Malware keeps returning, and anti-virus programs are not detecting it


#1 mariko

Posted 22 February 2009 - 07:00 PM

I apologize if this is the same issue everyone else is having, but at this point I am completely confused and discouraged. I am running Windows XP Home Edition, and I usually have both Firefox and IE open (I have to use IE for work). On Friday, one of those crazy windows popped up that said I was infected by a virus and should run a scan. At the same time, McAfee warned me that it had detected something fishy and had taken care of the problem. Unfortunately, these crazy windows continued to appear. I then downloaded and ran Spybot Search & Destroy. It found some trojans (Virtumonde), supposedly fixed them, but then when I was using Firefox, I kept getting directed to incorrect pages when I would run Google searches. SO, I probably ran McAfee and Spybot again (it's all a blur at this point), fixed whatever needed fixing, but the problem persisted. I then downloaded and ran Malwarebytes' Anti-Malware, which found a number of infected items (memory modules, registry keys, registry values, registry data items). It fixed them, but guess what? Problem still persisted. So, I downloaded and ran SUPERAntiSpyware, which found Rogue.Component/Trace and Trojan.Fake-Alert/Trace. It fixed those, but the PROBLEM STILL PERSISTS. I then created a new restore point, but this didn't solve the problem. I then spoke with my brother, a geek, who suggested I uninstall Firefox (the problem only seems to appear in Firefox) and then go into the registry and get rid of anything related to Firefox and/or Mozilla. I did this. I still have the problem.

At this point I don't know what I should do. According to some posts here on bleepingcomputer, I guess the next step is to run SDFix, but I am not sure if this is what I need to do. I am not very technologically savvy, so it freaks me out to do all this stuff to my computer that I do not understand (particularly because I work from home and really rely on my computer). I know it might come to wiping out my entire hard drive, but if I can avoid that, I would like to. Any help would be GREATLY appreciated.


#2 boopme

Posted 22 February 2009 - 07:16 PM

Hello and welcome, let's do this.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Now Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mariko

Posted 23 February 2009 - 03:55 PM

Thank you so much! Okay, following is the report from SmitFraudFix. After running that I did run MBAM, and it did not find anything, so I did not reboot. I have no clue what anything on this report means. I cannot tell you how grateful I am for your help!

-------------------------------
SmitFraudFix v2.398

Scan done at 12:35:14.32, Mon 02/23/2009
Run from C:\Documents and Settings\Mariko\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\windows\system32\nvsvc32.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\Mariko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Documents and Settings\Mariko\Application Data\Cortex AutoLogon for Microsoft Outlook\AutoLogon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Documents and Settings\Mariko\Desktop\SmitfraudFix\Policies.exe
C:\windows\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 spywareinfo.com
127.0.0.1 www.spywareinfo.com

C:\


C:\windows


C:\windows\system


C:\windows\Web


C:\windows\system32


C:\Documents and Settings\Mariko


C:\DOCUME~1\Mariko\LOCALS~1\Temp


C:\Documents and Settings\Mariko\Application Data


Start Menu


C:\DOCUME~1\Mariko\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" pjymwp.dll c:\\windows\\system32\\wapujesi.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End
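
Reading this report as a defender, the sections the helper acts on are the hosts file (security sites sunk to 127.0.0.1), AppInit_DLLs (two unknown DLLs loaded into every process) and the Winlogon values. As an added example, not part of this thread and not code from SmitfraudFix or any other tool used here, a Python script that parses a report in this format and flags those three indicator classes; the trimmed sample report, the vendor hint list and the function names are constructed for the example.

```python
"""Triage of a SmitFraudFix-style report: flags the indicator classes present in
the report above (constructed sample below, trimmed from that report)."""
import re

SAMPLE_REPORT = r"""hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 spywareinfo.com
127.0.0.1 localhost

AppInit_DLLs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" pjymwp.dll c:\\windows\\system32\\wapujesi.dll"
"LoadAppInit_DLLs"=dword:00000001

Winlogon

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Illustrative subset of security-vendor names (constructed); a real list is longer.
SECURITY_VENDOR_HINTS = ("spybot", "spywareinfo", "malwarebytes", "superantispyware", "mcafee")


def hosts_entries(report):
    """(ip, hostname) pairs from the hosts section of the report."""
    pairs = []
    for line in report.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def blocked_security_sites(report):
    """Security-vendor hostnames sunk to loopback (malware blocking its removers)."""
    # Only vendor-looking names count: the later report in this thread shows hundreds
    # of benign 127.0.0.1 lines that Spybot's immunization adds on purpose.
    return [host for ip, host in hosts_entries(report)
            if ip.startswith("127.") and host != "localhost"
            and any(hint in host for hint in SECURITY_VENDOR_HINTS)]


def reg_values(report):
    """Map the "Name"=value lines of the .reg-style sections to their raw values."""
    values = {}
    for line in report.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def reg_string(raw):
    """Strip the quotes of a .reg string value and undo its doubled backslashes."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\")


def appinit_dlls(report):
    """DLLs that AppInit_DLLs loads into every user-mode process, if loading is on."""
    values = reg_values(report)
    raw = values.get("AppInit_DLLs")
    if raw is None:
        return []
    load = values.get("LoadAppInit_DLLs")
    # Vista and later honour LoadAppInit_DLLs; XP (this thread) loads the list
    # unconditionally, so a missing value is treated as enabled.
    enabled = load is None or int(load.split(":", 1)[1], 16) == 1
    return reg_string(raw).split() if enabled else []


def userinit_extras(report):
    """Anything in the Winlogon Userinit value besides the genuine userinit.exe."""
    raw = reg_values(report).get("Userinit")
    if raw is None:
        return []
    entries = [e.strip() for e in reg_string(raw).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]
```

On this thread's report the script flags the three sunk security sites and the two AppInit DLLs, and reports Userinit as clean.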

#4 boopme

Posted 23 February 2009 - 04:40 PM

Hello, first you are very welcome. Next we will run the cleaner Part 2 and an SAS scan.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Now from your regular user account, SAS
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 mariko

Posted 23 February 2009 - 08:58 PM

Thanks again! I really appreciate the detailed, step-by-step instructions. Below please find the SmitfraudFix report, followed by the SuperAntiSpyware log. I eagerly await further instructions, but I also hope this has fixed everything, and I won't have to do anything else!

---------------------------------------
SmitFraudFix v2.398

Scan done at 15:13:22.92, Mon 02/23/2009
Run from C:\Documents and Settings\Mariko\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8F1A1C2E-EEF9-459A-90EE-87246CC4D2A7}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

----------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2009 at 05:38 PM

Application Version : 4.25.1012

Core Rules Database Version : 3769
Trace Rules Database Version: 1729

Scan type : Complete Scan
Total Scan Time : 02:11:01

Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 6585
Registry threats detected : 0
File items scanned : 115502
File threats detected : 58

Adware.Tracking Cookie

#6 boopme

Posted 23 February 2009 - 10:49 PM

Hi, this looks good now. The popup windows are gone now. Just some cookies were left and cleared. How's it running now, any more symptoms?

#7 mariko

Posted 23 February 2009 - 11:25 PM

Hi, unfortunately, the problem still exists. I am still being redirected to the wrong sites from a Google search in Firefox. I also got a popup saying I needed to run a virus scan (I clicked no, obviously). I ran MBAM again, but it didn't find anything. What next? I was really hoping the problem had been solved, but I guess I can't give up quite yet! Thanks again.

#8 boopme

Posted 23 February 2009 - 11:46 PM

Are you noticing Google searches being redirected through google.goored (or also zfsearch) in the address bar?

#9 mariko

Posted 24 February 2009 - 11:01 AM

Hi again. I just tried a Google search, and I noticed in the address bar at the bottom it said "clickfraudmanager.com" and then took me to a Dex page instead of the page I wanted to go to.

#10 boopme

Posted 24 February 2009 - 12:59 PM

OK, it looks like this now.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#11 mariko

Posted 24 February 2009 - 01:40 PM

Okie dokie. Following is the GooredLog:

GooredFix v1.91 by jpshortstuff
Log created at 10:39 on 24/02/2009 running Option #1 (Mariko)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{442D9D0B-CC44-41C3-8D59-BCED6C5E2BA7}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In"

#12 boopme

Posted 24 February 2009 - 02:04 PM

Good, now do the other part.

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

#13 mariko

Posted 24 February 2009 - 04:08 PM

All righty! Here's the log:

GooredFix v1.91 by jpshortstuff
Log created at 13:07 on 24/02/2009 running Option #2 (Mariko)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{442D9D0B-CC44-41C3-8D59-BCED6C5E2BA7}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In"

#14 boopme

Posted 24 February 2009 - 04:40 PM

OK, good. Have we achieved Nirvana?

#15 mariko

Posted 24 February 2009 - 05:09 PM

Hallelujah! Things seem to be working normally now. I am still pretty scared, though! So, I have McAfee Security Center running. Should I keep any of these other programs running all the time, or should I just use those on a weekly basis to make sure everything is cleaned? I can't tell you how much I appreciate all your help on this. I have been online for I don't know how many years, and this is the first time I have ever been infected by malware. I was very close to tearing out all my hair.



