
Looks like I'm infected! - browser Hi-jack, security software blocked


24 replies to this topic

#1 BikerDon (Members, 18 posts)

Posted 07 February 2009 - 06:21 PM

Hope I get everything down before I get another BSoD...

Google search results sometimes take me to advertising sites, not the site I want to go to.
That happens in Firefox & IE; not seen it yet in Opera.
Soon after firing up IE, not straight away, I get the BSoD and Windows restarts.
Not noticed this after firing up FF or Opera so far.

The icons in the Opera tabs are wrong.
The address bar when writing this post says it's the Google search result and does not change when I go to other pages.

Google search for, or attempting to go to, such sites as Ad-Aware, AVG & Spybot returns an error such as Remote Server Unavailable or not found.
Going direct to those sites in the browser does the same.
Attempting to do updates to AVG AV software, Ad-aware, Spybot S&D fails.

Spybot S&D console refused to run when I tried to start it.

Looking at the response to http://www.bleepingcomputer.com/forums/t/200899/getting-redirected-and-denied-access-to-most-antivirus-sites-among-other-glitches/

I downloaded MBAM and ran it as instructed.
It found 7 malicious items, I tried to remove them.
It removed 6 and said 1 required a restart to remove it.
Log posted below.

All was OK for a time then I started getting the above symptoms again.
I just ran MBAM again and it found NOTHING this time.

My AV software AVG has just now opened a Resident Shield Alert saying it has identified the Win32/Cryptor virus in C:\Windows\system32\gaopdxufxibfcd.dll



MBAM log
======

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

06/02/2009 23:20:53
mbam-log-2009-02-06 (23-20-53).txt

Scan type: Quick Scan
Objects scanned: 59388
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2ea8be65-b444-4a21-85de-e7cde080ff55}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2ea8be65-b444-4a21-85de-e7cde080ff55}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{2ea8be65-b444-4a21-85de-e7cde080ff55}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\BikerDon\AppData\Local\Temp\matrix30660.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by BikerDon, 07 February 2009 - 06:27 PM.
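The Trojan.DNSChanger entries in the log above show the mechanism behind the symptoms in this post: the Tcpip\Parameters NameServer and DhcpNameServer values, per interface and in several control sets, point at 85.255.112.39 and 85.255.112.40 rather than at the resolvers the machine should be using, which is what turns Google results into redirects and makes the AV update sites unreachable. The Python script below is an added example, not code from the thread or from Malwarebytes: it parses log lines in the MBAM 1.33 format, reports every NameServer address that falls outside a trusted resolver set you supply, shows which control sets carried the rogue data, and lists findings still waiting on a reboot (the point Orange Blossom raises later in the thread). The sample log is constructed from the lines posted above; the trusted resolver 192.168.1.1 is an assumed placeholder for the network's real DNS servers.

```python
"""Audit Malwarebytes 1.33-style log lines for DNS resolver hijacks (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines posted in the thread, in the
# "Registry Data Items Infected" / "Files Infected" format MBAM 1.33 writes.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2ea8be65-b444-4a21-85de-e7cde080ff55}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a27a266e-7741-4837-b876-7785bfbe9da0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
"""

# Assumed placeholder: the resolvers this network is actually supposed to use.
TRUSTED_RESOLVERS = ["192.168.1.1"]

# "<registry value> (<detection>) -> Data: <data> -> <action>."
REG_DATA_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+?)\.?$"
)
# "<file path> (<detection>) -> <action>."
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$"
)


@dataclass
class Finding:
    kind: str            # "registry_data" or "file"
    location: str        # registry value path or file path
    detection: str       # scanner label, e.g. Trojan.DNSChanger
    action: str          # what the scanner did, e.g. "Delete on reboot"
    data: list = field(default_factory=list)  # registry data, split on commas


def parse_mbam_log(text):
    """Extract registry-data and file findings from MBAM 1.33 log text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_DATA_RE.match(line)
        if m:
            findings.append(Finding("registry_data", m["key"], m["detection"],
                                    m["action"], m["data"].split(",")))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("file", m["path"], m["detection"], m["action"]))
    return findings


def rogue_name_servers(findings, trusted_resolvers):
    """Map each resolver IP outside the trusted set to the registry values that carried it.

    The check is on the address, not on the scanner's label: any NameServer or
    DhcpNameServer value pointing somewhere unexpected is a hijack indicator.
    """
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    rogue = {}
    for f in findings:
        if f.kind != "registry_data" or not f.location.endswith("NameServer"):
            continue
        for raw in f.data:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # non-IP data, nothing to compare
            if ip not in trusted:
                rogue.setdefault(str(ip), []).append(f.location)
    return rogue


def control_sets_touched(findings):
    """Control sets that held rogue data. Cleaning only CurrentControlSet is not enough
    when ControlSet00N copies still carry the old values, since another control set
    can be selected at boot (e.g. Last Known Good Configuration)."""
    sets = set()
    for f in findings:
        m = re.search(r"SYSTEM\\(ControlSet\d+|CurrentControlSet)\\", f.location)
        if m:
            sets.add(m.group(1))
    return sorted(sets)


def needs_reboot(findings):
    """Findings the scanner could not clean in-session; the fix is incomplete until the reboot happens."""
    return [f.location for f in findings if "reboot" in f.action.lower()]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for ip, values in rogue_name_servers(found, TRUSTED_RESOLVERS).items():
        print(f"rogue resolver {ip} set in {len(values)} registry value(s)")
    print("control sets touched:", ", ".join(control_sets_touched(found)))
    for loc in needs_reboot(found):
        print("pending reboot:", loc)
```

Run against a real log, the useful output is the set of resolver addresses and the list of control sets: if a later scan reports nothing but the symptoms return, comparing the live NameServer values against the same trusted set is the quickest way to tell whether the resolver setting has been rewritten again.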




#2 BikerDon, Topic Starter (Members, 18 posts)

Posted 07 February 2009 - 06:30 PM

Many thanks for the speedy reply; the answer to both of your questions is "NO".

I will do both and post any progress or lack thereof.

Forgot to mention that I'm running Vista Home Premium.

Edited by BikerDon, 07 February 2009 - 06:35 PM.


#3 Orange Blossom, Bleepin Investigator (Moderator, 36,801 posts, Bloomington, IN)

Posted 07 February 2009 - 07:04 PM

Hello Bikerdon,

Please DO NOT turn off system restore. If something goes haywire, it is better to have an infected restore point to go back to than no restore point at all. When disinfection is complete, then we flush the restore points so the computer cannot be reinfected.

Also, please note that MBAM is designed to work best in Normal Mode not Safe Mode.

My question for you is, did you allow your system to reboot or did you reboot after running MBAM? From the log, I see that some of what it found cannot be removed without rebooting.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 BikerDon, Topic Starter (Members, 18 posts)

Posted 07 February 2009 - 07:09 PM

when I select 'System Restore' to disable it I get a pop-up which says the Wizard is already running and this program will exit

I have just run malwarebytes in Safe mode and it still finds nothing

#5 BikerDon, Topic Starter (Members, 18 posts)

Posted 07 February 2009 - 07:12 PM

> Hello Bikerdon,
>
> Please DO NOT turn off system restore. If something goes haywire, it is better to have an infected restore point to go back to than no restore point at all. When disinfection is complete, then we flush the restore points so the computer cannot be reinfected.
>
> Also, please note that MBAM is designed to work best in Normal Mode not Safe Mode.
>
> My question for you is, did you allow your system to reboot or did you reboot after running MBAM? From the log, I see that some of what it found cannot be removed without rebooting.
>
> Orange Blossom :thumbsup:


as mentioned it looks as if I can't switch off System restore anyway

as far as I remember, MBAM said it was going to restart for me so I let it

#6 BikerDon, Topic Starter (Members, 18 posts)

Posted 07 February 2009 - 07:15 PM

MBAM now finds nothing



Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

07/02/2009 23:53:03
mbam-log-2009-02-07 (23-53-03).txt

Scan type: Quick Scan
Objects scanned: 56462
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 07 February 2009 - 09:30 PM

Please update mbam and select FULL Scan
Run the scan, Remove selected and reboot
Post the log for review
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 BikerDon, Topic Starter (Members, 18 posts)

Posted 08 February 2009 - 05:15 AM

looks like whatever is stopping me updating all my other security software is doing the same to mbam

"Update failed. make sure you are connected to the Internet......."

now performing a full scan anyway to see what happens...

Edited by BikerDon, 08 February 2009 - 05:16 AM.


#9 BikerDon, Topic Starter (Members, 18 posts)

Posted 08 February 2009 - 07:39 AM

after scan completed
=============

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

08/02/2009 12:35:49
mbam-log-2009-02-08 (12-35-44).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 252889
Time elapsed: 2 hour(s), 12 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\BikerDon\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> No action taken.


after deletion
=========

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

08/02/2009 12:36:53
mbam-log-2009-02-08 (12-36-53).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 252889
Time elapsed: 2 hour(s), 12 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\BikerDon\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Now going to try to update MBAM as per forum and then scan again...
Restarted Windows, still cannot update MBAM. :thumbsup:

Edited by BikerDon, 08 February 2009 - 07:47 AM.


#10 BikerDon, Topic Starter (Members, 18 posts)

Posted 08 February 2009 - 08:03 AM

OK so I thought I saw a post the other day on what to do if you cannot update mbam :trumpet:

can't find the pesky thing now :flowers:

anyone know where it is ? :thumbsup:

#11 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 08 February 2009 - 09:34 AM

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

Now SAS, may need an hour
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark

#12 BikerDon, Topic Starter (Members, 18 posts)

Posted 08 February 2009 - 11:09 AM

thanks for all your help Mark - really appreciate this
Don

#13 BikerDon, Topic Starter (Members, 18 posts)

Posted 08 February 2009 - 03:31 PM

OK, I couldn't get into Safe Mode with F8 - when I did the F8 thing on my PC it just asked me which device to boot from, so I went for msconfig - worked OK.

Tried to update the definitions from the SAS Console - it wouldn't let me so I went for the download method - worked a treat.

Followed the scan instructions above to the letter - nothing found :thumbsup:

Log
===

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2009 at 08:05 PM

Application Version : 4.25.1012

Core Rules Database Version : 3743
Trace Rules Database Version: 1711

Scan type : Complete Scan
Total Scan Time : 01:39:52

Memory items scanned : 283
Memory threats detected : 0
Registry items scanned : 8679
Registry threats detected : 0
File items scanned : 194754
File threats detected : 0



I can update CCleaner OK
I can't update Ad-Aware
I can't update AVG
I can't even run Spybot S&D to get updates - I get an error to say it can't run

Edited by BikerDon, 08 February 2009 - 03:42 PM.


#14 BikerDon, Topic Starter (Members, 18 posts)

Posted 09 February 2009 - 03:13 AM

Well I ran MBAM again on quick scan mode before going to bed.
It was still running this morning after eight hours and scanning >900,000 files.
Not correct I suspect.

I also had another alert pop-up from my AV software:

Threat detected!
C:\Windows\system32\gaopdxufxibfcd.dll
Win32/Cryptor

Process Name: C:\Windows\System32\svchost.exe

#15 DaChew, Visiting Alien (BC Advisor, 10,317 posts, millenium falcon and rockytop)

Posted 09 February 2009 - 05:34 AM

You are pressing F8 too early, during the BIOS POST screen; F8 has to be tapped a little later, when the hard drive starts to boot. Get this skill down; never use msconfig, never.

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Use this link to try and update MBAM, it has 1736 I believe

> Quick scan
>
> Database version: 1654

yours is way out of date


An updated AVG from safe mode (F8 only) might be worth a try here

Edited by DaChew, 09 February 2009 - 05:42 AM.

Chewy

No. Try not. Do... or do not. There is no try.



