006B900.exe in C:WINDOWS\system32\

Thanks!!

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 30 September 2009 - 11:45 AM

They definately look like malware files. InQuarantine they can no longer harm your PC. They can stay there.
How is it running now?

If you still have some thing going on or to be sure run these next.
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#6 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 01 October 2009 - 11:08 AM

Hi boopme,

I was still having problems so I did all the things you listed in your last post.

The SAS complete scan did not come up with anything. I have not had any problems since running SAS and ATF cleaner.

Hopefully it is taken care of.

Thanks for all of your help! It is greatly appreciated.

Shel

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 02 October 2009 - 11:30 AM

Hello, sometimes this happens and it comes back after a shut down and reboot. Also it sometimes shows up in the Admin or other user account.

If there are no more signs of infection....
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

You're very welcome!!
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#8 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 04 October 2009 - 02:21 PM

Hello again,

So..just as you said it could, it came back. Everything worked fine for a while. I had my computer off all weekend and just started it up again and links are not working properly.

Malwarebytes and Trendmicro scans come back clean.

Should I run ATF cleaner and Super antispyware in safemode again, and then create a new restore point?

Thanks!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 05 October 2009 - 07:53 PM

Hello run them again. Post the log.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#10 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 06 October 2009 - 04:58 PM

Hi,

I ran ATF and Superantispyware which came back clean.

Here is my root repeal log


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 15:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF519B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B9A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8CE5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gasfkyikvbyfge.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyouxthale.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkysfnqvwfc.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkytdeucvam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyxyrnoaci.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyeixnmdeqey.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyecxfntxyne.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkybstbqpqggt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkycvksllsidl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkybavmluoy.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Trend Micro\Internet Security\Temp\unif0000
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkyikvbyfge.dll]
Process: svchost.exe (PID: 1572) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: gasfkyeixnmdeqey.tmpll]
Process: Explorer.EXE (PID: 428) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: gasfkyeaqhrouo
Image Path: C:\WINDOWS\system32\drivers\gasfkybavmluoy.sys

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x820aa260

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x820aa080

==EOF==

Thanks!

Shel

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 06 October 2009 - 07:26 PM

Hello the rootkit does exist here. C:\WINDOWS\system32\drivers\gasfkybavmluoy.sys

The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#12 Shels

Shels
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 06 October 2009 - 08:35 PM

I think I got everything squared away for the new thread.

Thanks again for all of your wonderful help boopme!

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 59,966 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:28 PM

Posted 07 October 2009 - 09:21 AM

Yes that looks good there. Thank you and you're welcome.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users