Firefox Google result link getting redirected - VUNDO??


15 replies to this topic

#1 nhanster

Posted 20 April 2009 - 04:39 PM

Hi,

I encountered this problem this morning and have been browsing the web on how to remove it, but have been quite unsuccessful.
This morning I downloaded a program which I thought was some video. The program name was UNICODEC.

After installing that, I found out that my Google result links on Firefox were redirecting me to some advertising website, not the actual website that they were supposed to go to.
I also found out that my SUPERAntiSpyware Professional cannot start up anymore! Every time I try to start it, this message comes up:
SUPERAntiSpyware has encountered a problem and needs to close. We are sorry for the inconvenience.

I downloaded Malwarebytes Anti-Malware, but I couldn't get it to load. Every time I double-click on the program, nothing happens. =(
I also tried to use Spybot S&D; the same thing happens, the program doesn't load.

I have deleted the UNICODEC files, but the problem still occurs.

When I try Googling on IE, everything works fine.
When I Google on Firefox, it's all messed up.


#2 DaChew

Posted 20 April 2009 - 05:43 PM

Try this to install MBAM.

Try renaming the setup file to install.com.

Try installing in Safe Mode.

Here's a random renamer for the program if you can get it installed:

http://kixhelp.com/wr/files/mb/randmbam.exe

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#3 nhanster (Topic Starter)

Posted 20 April 2009 - 06:33 PM

Hey,

Thanks. I reinstalled MBAM and then launched http://kixhelp.com/wr/files/mb/randmbam.exe.
The MBAM program worked, did a full scan of my computer, found a couple of malware items and quarantined them, but the problem with the Google link redirecting still occurs.
And my SUPERAntiSpyware still isn't working.

#4 DaChew

Posted 20 April 2009 - 06:48 PM

I need to see that MBAM log.

Run another scan with this database, please:

http://www.gt500.org/malwarebytes/database.jsp


Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

#5 nhanster (Topic Starter)

Posted 21 April 2009 - 12:04 AM

Am I supposed to uninstall MBAM and then run http://www.gt500.org/malwarebytes/database.jsp?

I tried to install http://www.gt500.org/malwarebytes/database.jsp with MBAM already installed and without MBAM installed, and the same thing happens...
All it does is take me through the setup process really quickly, and at the end it says, "Setup has finished installing Malwarebytes' Anti-Malware on your computer," and then I click FINISH and the setup window closes. BUT I didn't see any program installed, and no program was launched after the setup finished.

Here is the log from when I used http://kixhelp.com/wr/files/mb/randmbam.exe with a full scan.
When I installed http://kixhelp.com/wr/files/mb/randmbam.exe, a separate icon appeared on my desktop. It has the same logo as MBAM, but underneath it, it says "859215044859".

FYI - I used http://kixhelp.com/wr/files/mb/randmbam.exe when MBAM was already installed on my computer.

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 2, v.2096

4/20/2009 4:27:51 PM
mbam-log-2009-04-20 (16-27-51).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 92024
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\UNICCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-4-8-29-100008715-100002431-100006652-6627.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-1136859.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
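Added example, not part of this thread: the "Registry Data Items Infected" lines in the log above are the resolver hijack itself, and note that the same DhcpNameServer value was planted under CurrentControlSet and under ControlSet001 through ControlSet003. The Python below, written for this page rather than taken from it, parses those lines out of an MBAM log, splits the resolver addresses per interface GUID and control set, and reports every control set that still carries a resolver not on an allowlist, marking those inside the /20 that contains the log's two addresses as known-rogue. The allowlist (192.168.1.1), the /20 blocklist, the extra clean sample line with a second GUID, and the function names are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the three "Registry Data Items Infected" lines are taken from the
# MBAM 1.36 log above; the fourth line is made up (a second interface GUID with the
# router as resolver) so that the example has a clean case to contrast against.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3414c69d-fe5b-4c31-a476-8bf802320a2f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0d6e1a7c-0000-4000-8000-000000000001}\NameServer (Constructed.Clean) -> Data: 192.168.1.1 -> No action taken.
"""

# Assumption: the resolvers this machine is supposed to use (a home router here).
EXPECTED_RESOLVERS = {"192.168.1.1"}
# Assumption: blocklist seeded with the /20 that contains the two addresses in the log.
ROGUE_NETWORKS = [ipaddress.ip_network("85.255.112.0/20")]

# Matches the per-interface NameServer / DhcpNameServer data items MBAM reports.
DNS_LINE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<control_set>\w+)\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\(?P<guid>\{[0-9a-fA-F-]+\})\\(?P<value>DhcpNameServer|NameServer)\b"
    r".*?-> Data: (?P<data>.+?)(?: ->|$)"
)


@dataclass(frozen=True)
class DnsEntry:
    control_set: str
    interface_guid: str
    value_name: str
    servers: tuple


def parse_dns_entries(log_text):
    """Extract every Tcpip\\Interfaces resolver setting from an MBAM log."""
    entries = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        # Windows stores several resolvers separated by commas or spaces.
        servers = tuple(s for s in re.split(r"[,\s]+", m.group("data")) if s)
        entries.append(DnsEntry(m.group("control_set"), m.group("guid"),
                                m.group("value"), servers))
    return entries


def classify_server(server, expected=EXPECTED_RESOLVERS, rogue_networks=ROGUE_NETWORKS):
    """Allowlist first: anything that is not an expected resolver is a finding;
    the blocklist only upgrades it from 'unexpected' to 'known-rogue'."""
    if server in expected:
        return "expected"
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if any(addr in net for net in rogue_networks):
        return "known-rogue"
    return "unexpected"


def audit(log_text):
    """{interface_guid: {control_set: [(server, verdict), ...]}}. Keying by control
    set matters: the hijacked value lives in the ControlSet00N backups as well as
    in CurrentControlSet, and a cleanup that touches only the latter leaves it behind."""
    report = {}
    for e in parse_dns_entries(log_text):
        per_iface = report.setdefault(e.interface_guid, {})
        per_iface[e.control_set] = [(s, classify_server(s)) for s in e.servers]
    return report


def control_sets_with_bad_dns(log_text):
    """Sorted (interface_guid, control_set) pairs holding at least one non-expected resolver."""
    bad = []
    for guid, per_cs in audit(log_text).items():
        for cs, verdicts in per_cs.items():
            if any(v != "expected" for _, v in verdicts):
                bad.append((guid, cs))
    return sorted(bad)


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for guid, cs in control_sets_with_bad_dns(SAMPLE_LOG):
        print(f"{cs:18} {guid} -> {findings[guid][cs]}")
```

On a live box the same check belongs against the registry itself rather than a log, but the logic is identical: an allowlist of resolvers you expect, and every Interfaces\{GUID} key in every control set compared against it.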

#6 DaChew

Posted 21 April 2009 - 05:03 AM

Malwarebytes' Anti-Malware 1.36
version number

Database version: 2019

Windows 5.1.2600 Service Pack 3

The manual database update link is for those who cannot update MBAM through the program, people who are being blocked.

Where's that new scan? This is rarely a one-shot deal; we have to repeat with updates and other tools.

Just update online and then run a Quick Scan.

#7 nhanster (Topic Starter)

Posted 21 April 2009 - 12:15 PM

Here is the log with database version 2019, Quick Scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2019
Windows 5.1.2600 Service Pack 2, v.2096

4/21/2009 10:14:12 AM
mbam-log-2009-04-21 (10-14-12).txt

Scan type: Quick Scan
Objects scanned: 72738
Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

#8 DaChew

Posted 21 April 2009 - 04:02 PM

This is a very nasty infection.

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan, and paste the report into a reply here, please.

#9 nhanster (Topic Starter)

Posted 21 April 2009 - 10:32 PM

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 20:31
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxcpwrvkiexdkpyyldamwrfhxbfpmgcmtmp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcnkejwbsivbrfootqalksrgbvbwucfqxt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Nhan\Local Settings\Temp\etilqs_DJ6INKPsgRV8oECgH36h
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Nhan\Application Data\Mozilla\Firefox\Profiles\mhl579r9.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)
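Added example, not part of this thread: a triage of the RootRepeal output above, written for this page. RootRepeal lists files that a raw disk read sees but the Windows API does not, which is the signature of a user- or kernel-mode hook hiding them. The code parses the Path/Status pairs, sets aside the hiberfil.sys lock (the kernel keeps that file and pagefile.sys open on every XP machine, so "Locked" there is noise), groups the invisible files by shared filename prefix so that the three gxvxc* components show up as one family, and picks the driver under system32\drivers as the one to wipe first, which is the line DaChew singles out in the next reply; the later MBAM log, where the DLL and driver become detectable only after that wipe and a reboot, is consistent with the driver being what hid the rest. The 4-character prefix threshold, the benign-locked list and the function names are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: the "Hidden/Locked Files" section of the RootRepeal report above.
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxcpwrvkiexdkpyyldamwrfhxbfpmgcmtmp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcnkejwbsivbrfootqalksrgbvbwucfqxt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Nhan\Local Settings\Temp\etilqs_DJ6INKPsgRV8oECgH36h
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Nhan\Application Data\Mozilla\Firefox\Profiles\mhl579r9.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)
"""

# Files the kernel keeps open on every XP box; a "Locked" status on these is expected.
BENIGN_LOCKED = {"hiberfil.sys", "pagefile.sys"}

ENTRY = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.MULTILINE)


def parse_rootrepeal(report_text):
    """(path, status) pairs from the Hidden/Locked Files section."""
    return [(m.group("path").strip(), m.group("status").strip())
            for m in ENTRY.finditer(report_text)]


def invisible_files(records):
    """Paths the raw scan sees but the Windows API does not: something is hooking."""
    return [p for p, s in records if s.startswith("Invisible")]


def _lcp(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def cluster_by_prefix(paths, min_prefix=4):
    """Group hidden files whose basenames share at least min_prefix leading characters
    (assumed threshold). Components dropped together by one rootkit carry random names
    behind a common short tag, 'gxvxc' in the report above."""
    clusters = []  # each item: [shared_prefix, [paths]]
    for path in sorted(paths, key=lambda p: ntpath.basename(p).lower()):
        name = ntpath.basename(path).lower()
        if clusters:
            shared = _lcp(clusters[-1][0], name)
            if len(shared) >= min_prefix:
                clusters[-1][0] = shared
                clusters[-1][1].append(path)
                continue
        clusters.append([name, [path]])
    return [(prefix, members) for prefix, members in clusters if len(members) >= 2]


def wipe_target(paths):
    """Of a family's members, the kernel driver is the one to wipe first: it is the
    component that hooks the API and hides the rest, so once it is gone and the box
    has rebooted, an ordinary scanner can see and remove the DLL by itself."""
    for p in paths:
        low = p.lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            return p
    return None


def triage(report_text):
    records = parse_rootrepeal(report_text)
    benign = [p for p, s in records
              if s.startswith("Locked") and ntpath.basename(p).lower() in BENIGN_LOCKED]
    families = cluster_by_prefix(invisible_files(records))
    return {
        "benign_locked": benign,
        "families": families,
        "wipe_first": [wipe_target(members) for _, members in families],
        # Anything else (size mismatches, unreadable files) is left for manual review.
        "unexplained": [(p, s) for p, s in records
                        if p not in benign and not s.startswith("Invisible")],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for prefix, members in result["families"]:
        print(f"family '{prefix}*': {len(members)} hidden files")
    print("wipe first:", result["wipe_first"])
    print("review by hand:", [p for p, _ in result["unexplained"]])
```

The grouping step is what turns three unrelated-looking hidden paths into one target: a lone invisible file could be a false positive from a legitimate driver, but several invisible files under system32 sharing a random-looking prefix, one of them a .sys, is the pattern to act on.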

#10 DaChew

Posted 22 April 2009 - 01:54 AM

Path: C:\WINDOWS\system32\drivers\gxvxcnkejwbsivbrfootqalksrgbvbwucfqxt.sys
Status: Invisible to the Windows API!

Run the file scan again and highlight this line, right-click and choose Wipe.

Immediately reboot and run MBAM again, please.

#11 nhanster (Topic Starter)

Posted 23 April 2009 - 01:43 AM

OMG! I think it's gone now!! Google is working and my SUPERAntiSpyware is working too! :thumbsup: Thank you!

BUT... the infection still showed up with the MBAM Quick Scan... =/
I quarantined and deleted the two files after the scan. Would that help??


Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 2, v.2096

4/22/2009 11:42:23 PM
mbam-log-2009-04-22 (23-42-23).txt

Scan type: Quick Scan
Objects scanned: 73077
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxcpwrvkiexdkpyyldamwrfhxbfpmgcmtmp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcnkejwbsivbrfootqalksrgbvbwucfqxt.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#12 nhanster (Topic Starter)

Posted 23 April 2009 - 01:53 AM

OhOhOh!! After I quarantined and deleted the two files, I rebooted my computer and then ran an MBAM Quick Scan again, and this time no infection was found!!! :thumbsup:

Is there a way to double-check that it is really gone from my system??
Thank you for all your help!!

Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 2, v.2096

4/22/2009 11:50:52 PM
mbam-log-2009-04-22 (23-50-52).txt

Scan type: Quick Scan
Objects scanned: 73007
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 DaChew

Posted 23 April 2009 - 04:43 AM

By the way, you have done a great job with a dangerous new infection. Let's cross-check some stuff.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by DaChew, 23 April 2009 - 04:59 AM.


#14 nhanster (Topic Starter)

Posted 23 April 2009 - 12:25 PM

Looks like it's all clean! =))
Thanks for all your help!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/23/2009 at 10:20 AM

Application Version : 4.26.1000

Core Rules Database Version : 3859
Trace Rules Database Version: 1811

Scan type : Complete Scan
Total Scan Time : 00:11:18

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 4869
Registry threats detected : 0
File items scanned : 12349
File threats detected : 0

#15 DaChew

Posted 23 April 2009 - 04:15 PM

That SAS scan was too fast.

Let's run a full/complete scan with MBAM.