BleepingComputer.com: Odd browser behaviour

I was requested to download an update for adobe flash player which is something tha happens every now and then.
I didnt really think anthing of it but it seemed a bit odd the way that it happened and it was so that i could watch a youtube video.
It seemed a bit strange as I had been watching youtibe videos quite a lot recently and after I had installed the update it wouldnt show the video anyway,
Since I installed the update I havent been able to access facebook at all, I can get to all other sites ok but facebook will not laod.
It just keeps saying that the server is temproraily down and trryu again later.
I have done a scan with avira and removed what that came up with and also done a scan with superantispyware, I have also tried to do a system resotre although when it reboots it says that it couldnt be compketed and I should de-activate my anti-virus software before it can be completed although it wont even let me do that.
I hope someone can help me with this problem as i really havent got enough media to do a full backup and cant afford to lose everything that i currently have stored on my computer.
If a HJT log would be of any help then I will send you one asap.


I look forward to hearing from someone asap

I am using win 7 ultimate on a HP a6455 3GB Quad Core 64-bit PHenom

Please help as this is driving me mad.

I also keep getting redirected to gameo.com whenever i click on any link from google which is also very annoying.

I really do hope someone can help me soon.

Many Thanks in advance


Steevo AKA Madforit

This post has been edited by Orange Blossom: 19 August 2011 - 07:42 PM
Reason for edit: Moved to AII from Windows 7. ~ OB

Hi, please do these 3 also and see how it is.Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

I have followed these steps and cleaned everything that was there.

You seem to have forgotten step 3,but both scanner say the computer is clean, the internet seems ok but for some reason it still wont go to www.facebook.com.
Any help would be great as this is most annoying.

this was my first mbam logfile

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7513

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

20/08/2011 09:05:50
mbam-log-2011-08-20 (09-05-50).txt

Scan type: Full scan (C:\|K:\|)
Objects scanned: 396156
Time elapsed: 52 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SERVICES32.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2716335.exe (Trojan.Agent) -> Value: 2716335.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5779199.exe (Trojan.Agent) -> Value: 5779199.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8468651-loader2.exe (Trojan.Agent) -> Value: 8468651-loader2.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87562.exe (Trojan.Agent) -> Value: 87562.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES (X86)\COMMON FILES\SPIGOT\WTXPCOM\COMPONENTS\WIDGITOOLBARFF.DLL (Adware.WidgiToolbar) -> Value: WIDGITOOLBARFF.DLL -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\106130.exe (Trojan.Downloader.Gen) -> Value: 106130.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Services32.exe\close (Trojan.Agent) -> Value: close -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\rpcminer (Trojan.BCMiner) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Temp\2716335.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Steve\AppData\Local\Temp\5779199.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\8468651-loader2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\87562.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\iobit toolbar\IE\4.5\iobittoolbarie.dll (PUP.Dealio.TB) -> Quarantined and deleted successfully.
c:\program files (x86)\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\Users\Steve\Desktop\installers\removewat.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
c:\Users\Steve\Desktop\vso convertxtodvd 4.1.19.364 final incl serial + keygen\Keygen\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Windows\Temp\17789_myunrar2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\78267052.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\811249.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
c:\Windows\Temp\8544666.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\93097_myunrar2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successful

and since cleaning it the new one is completely empty.

I have just realised that a lot of sites i try to go to I get redirected to gomeo and also notice it loading something from 7daysoftheweek.com

I hope that might help you work this out for me.

This post has been edited by Madforit: 20 August 2011 - 03:29 AM

Hello, Yes Idi skip this.
Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Are you on a router? Are other machines on it,if so are they redirecting?

Do you use Firefox?

Did Tdss come back clean?



I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

NOTE: In some instances if no malware is found there will be no log produced.

Here is the log from the ESET program

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.183.5
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
IObit IObit Malware Fighter IMFsrv.exe
``````````End of Log````````````

I have also used ESET smart security and also ESET NOD32 which found some infections but the problem still remains slightly.

If I google something and click on a lick it still redirects me to gomeo.com or just any ran dom site and for some reason even though most sites seem to work properly when I try to go to facebook it says that the server cannot be reached. This is getting really annoying as I use FB quite often to ontact friends in other countries.

I'm sure you will find a solution soon, and I must say many thanks for the help !!!!

I could only find the eset security check program and not the one that you mentioned,but I have tried three diffeent browsers and the same thing happens with all of them.
I have checked with my other pc and the problem only exists on this one and that is why it is baffling me.

This post has been edited by Madforit: 20 August 2011 - 03:42 PM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Did Tdss come back clean?


If still redirecting>>>
Change your DNS Servers:

• Go to > Run... and in the open box, type: cmd
  
• Press OK or Hit Enter.
  
• At the command prompt, type or copy/paste: ipconfig /flushdns
  
• Hit Enter.
  
• You will get a confirmation that the flush was successful.
  
• Close the command box.

Here is the log you requested

GooredFix by jpshortstuff (03.07.10.1)
Log created at 22:39 on 20/08/2011 (Steve)
Firefox version 6.0 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [21:58 10/07/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [13:45 09/04/2011]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [22:10 12/04/2011]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [14:14 09/04/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [15:09 09/04/2011]
{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [16:56 15/06/2011]

C:\Users\Steve\Application Data\Mozilla\Firefox\Profiles\vef2ix32.default\extensions\
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:50 22/06/2011]
{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} [11:01 17/08/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

I have also noticed that it seems to have done somehting to my hosts file as well,,,I tried to replace it but it didnt help.

The other program did come back clean as well.

I am rapidly thinkjing abaout re-installing now,,but this really is th elast thing that i want to do/
i really do need to communicate with certain people on a regular basis and I unbderstand that you are busy.
I hope there is some other solution to this problem rather than reinstalling win 7 again,unless it woud be possible to do a reinstall (non destructive) so i dont lose everything i have but i keep thinking that doing it that way would still leave the problemn on the OS as well.
#

Hello
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.

If you still have issues before reformatting post a DDS log and have it analyzed

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.

Thanks for all of your help...

After resetting the hosts file everything seems back to normal.

Ok great ..Update to Java 7 to close an exploitable security hole.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to > Run... and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links:

• Create a New Restore Point in Vista or Windows 7
  
• Disk Cleanup in Vista
  
• Disk Cleanup in Windows 7